On Fri, Mar 06, 2020 at 08:09:59AM -0000, Hristina Marosevic wrote:
Hi,
this looks like some progress. Please check p11_child.log, which might contain details on why SSSD thinks the certificate is not valid. By default SSSD will check the certificate with the help of the CA certificates and does OCSP if the certificate contains the needed OCSP data.
To disable OCSP, since your system cannot reach the OCSP responder, please add
certificate_verification = no_ocsp
to the [sssd] section of sssd.conf and restart SSSD. For testing you can even use 'no_verification' but this should not be used in production (see man sssd.conf for details).
Which version of SSSD are you using? Depending on the version you might have to add the CA certificates to different locations, please check the 'ca_db' option described in man sssd.conf for details as well.
bye, Sumit
Can you please check the comment below? (I didn't quote your text there, so I am not sure if you got a notification for my comment)
BR, Hristina