On Fri, Mar 06, 2020 at 08:09:59AM -0000, Hristina Marosevic wrote:
This looks like some progress. Please check p11_child.log which might
contain details on why SSSD thinks the certificate is not valid. By default
SSSD will check the certificate with the help of the CA certificates and
does OCSP if the certificate contains the needed OCSP data.
To disable OCSP, since your system cannot reach the OCSP responder, add

    certificate_verification = no_ocsp

to the [sssd] section of sssd.conf and restart SSSD. For testing you can
even use 'no_verification' but this should not be used in production
(see man sssd.conf for details).
Which version of SSSD are you using? Depending on the version you might
have to add the CA certificates to different locations, please check the
'ca_db' option described in man sssd.conf for details as well.
Can you please check the comment below?
(I didn't quote your text there, so I am not sure if you got a notification for my