RHCS: OCSP Publishing via LDAP replication does not occur before response expires.

Solution Unverified - Updated -

Issue

  • RHCS: OCSP Publishing via LDAP replication does not occur before response expires.
  • In the RHCS environment, two dedicated OCSP responders are configured:
ocsp01.pki.example.com
ocsp02.pki.example.com

Each of these is backed by a dedicated RHDS 10 node:

ocsp01.ldap.example.com
ocsp02.ldap.example.com

ocsp01.pki.example.com only talks to ocsp01.ldap.example.com, and ocsp02.pki.example.com only talks to ocsp02.ldap.example.com. LDAP replication is used on the backend between the two OCSP LDAP nodes.

Given the limitation of RHCS OCSP publishing that only one CA server can publish the CRL to the OCSP responders, the publishing architecture is configured as below:

ca01.pki.example.com -> ocsp01.pki.example.com 

ocsp01.ldap.example.com -> ocsp02.ldap.example.com 

Replication happens via LDAP and works fine.

The issue observed is that ocsp02.pki.example.com returns an invalid OCSP response for about 30 minutes after the previously published OCSP response expires.
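The symptom above is easiest to confirm by querying each responder directly and comparing the Next Update time in the reply with the current time: a response whose Next Update is already in the past is the stale response the replication lag leaves behind on ocsp02. The following script is an added example, not code from the knowledgebase article or from Red Hat Certificate System. It parses the summary printed by `openssl ocsp` (the command is shown in a comment) and reports, per responder, whether the response is fresh, stale, or could not be verified. The two responder outputs and the wall-clock time are constructed sample data, not captures from the environment described on the page; the hostnames are the ones the article uses.

```python
"""Flag stale OCSP responses per responder (added example, not RHCS code).

Run something like the following against each responder and feed its output
to check_response():

    openssl ocsp -url http://ocsp01.pki.example.com:8080/ocsp \
        -issuer ca.pem -cert leaf.pem -resp_text -no_nonce

The summary lines parsed here ("Response verify OK", "This Update:",
"Next Update:") are what `openssl ocsp` prints without -resp_text; that flag
only adds detail below them.
"""
import re
from datetime import datetime, timezone

# Constructed sample outputs. ocsp01 is the direct publishing target and
# already serves the new response; ocsp02, fed only by LDAP replication,
# still serves the previous one whose Next Update has passed. The WARNING
# line is what `openssl ocsp` prints when the status times are no longer valid.
SAMPLE_OUTPUTS = {
    "ocsp01.pki.example.com": (
        "Response verify OK\n"
        "leaf.pem: good\n"
        "\tThis Update: Jan 10 12:00:00 2024 GMT\n"
        "\tNext Update: Jan 10 16:00:00 2024 GMT\n"
    ),
    "ocsp02.pki.example.com": (
        "Response verify OK\n"
        "leaf.pem: good\n"
        "WARNING: Status times invalid.\n"
        "\tThis Update: Jan 10 08:00:00 2024 GMT\n"
        "\tNext Update: Jan 10 12:00:00 2024 GMT\n"
    ),
}

# Constructed "current time" for the sample run: 20 minutes after ocsp02's
# response expired, inside the ~30 minute window the article describes.
NOW = datetime(2024, 1, 10, 12, 20, tzinfo=timezone.utc)

_TIME_RE = re.compile(r"^\s*(This|Next) Update:\s+(.+?)\s*$", re.M)
_TIME_FMT = "%b %d %H:%M:%S %Y GMT"   # OpenSSL's GeneralizedTime print format


def parse_times(output):
    """Return (this_update, next_update) as aware UTC datetimes.

    OpenSSL pads the day to two characters ("Jan  5"), so whitespace is
    collapsed before parsing.
    """
    found = {}
    for label, value in _TIME_RE.findall(output):
        stamp = " ".join(value.split())
        found[label] = datetime.strptime(stamp, _TIME_FMT).replace(tzinfo=timezone.utc)
    if "This" not in found or "Next" not in found:
        raise ValueError("This Update / Next Update not found in responder output")
    return found["This"], found["Next"]


def check_response(output, now):
    """Classify one responder's output.

    Returns (state, delta) where state is one of 'unverified' (signature did
    not verify, delta None), 'not-yet-valid' (delta = time until This Update),
    'stale' (delta = time since Next Update passed) or 'fresh'
    (delta = time remaining until Next Update).
    """
    if not output.startswith("Response verify OK"):
        return "unverified", None
    this_update, next_update = parse_times(output)
    if now < this_update:
        return "not-yet-valid", this_update - now
    if now >= next_update:
        return "stale", now - next_update
    return "fresh", next_update - now


def check_all(outputs=SAMPLE_OUTPUTS, now=NOW):
    """Classify every responder; keyed by hostname."""
    return {host: check_response(text, now) for host, text in outputs.items()}


if __name__ == "__main__":
    for host, (state, delta) in check_all().items():
        extra = "" if delta is None else f" ({int(delta.total_seconds() // 60)} min)"
        print(f"{host}: {state}{extra}")
```

Running the check periodically from a monitor, and comparing the two responders' Next Update values against each other as well as against the clock, shows directly how far ocsp02 lags ocsp01 after each CRL publish; a stale result on ocsp02 while ocsp01 is fresh points at the LDAP replication path rather than at CA publishing.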

Environment

  • Red Hat Certificate System 9
