RHCS: OCSP Publishing via LDAP replication does not occur before response expires.
Issue
- RHCS: OCSP Publishing via LDAP replication does not occur before response expires.
- In an RHCS environment, two dedicated OCSP responders are configured:
ocsp01.pki.example.com
ocsp02.pki.example.com
Each of these is backed by a dedicated RHDS 10 node:
ocsp01.ldap.example.com
ocsp02.ldap.example.com
ocsp01.pki.example.com only talks to ocsp01.ldap.example.com, and ocsp02.pki.example.com only talks to ocsp02.ldap.example.com. LDAP replication is used on the backend between the two OCSP LDAP nodes.
Given the limitation of RHCS OCSP publishing that only one CA server can publish the CRL to the OCSP responders, publishing is configured as follows:
ca01.pki.example.com -> ocsp01.pki.example.com
ocsp01.ldap.example.com -> ocsp02.ldap.example.com
Replication happens via LDAP and works fine.
The issue observed is that ocsp02.pki.example.com returns an invalid OCSP response for about 30 minutes after the previous OCSP response expires.
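A freshness check for the two responders, added here as an example and not part of the Red Hat article or of RHCS itself. It parses the text that `openssl ocsp -resp_text` prints, flags a response whose Next Update has already passed, and reports how far ocsp02's This Update trails ocsp01's, which is what the symptom above looks like from the client side while the newly published CRL has reached ocsp01 but not yet ocsp02. The responder URLs (port and path) and the two sample responder outputs are constructed for this example and are not taken from the article.

```python
#!/usr/bin/env python3
"""Freshness check for a pair of OCSP responders (added example, not RHCS code).
Parses `openssl ocsp -resp_text` output, detects an expired response and
measures how far the replica responder lags the primary one."""
import re
import subprocess
from datetime import datetime, timezone

# Assumed responder URLs for the hosts named in the article; port and path are
# this example's assumption, not something the article states.
RESPONDERS = {
    "ocsp01": "http://ocsp01.pki.example.com:8080/ocsp/ee/ocsp",
    "ocsp02": "http://ocsp02.pki.example.com:8080/ocsp/ee/ocsp",
}

# Constructed sample output in the shape of `openssl ocsp -resp_text`.
# ocsp01 already serves the response built from the new CRL; ocsp02 still
# serves the previous one, whose Next Update has passed.
SAMPLE_OCSP01 = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Jun  1 10:05:00 2021 GMT
    Responses:
    Certificate ID:
      Serial Number: 0A
    Cert Status: good
    This Update: Jun  1 10:00:00 2021 GMT
    Next Update: Jun  1 14:00:00 2021 GMT
"""
SAMPLE_OCSP02 = """\
OCSP Response Data:
    OCSP Response Status: successful (0x0)
    Response Type: Basic OCSP Response
    Produced At: Jun  1 10:05:00 2021 GMT
    Responses:
    Certificate ID:
      Serial Number: 0A
    Cert Status: good
    This Update: Jun  1 06:00:00 2021 GMT
    Next Update: Jun  1 10:00:00 2021 GMT
"""

_TIME_FMT = "%b %d %H:%M:%S %Y"


def parse_ocsp_time(value):
    """Parse an OpenSSL GMT timestamp such as 'Jun  1 10:00:00 2021 GMT'."""
    value = " ".join(value.replace("GMT", "").split())  # collapse the padded day
    return datetime.strptime(value, _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_ocsp_text(text):
    """Pull certificate status and validity times out of -resp_text output."""
    fields = {}
    for key, label in (("status", "Cert Status"),
                       ("produced_at", "Produced At"),
                       ("this_update", "This Update"),
                       ("next_update", "Next Update")):
        m = re.search(r"^\s*%s:\s*(.+?)\s*$" % re.escape(label), text, re.M)
        if m is None:
            raise ValueError("missing %r in OCSP response text" % label)
        fields[key] = m.group(1) if key == "status" else parse_ocsp_time(m.group(1))
    return fields


def seconds_until_expiry(fields, now):
    """Positive while the response is valid, negative once Next Update has passed."""
    return (fields["next_update"] - now).total_seconds()


def replication_lag(primary, replica):
    """Seconds by which the replica's This Update trails the primary's.

    A positive lag means the replica still answers from the older CRL; in the
    setup above the CRL only reaches ocsp02 through LDAP replication."""
    return (primary["this_update"] - replica["this_update"]).total_seconds()


def check_pair(primary_text, replica_text, now):
    """Summarise both responders at `now`, e.g. for a monitoring probe."""
    primary = parse_ocsp_text(primary_text)
    replica = parse_ocsp_text(replica_text)
    return {
        "primary_expired": seconds_until_expiry(primary, now) < 0,
        "replica_expired": seconds_until_expiry(replica, now) < 0,
        "lag_seconds": replication_lag(primary, replica),
    }


def ocsp_query_argv(url, issuer_pem, cert_pem, ca_bundle):
    """argv for `openssl ocsp`; keeps signature verification (no -noverify)."""
    return ["openssl", "ocsp", "-issuer", issuer_pem, "-cert", cert_pem,
            "-url", url, "-CAfile", ca_bundle, "-resp_text"]


def fetch_ocsp_text(url, issuer_pem, cert_pem, ca_bundle):
    """Query one live responder and return the text openssl printed."""
    return subprocess.run(ocsp_query_argv(url, issuer_pem, cert_pem, ca_bundle),
                          capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    # 20 minutes into the window in which ocsp02 is still serving the old response.
    now = parse_ocsp_time("Jun  1 10:20:00 2021 GMT")
    print(check_pair(SAMPLE_OCSP01, SAMPLE_OCSP02, now))
```

Run it as-is to see the verdict for the constructed samples; to probe the live responders, call `fetch_ocsp_text` for each URL in `RESPONDERS` with the CA certificate and a test certificate, feed the two outputs to `check_pair`, and alert when `replica_expired` is true or `lag_seconds` stays positive longer than replication normally takes.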
Environment
- Red Hat Certificate System 9