Invalid OCSP URI in IPA CA cert /etc/ipa/ca.crt
Issue
- When reading /etc/ipa/ca.crt from the IPA server, an invalid OCSP URI was found:
$ openssl x509 -in /etc/ipa/ca.crt -text -noout
Certificate:
Data:
Version: 3 (0x2)
Serial Number: 1 (0x1)
Signature Algorithm: sha256WithRSAEncryption
Issuer: O=EXAMPLE.COM, CN=Certificate Authority
Validity
Not Before: Sep 23 10:18:13 2013 GMT
Not After : Sep 23 10:18:13 2033 GMT
Subject: O=EXAMPLE.COM, CN=Certificate Authority
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
Public-Key: (2048 bit)
Modulus:
00:db:df:06:c3:bc:ba:b6:7d:74:7c:f6:8d:36:dc:
1b:5c:99:df:03:69:21:01:db:bf:e2:67:9e:bb:f2:
83:2c:af:21:77:6f:3f:eb:9b:55:85:a2:fd:c8:61:
f5:f2:14:9e:a2:bc:c1:a9:8b:29:6e:a5:48:d7:ef:
f5:a4:fd:e5:4c:54:a8:ee:d2:ac:e7:ac:6e:3f:83:
dc:50:a8:39:55:d4:c4:79:d3:3c:82:4a:c6:7a:0f:
81:c0:00:1a:d5:03:bc:75:4f:8a:c0:08:1a:5d:79:
f0:f1:33:41:cd:f6:a9:69:11:ec:50:80:2c:43:29:
9e:41:10:41:c3:74:50:09:f4:c0:fa:d3:3a:bf:41:
1f:ef:e4:52:62:61:98:25:36:09:b2:36:d9:b6:10:
18:2e:8e:4a:db:08:45:f7:17:50:1a:61:67:bb:f3:
29:a6:20:2f:9a:ec:ce:8c:b3:0e:ed:39:3a:f2:16:
d1:58:9f:3c:03:6a:fc:2d:79:f6:84:35:aa:63:8d:
c6:e6:6c:5a:89:d2:a3:e5:84:b9:b0:db:27:07:db:
b4:16:9d:10:7d:da:f5:4a:29:fe:dd:df:d5:95:d6:
04:78:3e:95:34:e2:a1:13:f2:be:4f:48:94:ad:eb:
52:b5:fb:e0:71:82:a1:f8:ea:8d:6e:b0:1d:b9:6b:
a3:ad
Exponent: 65537 (0x10001)
X509v3 extensions:
X509v3 Authority Key Identifier:
keyid:D8:0C:FF:CC:83:5B:85:DB:85:C6:E8:BF:86:96:4F:5D:5D:ED:C2:71
X509v3 Basic Constraints: critical
CA:TRUE
X509v3 Key Usage: critical
Digital Signature, Non Repudiation, Certificate Sign, CRL Sign
X509v3 Subject Key Identifier:
D8:0C:FF:CC:83:5B:85:DB:85:C6:E8:BF:86:96:4F:5D:5D:ED:C2:71
Authority Information Access:
OCSP - URI:http://ipaserver1.example.com:80/ca/ocsp <<<====== this is an invalid URI
Signature Algorithm: sha256WithRSAEncryption
2f:92:ef:7b:de:2e:99:5a:97:13:d1:f7:3f:52:23:30:d4:4e:
65:11:4c:38:d4:04:12:35:6f:4b:75:e9:c9:6d:88:9b:e5:5e:
2b:28:89:6f:1a:99:a9:ef:1e:16:fd:28:18:41:e9:f5:45:3c:
3e:12:1e:e7:af:de:cb:fb:6a:f8:e4:93:dd:31:45:44:f5:09:
a0:14:0a:dc:08:bd:04:da:ee:e7:66:4e:4c:e6:48:3c:c4:c7:
04:64:97:32:6a:71:c6:71:92:32:ff:c7:4e:d5:49:c9:6d:b4:
f3:d5:df:35:1a:bc:33:8e:14:5f:e1:ed:ac:e3:f0:af:cb:41:
f1:84:7a:ad:bc:76:3a:e6:ae:00:83:00:7b:18:cf:b5:95:b3:
cf:1d:09:fc:1a:14:44:6e:b3:02:00:77:fe:9e:d4:c4:84:06:
a8:0e:df:75:ff:32:c4:ef:ea:67:1a:04:02:d3:3f:57:63:37:
f3:83:67:80:c4:40:33:fb:08:79:9c:01:b6:0f:78:af:27:12:
6f:d3:b7:9f:08:6f:b3:05:1c:5d:a6:27:36:ca:a1:76:83:b6:
47:b1:03:53:f6:d8:b3:1c:ad:2d:44:a9:6c:23:82:4b:e4:0f:
4a:2e:05:78:44:4b:58:65:9d:1a:5e:6b:f6:04:eb:fe:91:15:
c2:48:96:02
- In the output above, this line stands out:
Authority Information Access:
OCSP - URI:http://ipaserver1.example.com:80/ca/ocsp
- The server ipaserver1.example.com is not a part of the IPA cluster (anymore).
- The correct OCSP URI should be http://ipa-ca.example.com/ca/ocsp
Environment
- Red Hat Enterprise Linux 7.9