Bug 1657922

Summary: CC: CA/OCSP startup fail on SystemCertsVerification if enableOCSP is true [rhel-7.6.z]
Product: Red Hat Enterprise Linux 7
Reporter: RAD team bot copy to z-stream <autobot-eus-copy>
Component: pki-core
Assignee: Jack Magne <jmagne>
Status: CLOSED ERRATA
QA Contact: Asha Akkiangady <aakkiang>
Severity: unspecified
Docs Contact: Marc Muehlfeld <mmuehlfe>
Priority: high
Version: 7.6
CC: akahat, jmagne, mharmsen
Target Milestone: rc
Keywords: TestCaseProvided, ZStream
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Fixed In Version: pki-core-10.5.9-9.el7_6
Doc Type: Bug Fix
Doc Text:
Previously, when a CA or OCSP subsystem that was configured with OCSP checking was restarted, a self test in Certificate System checked the validity of the subsystem certificates in a subsystem. Due to the presence of OCSP checking, the subsystem failed to start. With this update, the server performs a simpler set of certificate validity tests which do not cause the mentioned problem. As a result, restarting a CA or OCSP subsystem with OCSP checking works correctly. If OCSP checking is not configured and you require the full certificate validity tests, you can restore the old behavior by setting "selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify=true" in the CS.cfg file.
Clone Of: 1641119
Last Closed: 2019-01-29 17:21:57 UTC
Bug Depends On: 1641119

Description RAD team bot copy to z-stream 2018-12-10 18:15:14 UTC
This bug has been copied from bug #1641119 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-12-10 23:41:44 UTC
Test Procedure:

see https://bugzilla.redhat.com/show_bug.cgi?id=1641119#c6

Comment 6 Amol K 2019-01-16 12:41:47 UTC
I tested this BZ on version 10.5.9-10.el7_6.

I tried the steps which are mentioned in #c2.

- Installation of standalone CA, KRA and OCSP
- Restarted the subsystem and observed the logs.
- Set selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify=true in the subsystem's CS.cfg file.
- Restarted the subsystem.
- I could see that there are different logs after setting selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify=true.

Which is working as expected.

Marking this bug verified.

Comment 9 errata-xmlrpc 2019-01-29 17:21:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0168

Comment 10 Red Hat Bugzilla 2023-09-14 04:43:34 UTC
The needinfo request[s] on this closed bug have been removed as they have been unresolved for 1000 days