Hide Forgot
Description of problem: We're testing http + mod_nss + "NSSOCSP on" to verify that certificates are revoked. We get the following errors in log file: -SSL Library Error: -8071 The OCSP server experienced an internal error -Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. The server works perfectly in ssl mode (NSSOCSP off). Version-Release number of selected component (if applicable): httpd-2.4.6-2.fc18.x86_64 mod_nss-1.0.8-24.fc18.x86_64 ocspd-1.9.0-1.fc18.x86_64 openssl-1.0.1e-30.fc18.x86_64 openssl-libs-1.0.1e-30.fc18.x86_64 How reproducible: Easy Steps to Reproduce: 1. Install mod_nss-1.0.8-24.fc18.x86_64 2. Configure /etc/httpd/conf.d/nss.conf ... NSSNickname Server-Cert NSSCertificateDatabase /etc/httpd/alias NSSVerifyClient require ... NSSOCSP on NSSOCSPDefaultResponder on NSSOCSPDefaultURL http://192.168.88.132:2560 NSSOCSPDefaultName ocspd ... LogLevel nss:trace2 ... 3. Remove certificates from /etc/httpd/alias nss database # certutil -K -n Server-Cert -d /etc/httpd/alias # certutil -D -n cacert -d /etc/httpd/alias # certutil -D -n alpha -d /etc/httpd/alias 4. Install new certificates for server and ocsp into /etc/httpd/alias nss database: all certificates have been generated with openssl, with "NSSOCSP off" httpd works perfectly in ssl mode, and the ocsp responder answers to openssl command: # openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -cert jose.crt Response verify OK jose.crt: good This Update: Dec 1 06:56:12 2013 GMT Next Update: Dec 7 14:16:58 2013 GMT # openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -cert fred.crt Response verify OK fred.crt: revoked This Update: Dec 1 06:56:12 2013 GMT Next Update: Dec 7 14:17:48 2013 GMT Reason: superseded Revocation Time: Dec 1 05:41:26 2013 GMT # openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -serial 3 Response verify OK 3: revoked This Update: Dec 1 06:56:12 2013 GMT Next Update: Dec 7 14:18:36 2013 GMT Reason: superseded Revocation Time: Dec 1 05:41:26 2013 GMT # certutil -A -n "signing-ca" -t "CT,," -d /etc/httpd/alias -a -i signing-ca.crt # certutil -A -n "root-ca" -t "CT,," -d /etc/httpd/alias -a -i root-ca.crt # certutil -A -n "ocspd" -t "CT,," -d /etc/httpd/alias -a -i ocspd.crt # openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "Server-Cert" -passout pass:foo # pk12util -i server.p12 -d /etc/httpd/alias -W foo # certutil -L -d /etc/httpd/nssdb/ Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI signing-ca CT,, root-ca CT,, Server-Cert u,u,u ocspd CT,, # certutil -K -d /etc/httpd/nssdb/ certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa d7179b5f122c582cefc61b99d7eb9c2f244c1e19 Server-Cert # certutil -O -n Server-Cert -d /etc/httpd/nssdb/ "root-ca" [CN=Simple Root CA,OU=Simple Root CA,O=Simple Inc,DC=simple,DC=org] "signing-ca" [CN=Simple Signing CA,OU=Simple Signing CA,O=Simple Inc,DC=simple,DC=org] "Server-Cert" [CN=192.168.88.131,OU=Simple Server,O=Simple Inc,DC=simple,DC=org] # certutil -O -n ocspd -d /etc/httpd/alias "root-ca" [CN=Simple Root CA,OU=Simple Root CA,O=Simple Inc,DC=simple,DC=org] "signing-ca" [CN=Simple Signing CA,OU=Simple Signing CA,O=Simple Inc,DC=simple,DC=org] "ocspd" [CN=192.168.88.132,OU=Simple OCSPD,O=Simple Inc,DC=simple,DC=org] Actual results: [Sat Dec 07 14:28:55.720062 2013] [:error] [pid 6382:tid 140000995559488] SSL Library Error: -8071 The OCSP server experienced an internal error [Sat Dec 07 14:28:55.720096 2013] [:error] [pid 6382:tid 140000995559488] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. The server httpd doesn't start. Expected results: The server httpd starts and query de ocsp server with answer like: "SSL Library Error: -8180 Certificate has been revoked" when the certificate is revoked. Additional info:
Hi: I have continued with testing httpd + mod_nss + "NSSOCSP on", I can say the error is due to the ocsp responder is stopped, if the ocsp responder is started httpd starts and the communication with the ocspd works fine. At first I think there was a problem with certificates and their ca chains but not. I think this a serious problem that confusing me with and not referenced in any documentation I read, httpd must start even if ocspd is not started and display the WARNING but this can not be an error, it could be a possible solution to check ocspd at regular intervals. Please, can you solve this? Thanks. José Luis
The initial error message seemed clear to me, stating that the OCSP check failed. It is purposely a big hammer, not starting the server at all, if the certificate cannot be verified. I'd be more inclined to improve the "We aren't starting because..." error message.
This message is a reminder that Fedora 18 is nearing its end of life. Approximately 4 (four) weeks from now Fedora will stop maintaining and issuing updates for Fedora 18. It is Fedora's policy to close all bug reports from releases that are no longer maintained. At that time this bug will be closed as WONTFIX if it remains open with a Fedora 'version' of '18'. Package Maintainer: If you wish for this bug to remain open because you plan to fix it in a currently maintained version, simply change the 'version' to a later Fedora version prior to Fedora 18's end of life. Thank you for reporting this issue and we are sorry that we may not be able to fix it before Fedora 18 is end of life. If you would still like to see this bug fixed and are able to reproduce it against a later version of Fedora, you are encouraged change the 'version' to a later Fedora version prior to Fedora 18's end of life. Although we aim to fix as many bugs as possible during every release's lifetime, sometimes those efforts are overtaken by events. Often a more recent Fedora release includes newer upstream software that fixes bugs or makes them obsolete.
This bug appears to have been reported against 'rawhide' during the Fedora 22 development cycle. Changing version to '22'. More information and reason for this action is here: https://fedoraproject.org/wiki/Fedora_Program_Management/HouseKeeping/Fedora22
Per discussion with rcritten, will try to fix this upstream as time permits for inclusion in some future release. (better OCSP error msg at startup)
Fedora 22 changed to end-of-life (EOL) status on 2016-07-19. Fedora 22 is no longer maintained, which means that it will not receive any further security or bug fix updates. As a result we are closing this bug. If you can reproduce this bug against a currently maintained version of Fedora please feel free to reopen this bug against that version. If you are unable to reopen this bug, please file a new report against the current release. If you experience problems, please add a comment to this bug. Thank you for reporting this bug and we are sorry it could not be fixed.
Re-opening, still need a more descriptive error.
This bug appears to have been reported against 'rawhide' during the Fedora 25 development cycle. Changing version to '25'.
Looked at this again and still think the error was rather clear from a client perspective. It would be nicer if NSS would report better errors but from the context of NSS all I know is that verifying the server certificate failed with a given error code. I could add more text but it would just be restating the problem. I'm going to leave things as-is.