Bug 1657922 - CC: CA/OCSP startup fail on SystemCertsVerification if enableOCSP is true [rhel-7.6.z] [NEEDINFO]
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.6
Hardware: Unspecified
OS: Unspecified
Target Milestone: rc
Assignee: Jack Magne
QA Contact: Asha Akkiangady
Marc Muehlfeld
Depends On: 1641119
Reported: 2018-12-10 18:15 UTC by RAD team bot copy to z-stream
Modified: 2019-01-29 17:22 UTC

Fixed In Version: pki-core-10.5.9-9.el7_6
Doc Type: Bug Fix
Doc Text:
Previously, when a CA or OCSP subsystem that was configured with OCSP checking was restarted, a self test in Certificate System checked the validity of the subsystem certificates in a subsystem. Due to the presence of OCSP checking, the subsystem failed to start. With this update, the server performs a simpler set of certificate validity tests which do not cause the mentioned problem. As a result, restarting a CA or OCSP subsystem with OCSP checking works correctly. If OCSP checking is not configured and you require the full certificate validity tests, you can restore the old behavior by setting "selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify=true" in the CS.cfg file.
Clone Of: 1641119
Last Closed: 2019-01-29 17:21:57 UTC
Target Upstream Version:
mmuehlfe: needinfo? (jmagne)

System | ID | Private | Priority | Status | Summary | Last Updated
Red Hat Product Errata | RHBA-2019:0168 | 0 | None | None | None | 2019-01-29 17:22:00 UTC

Description RAD team bot copy to z-stream 2018-12-10 18:15:14 UTC
This bug has been copied from bug #1641119 and has been proposed to be backported to 7.6 z-stream (EUS).

Comment 2 Matthew Harmsen 2018-12-10 23:41:44 UTC
Test Procedure:

see https://bugzilla.redhat.com/show_bug.cgi?id=1641119#c6

Comment 6 Amol K 2019-01-16 12:41:47 UTC
I tested this BZ on 10.5.9-10.el7_6 version.

I tried the steps which are mentioned in #c2. 

- Installation of standalone CA, KRA and OCSP
- Restarted the subsystem and observed the logs.
- Set selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify=true in the subsystem's CS.cfg file.
- Restarted the subsystem
- I could see that there are different logs after setting selftests.plugin.SystemCertsVerification.FullCAandOCSPVerify=true.

Which is working as expected.

Marking this bug verified.

Comment 9 errata-xmlrpc 2019-01-29 17:21:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

