#1540 Publishing CRLs to the OCSP of another security domain fails with error "Peer does not recognize and trust the CA that issued your certificate"
Closed: Invalid. Opened 8 years ago by mrniranjan.

I have 2 hosts:

host1: pki2.example.org has the following subsystems: CA, KRA, OCSP

host2: pki3.example.org has a CA belonging to a different security domain

Configured publishing on pki3 to publish CRLs to the OCSP:

ca.publish.publisher.instance.ocsp1.enableClientAuth=true
ca.publish.publisher.instance.ocsp1.host=pki2.example.org
ca.publish.publisher.instance.ocsp1.nickName=subsystemCert cert-Foobar1-CA
ca.publish.publisher.instance.ocsp1.path=/ocsp/agent/ocsp/addCRL
ca.publish.publisher.instance.ocsp1.pluginName=OCSPPublisher
ca.publish.publisher.instance.ocsp1.port=14444

A user was created on the OCSP instance with the subsystem certificate of the CA belonging to host2.

Also, the CA of host2 was added through the OCSP Agent Interface.

When publishing CRLs from host2 to the OCSP on host1, it fails with the error:

[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: OCSPPublisher: Host='pki2.example.org' Port='14444' URL='/ocsp/agent/ocsp/addCRL'
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: OCSPPublisher: publish failed org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-12195) Peer does not recognize and trust the CA that issued your certificate.
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: CRL published.
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: findNextUpdate: fromLastUpdate: true  delta: false
[05/Aug/2015:02:07:47][CRLIssuingPoint-MasterCRL]: findNextUpdate:  Wed Aug 05 05:00:00 EDT 2015  delay: 10332867
[05/Aug/2015:02:11:08][Timer-0]: In LdapBoundConnFactory::getConn()

Note: All the above subsystems are configured with ECC.

Steps to Reproduce:

1. Configure CA1 and OCSP1 subsystem with ECC on Host1
2. Configure CA2 with ECC on host2
3. Configure publishing on CA2 to publish CRLs to OCSP1
4. Add CA2 CA cert to OCSP1

Actual results:

CRL publishing fails.

Expected results:

CRL publishing should succeed

Additional info:

Host1, CA1's instance configuration file:

[DEFAULT]
pki_instance_name=example-ecc-ca1
pki_https_port=8443
pki_http_port=8080

#NSS DB Token Password
pki_token_password=Secret123

#Admin Password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki2.example.org
pki_security_domain_name=Example Org
pki_security_domain_password=Secret123

#client Dir
pki_client_dir=/opt/example-ecc-ca1
pki_client_pkcs12_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005

[CA]
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ca_signing_subject_dn=cn=CA Signing Certificate3,o=%(pki_security_domain_name)s
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_subject_dn=cn=OCSP Signing Certificate3,o=%(pki_security_domain_name)s
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_subject_dn=cn=CA Audit Signing Certificate3,o=%(pki_security_domain_name)s
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-Foobar1-ca3
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_subsystem_subject_dn=cn=Subsystem Certificate3,o=%(pki_security_domain_name)s
pki_subsystem_nickname=subsystemCert cert-%(pki_instance_name)s
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123

OCSP1 instance configuration file:

[DEFAULT]
pki_instance_name=example-ecc-ocsp1
pki_https_port=14443
pki_http_port=14080

#NSS DB Token Password
pki_token_password=Secret123

#OCSP Admin password
pki_admin_password=Secret123
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123

# Security Domain
pki_security_domain_hostname=pki2.example.org
pki_security_domain_https_port=8443
pki_security_domain_user=caadmin
pki_security_domain_password=Secret123

#Client Dir
pki_client_dir=/opt/example-ecc-ocsp1
pki_client_pkcs12_password=Secret123
pki_client_database_password=Secret123

# backup
pki_backup_keys=True
pki_backup_password=Secret123
[Tomcat]
pki_ajp_port=14009
pki_tomcat_server_port=14005

[OCSP]
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_ocsp_signing_key_type=rsa
pki_ocsp_signing_key_size=2048
pki_ocsp_signing_key_algorithm=SHA256withRSA
pki_ocsp_signing_signing_algorithm=SHA256withRSA
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_import_admin_cert=False
pki_issuing_ca_uri=https://pki2.example.org:8443
pki_ds_hostname=localhost
pki_ds_ldap_port=2389
pki_ds_bind_dn=cn=Directory Manager
pki_ds_password=Secret123
pki_ds_secure_connection=False

CA2 instance configuration file:

[DEFAULT]
pki_instance_name=Foobar1-CA
pki_https_port=8443
pki_http_port=8080

#NSS DB Token Password
pki_token_password=Secret123

#Admin Password
pki_admin_dualkey=True
pki_admin_keysize=nistp256
pki_admin_key_type=ecc
pki_admin_password=Secret123

#Security Domain
pki_hostname=pki3.example.org
pki_security_domain_name=Foobar.org
pki_security_domain_password=Secret123

#client Dir
pki_client_dir=/opt/Foobar1-CA
pki_client_pkcs12_password=Secret123

#Backup
pki_backup_keys=True
pki_backup_password=Secret123

[Tomcat]
pki_ajp_port=8009
pki_tomcat_server_port=8005

[CA]
pki_admin_nickname=PKI Administrator for Foobar Org
pki_import_admin_cert=False
pki_ca_signing_key_type=ecc
pki_ca_signing_key_size=nistp256
pki_ca_signing_key_algorithm=SHA256withEC
pki_ca_signing_signing_algorithm=SHA256withEC
pki_ocsp_signing_key_type=ecc
pki_ocsp_signing_key_size=nistp256
pki_ocsp_signing_key_algorithm=SHA256withEC
pki_ocsp_signing_signing_algorithm=SHA256withEC
pki_audit_signing_key_type=rsa
pki_audit_signing_key_size=2048
pki_audit_signing_key_algorithm=SHA256withRSA
pki_audit_signing_signing_algorithm=SHA256withRSA
pki_ssl_server_key_type=ecc
pki_ssl_server_key_size=nistp256
pki_ssl_server_key_algorithm=SHA256withEC
pki_ssl_server_signing_algorithm=SHA256withEC
pki_ssl_server_nickname=Server-Cert cert-pki-RootCA
pki_subsystem_key_type=ecc
pki_subsystem_key_size=nistp256
pki_subsystem_key_algorithm=SHA256withEC
pki_subsystem_signing_algorithm=SHA256withEC
pki_ds_hostname=localhost
pki_ds_ldap_port=389
pki_ds_password=Secret123

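As an added illustration (not the ticket's or Dogtag's code), this Go program models the client-auth check behind NSS error -12195: OCSP1's trust store holds only its own domain's CA, so a subsystem certificate issued by the foreign CA2 cannot chain to any trusted root until CA2's signing certificate is trusted there as well, independently of CA2 being registered through the agent interface. The PKI is constructed in memory with names borrowed from the configs above; Go's crypto/x509 stands in for the JSS/NSS trust check.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// mkCert mints a nistp256 cert for cn: a self-signed root CA when parent is nil, else an end-entity cert issued by parent (constructed test PKI).
func mkCert(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// peerTrusts is the server-side client-auth check: can the presented cert chain to a root in the OCSP's own trust store?
func peerTrusts(client *x509.Certificate, roots *x509.CertPool) bool {
	_, err := client.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil
}

// Scenario reports whether OCSP1 accepts CA2's subsystem cert with only CA1 trusted, and again once CA2 is trusted too.
func Scenario() (before, after bool) {
	ca1, _ := mkCert("CA Signing Certificate3", nil, nil)                    // CA1: OCSP1's own security domain
	ca2, ca2Key := mkCert("CA Signing Certificate", nil, nil)                // CA2: the foreign security domain
	subsys, _ := mkCert("subsystemCert cert-Foobar1-CA", ca2, ca2Key)        // the publisher's client cert
	ocspTrust := x509.NewCertPool()
	ocspTrust.AddCert(ca1) // what OCSP1's NSS DB trusts after a normal install
	before = peerTrusts(subsys, ocspTrust)
	ocspTrust.AddCert(ca2) // the missing step: CA2's signing cert trusted as a client-auth CA by the OCSP
	after = peerTrusts(subsys, ocspTrust)
	return before, after
}
```
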
Per today's meeting, this is not an expected scenario. Close won't fix.

Metadata Update from @mrniranjan:
- Issue set to the milestone: 10.2.6

7 years ago

Dogtag PKI is moving from Pagure issues to GitHub issues. This means that existing or new
issues will be reported and tracked through Dogtag PKI's GitHub Issue tracker.

This issue has been cloned to GitHub and is available here:
https://github.com/dogtagpki/pki/issues/2099

If you want to receive further updates on the issue, please navigate to the
GitHub issue and click on Subscribe button.

Thank you for understanding, and we apologize for any inconvenience.
