Cloned from BZ https://bugzilla.redhat.com/show_bug.cgi?id=1039281
We're testing httpd + mod_nss + "NSSOCSP on" to verify that certificates are revoked. We get the following errors in the log file:
SSL Library Error: -8071 The OCSP server experienced an internal error
Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
The server works perfectly in ssl mode (NSSOCSP off).
httpd-2.4.6-2.fc18.x86_64
mod_nss-1.0.8-24.fc18.x86_64
ocspd-1.9.0-1.fc18.x86_64
openssl-1.0.1e-30.fc18.x86_64
openssl-libs-1.0.1e-30.fc18.x86_64
Steps to Reproduce:
1. Install mod_nss-1.0.8-24.fc18.x86_64
2. Configure /etc/httpd/conf.d/nss.conf
...
NSSNickname Server-Cert
NSSCertificateDatabase /etc/httpd/alias
NSSVerifyClient require
...
NSSOCSP on
NSSOCSPDefaultResponder on
NSSOCSPDefaultURL http://192.168.88.132:2560
NSSOCSPDefaultName ocspd
...
LogLevel nss:trace2
...
3. Remove certificates from the /etc/httpd/alias NSS database
Response verify OK
jose.crt: good
	This Update: Dec  1 06:56:12 2013 GMT
	Next Update: Dec  7 14:16:58 2013 GMT
Response verify OK
fred.crt: revoked
	This Update: Dec  1 06:56:12 2013 GMT
	Next Update: Dec  7 14:17:48 2013 GMT
	Reason: superseded
	Revocation Time: Dec  1 05:41:26 2013 GMT
Response verify OK
3: revoked
	This Update: Dec  1 06:56:12 2013 GMT
	Next Update: Dec  7 14:18:36 2013 GMT
	Reason: superseded
	Revocation Time: Dec  1 05:41:26 2013 GMT
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

signing-ca                                                   CT,,
root-ca                                                      CT,,
Server-Cert                                                  u,u,u
ocspd                                                        CT,,

certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      d7179b5f122c582cefc61b99d7eb9c2f244c1e19   Server-Cert
"root-ca" [CN=Simple Root CA,OU=Simple Root CA,O=Simple Inc,DC=simple,DC=org]
"signing-ca" [CN=Simple Signing CA,OU=Simple Signing CA,O=Simple Inc,DC=simple,DC=org]
"Server-Cert" [CN=192.168.88.131,OU=Simple Server,O=Simple Inc,DC=simple,DC=org]
"ocspd" [CN=192.168.88.132,OU=Simple OCSPD,O=Simple Inc,DC=simple,DC=org]
Actual results:
[Sat Dec 07 14:28:55.720062 2013] [:error] [pid 6382:tid 140000995559488] SSL Library Error: -8071 The OCSP server experienced an internal error
[Sat Dec 07 14:28:55.720096 2013] [:error] [pid 6382:tid 140000995559488] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.
The server httpd doesn't start.
Expected results:
The server httpd starts and queries the OCSP server, getting an answer like:
"SSL Library Error: -8180 Certificate has been revoked"
when the certificate is revoked.