#4 Error: httpd + mod_nss + "NSSOCSP on" -> Unable to verify certificate 'Server-Cert'
Opened 8 years ago by rcritten. Modified 7 years ago

Cloned from BZ https://bugzilla.redhat.com/show_bug.cgi?id=1039281

We're testing http + mod_nss + "NSSOCSP on" to verify that certificates are revoked. We get the following errors in log file:

-SSL Library Error: -8071 The OCSP server experienced an internal error
-Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

The server works perfectly in ssl mode (NSSOCSP off).

httpd-2.4.6-2.fc18.x86_64
mod_nss-1.0.8-24.fc18.x86_64
ocspd-1.9.0-1.fc18.x86_64
openssl-1.0.1e-30.fc18.x86_64
openssl-libs-1.0.1e-30.fc18.x86_64

Steps to Reproduce:

1. Install mod_nss-1.0.8-24.fc18.x86_64

2. Configure /etc/httpd/conf.d/nss.conf

    ...
    NSSNickname Server-Cert
    NSSCertificateDatabase /etc/httpd/alias
    NSSVerifyClient require
    ...
    NSSOCSP on
    NSSOCSPDefaultResponder on
    NSSOCSPDefaultURL http://192.168.88.132:2560
    NSSOCSPDefaultName ocspd
    ...
    LogLevel nss:trace2
    ...

3. Remove certificates from /etc/httpd/alias nss database

    certutil -K -n Server-Cert -d /etc/httpd/alias
    certutil -D -n cacert -d /etc/httpd/alias
    certutil -D -n alpha -d /etc/httpd/alias

4. Install new certificates for server and ocsp into /etc/httpd/alias nss database: all certificates have been generated with openssl; with "NSSOCSP off" httpd works perfectly in ssl mode, and the ocsp responder answers the openssl command:

openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -cert jose.crt

Response verify OK
jose.crt: good
This Update: Dec 1 06:56:12 2013 GMT
Next Update: Dec 7 14:16:58 2013 GMT

openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -cert fred.crt

Response verify OK
fred.crt: revoked
This Update: Dec 1 06:56:12 2013 GMT
Next Update: Dec 7 14:17:48 2013 GMT
Reason: superseded
Revocation Time: Dec 1 05:41:26 2013 GMT

openssl ocsp -issuer signing-ca.crt -VAfile ocspd.crt -url http://192.168.88.132:2560 -serial 3

Response verify OK
3: revoked
This Update: Dec 1 06:56:12 2013 GMT
Next Update: Dec 7 14:18:36 2013 GMT
Reason: superseded
Revocation Time: Dec 1 05:41:26 2013 GMT

certutil -A -n "signing-ca" -t "CT,," -d /etc/httpd/alias -a -i signing-ca.crt

certutil -A -n "root-ca" -t "CT,," -d /etc/httpd/alias -a -i root-ca.crt

certutil -A -n "ocspd" -t "CT,," -d /etc/httpd/alias -a -i ocspd.crt

openssl pkcs12 -export -in server.crt -inkey server.key -out server.p12 -name "Server-Cert" -passout pass:foo

pk12util -i server.p12 -d /etc/httpd/alias -W foo

certutil -L -d /etc/httpd/nssdb/

Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI

signing-ca CT,,
root-ca CT,,
Server-Cert u,u,u
ocspd CT,,

certutil -K -d /etc/httpd/nssdb/

certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa d7179b5f122c582cefc61b99d7eb9c2f244c1e19 Server-Cert

certutil -O -n Server-Cert -d /etc/httpd/nssdb/

"root-ca" [CN=Simple Root CA,OU=Simple Root CA,O=Simple Inc,DC=simple,DC=org]

"signing-ca" [CN=Simple Signing CA,OU=Simple Signing CA,O=Simple Inc,DC=simple,DC=org]

"Server-Cert" [CN=192.168.88.131,OU=Simple Server,O=Simple Inc,DC=simple,DC=org]

certutil -O -n ocspd -d /etc/httpd/alias

"root-ca" [CN=Simple Root CA,OU=Simple Root CA,O=Simple Inc,DC=simple,DC=org]

"signing-ca" [CN=Simple Signing CA,OU=Simple Signing CA,O=Simple Inc,DC=simple,DC=org]

"ocspd" [CN=192.168.88.132,OU=Simple OCSPD,O=Simple Inc,DC=simple,DC=org]

Actual results:

[Sat Dec 07 14:28:55.720062 2013] [:error] [pid 6382:tid 140000995559488] SSL Library Error: -8071 The OCSP server experienced an internal error
[Sat Dec 07 14:28:55.720096 2013] [:error] [pid 6382:tid 140000995559488] Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved.

The server httpd doesn't start.

Expected results:

The server httpd starts and queries the OCSP server, with an answer like:

"SSL Library Error: -8180 Certificate has been revoked"

when the certificate is revoked.
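A pre-flight script a practitioner might run before setting `NSSOCSP on`, added here as an example that is not part of the ticket: it asks NSS to verify the server nickname and classifies the reply to the same `openssl ocsp` query the report runs by hand, so a responder-side failure (the `-8071` case above) is told apart from a genuine revocation. The database path, nickname and responder URL are the ones in the report; the certificate file names passed as arguments, and the sample responder output used to exercise the classifier, are assumptions.

```shell
#!/bin/sh
# Pre-flight check before enabling "NSSOCSP on" in nss.conf.
# 1) asks NSS itself whether the server nickname verifies as an SSL server cert,
# 2) runs the same "openssl ocsp" query the ticket uses and maps its text to a
#    status word, so a responder-side failure (NSS -8071, OCSP response status
#    internalError) is told apart from a genuine "revoked" answer.
# NSSDB, NICK and OCSP_URL default to the values in the ticket; the .crt file
# names given on the command line are assumptions.
NSSDB=${NSSDB:-/etc/httpd/alias}
NICK=${NICK:-Server-Cert}
OCSP_URL=${OCSP_URL:-http://192.168.88.132:2560}

# classify_ocsp_output: read "openssl ocsp" output on stdin, print one word:
#   good | revoked | responder-error | verify-failed | unknown
# "Responder Error:" covers internalerror/trylater/unauthorized replies, i.e.
# the responder never issued a usable status; "Response Verify Failure" means
# a reply came back but its signer is not trusted (-VAfile/-CAfile).
classify_ocsp_output() {
    out=$(cat)
    case "$out" in
        *"Responder Error:"*)        echo responder-error ;;
        *"Response Verify Failure"*) echo verify-failed ;;
        *": revoked"*)               echo revoked ;;
        *": good"*)                  echo good ;;
        *)                           echo unknown ;;
    esac
}

# check_chain: certutil -V with usage V (SSL server) and signature checking,
# roughly the verification mod_nss applies to NSSNickname at startup.
check_chain() {
    certutil -V -u V -e -n "$NICK" -d "$NSSDB"
}

# query_responder ISSUER.crt RESPONDER.crt SUBJECT.crt -> status word
query_responder() {
    openssl ocsp -issuer "$1" -VAfile "$2" -url "$OCSP_URL" -cert "$3" 2>&1 \
        | classify_ocsp_output
}

# Only run the live checks when the three certificate files are supplied;
# sourcing the file without arguments just defines the functions.
if [ "$#" -eq 3 ]; then
    check_chain || { echo "chain check failed for $NICK in $NSSDB" >&2; exit 1; }
    status=$(query_responder "$1" "$2" "$3")
    echo "$3: $status"
    [ "$status" = good ] || [ "$status" = revoked ] || exit 2
fi
```

Run it as `sh ocsp-preflight.sh signing-ca.crt ocspd.crt server.crt`; exit status 2 means the responder answered with something other than good/revoked, which is the situation that stops httpd once NSSOCSP is on.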

