error when testing OCSP

rama
2013-04-28
2013-04-29
  • rama
    2013-04-28

    Hi,

    I installed OCSP successfully, but when I tried to test it, this error occurs:

    2013-04-28 16:49:23,254 WARN [org.ejbca.version.log] (main) Init, EJBCA 4.0.12 (r15355) OCSP startup
    2013-04-28 16:49:23,254 INFO [org.ejbca.core.protocol.ocsp.standalonesession.StandAloneSession] (main) Key renewal is not enabled.
    2013-04-28 16:49:23,270 INFO [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (main) No card password specified.
    2013-04-28 16:49:23,770 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (main) You have not specified ocsp.p11.p11password at build time. So you need to do a manual activation.
    2013-04-28 16:49:23,879 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (main) No valid keys. Key directory C:\Users\ejbca\Desktop\repinstall\jboss-5.1.0.GA-jdk6\jboss-5.1.0.GA\bin\keys. No P11 defined.
    2013-04-28 16:49:23,911 INFO [org.apache.coyote.http11.Http11Protocol] (main) Démarrage de Coyote HTTP/1.1 sur http-0.0.0.0-8080
    2013-04-28 16:49:23,911 INFO [org.apache.coyote.ajp.AjpProtocol] (main) Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
    2013-04-28 16:49:23,911 INFO [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)] Started in 26s:123ms
    2013-04-28 16:49:40,222 INFO [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No card password specified.
    2013-04-28 16:49:40,722 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) You have not specified ocsp.p11.p11password at build time. So you need to do a manual activation.
    2013-04-28 16:49:40,722 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No valid keys. Key directory C:\Users\ejbca\Desktop\repinstall\jboss-5.1.0.GA-jdk6\jboss-5.1.0.GA\bin\keys. No P11 defined.
    2013-04-28 16:49:40,722 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Received OCSP request for certificate with serNo: 3e797bf6b6bd52c9, and issuerNameHash: 144be2b144af122a9622fcb48c4daf0bdf7dc669. Client ip 192.168.5.107.
    2013-04-28 16:49:40,753 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Unable to find CA certificate by issuer name hash: 144be2b144af122a9622fcb48c4daf0bdf7dc669, or even the default responder: CN=test-AD-CA,O=EJBCA Sample,C=SE.
    2013-04-28 16:49:40,753 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Unable to find CA certificate and key to generate OCSP response.
    2013-04-28 16:49:40,753 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Error processing OCSP request. Message: Unable to find CA certificate and key to generate OCSP response..
    javax.servlet.ServletException: Unable to find CA certificate and key to generate OCSP response.
    at org.ejbca.ui.web.protocol.OCSPServletBase.serviceOCSP(OCSPServletBase.java:942)
    at org.ejbca.ui.web.protocol.OCSPServletBase.doPost(OCSPServletBase.java:380)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:637)
    at javax.servlet.http.HttpServlet.service(HttpServlet.java:717)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:290)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.jboss.web.tomcat.filters.ReplyHeaderFilter.doFilter(ReplyHeaderFilter.java:96)
    at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:235)
    at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:206)
    at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:235)
    at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:191)
    at org.jboss.web.tomcat.security.SecurityAssociationValve.invoke(SecurityAssociationValve.java:190)
    at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:433)
    at org.jboss.web.tomcat.security.JaccContextValve.invoke(JaccContextValve.java:92)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.process(SecurityContextEstablishmentValve.java:126)
    at org.jboss.web.tomcat.security.SecurityContextEstablishmentValve.invoke(SecurityContextEstablishmentValve.java:70)
    at org.apache.catalina.core.StandardHostValve.invoke(StandardHostValve.java:127)
    at org.apache.catalina.valves.ErrorReportValve.invoke(ErrorReportValve.java:102)
    at org.jboss.web.tomcat.service.jca.CachedConnectionValve.invoke(CachedConnectionValve.java:158)
    at org.apache.catalina.core.StandardEngineValve.invoke(StandardEngineValve.java:109)
    at org.apache.catalina.connector.CoyoteAdapter.service(CoyoteAdapter.java:330)
    at org.apache.coyote.http11.Http11Processor.process(Http11Processor.java:829)
    at org.apache.coyote.http11.Http11Protocol$Http11ConnectionHandler.process(Http11Protocol.java:598)
    at org.apache.tomcat.util.net.JIoEndpoint$Worker.run(JIoEndpoint.java:447)
    at java.lang.Thread.run(Thread.java:662)

     
  • Mike Kushner
    2013-04-29

    Hi Rama,
    This is most likely because you haven't set the value ocsp.defaultresponder to a valid CA in ocsp.properties. You are making a request for an unknown CA, and EJBCA is trying and failing to sign that response.

    Cheers,
    Mike Kushner
    Developer, Primekey Solutions


    PrimeKey Solutions offers commercial EJBCA and SignServer support
    subscriptions and training courses. Please see www.primekey.se or
    contact info@primekey.se for more information.
    http://www.primekey.se/Services/Support/
    http://www.primekey.se/Services/Training/


     
  • rama
    2013-04-29

    Hi again,
    Actually, the value ocsp.defaultresponder is set to a valid CA in ocsp.properties on both the EJBCA machine with IP 192.168.5.107 and the OCSP machine with IP 192.168.5.102,

    and I checked the database of OCSP; it contains one row, which is the CA certificate.

    I don't understand, please help me :)

     
  • Mike Kushner
    2013-04-29

    Are you 100% sure you've set the correct DN for the CA certificate for ocsp.defaultresponder?

    Cheers,
    Mike Kushner
    Developer, Primekey Solutions

     
  • rama
    2013-04-29

    Yes, actually 1000%; it is 'CN=test-AD-CA , O=EJBCA Sample , C=SE'

    and this certificate exists in the OCSP database, I have already checked, and this is my log after another trial.

    2013-04-29 10:35:47,019 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (main) No valid keys. Key directory C:\Users\ejbca\Desktop\repinstall\jboss-5.1.0.GA-jdk6\jboss-5.1.0.GA\bin\keys. No P11 defined.
    2013-04-29 10:35:47,050 INFO [org.apache.coyote.http11.Http11Protocol] (main) Démarrage de Coyote HTTP/1.1 sur http-0.0.0.0-8080
    2013-04-29 10:35:47,066 INFO [org.apache.coyote.ajp.AjpProtocol] (main) Starting Coyote AJP/1.3 on ajp-127.0.0.1-8009
    2013-04-29 10:35:47,066 INFO [org.jboss.bootstrap.microcontainer.ServerImpl] (main) JBoss (Microcontainer) [5.1.0.GA (build: SVNTag=JBoss_5_1_0_GA date=200905221634)] Started in 26s:917ms
    2013-04-29 10:38:05,010 INFO [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No card password specified.
    2013-04-29 10:38:05,510 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) You have not specified ocsp.p11.p11password at build time. So you need to do a manual activation.
    2013-04-29 10:38:05,510 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) Signing certificate with serial number 41BFEF9C6CD17DBE from issuer CN=test-AD-CA,O=EJBCA Sample,C=SE can not be found in database (signing- and CA-certs must be published to OCSP responder).
    2013-04-29 10:38:05,526 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) Signing certificate with serial number 41BFEF9C6CD17DBE from issuer CN=test-AD-CA,O=EJBCA Sample,C=SE can not be found in database (signing- and CA-certs must be published to OCSP responder).
    2013-04-29 10:38:05,526 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No valid keys. Key directory C:\Users\ejbca\Desktop\repinstall\jboss-5.1.0.GA-jdk6\jboss-5.1.0.GA\bin\keys. No P11 defined.
    2013-04-29 10:38:05,526 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Received OCSP request for certificate with serNo: 3e797bf6b6bd52c9, and issuerNameHash: 144be2b144af122a9622fcb48c4daf0bdf7dc669. Client ip 192.168.5.107.
    2013-04-29 10:38:05,541 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Unable to find CA certificate by issuer name hash: 144be2b144af122a9622fcb48c4daf0bdf7dc669, or even the default responder: CN=test-AD-CA,O=EJBCA Sample,C=SE.
    2013-04-29 10:38:05,541 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Unable to find CA certificate and key to generate OCSP response.
    2013-04-29 10:38:05,541 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Error processing OCSP request. Message: Unable to find CA certificate and key to generate OCSP response..
    javax.servlet.ServletException: Unable to find CA certificate and key to generate OCSP response.
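
An added example, not part of the original thread and not EJBCA code: a small Python triage script that pulls the responder's own findings out of log output like the one posted above (key directory with no usable keys, signing certificates it cannot find in its database, and requests for which the CA lookup failed). The line layout and message wording are assumed to match the lines quoted in the posts; the function and field names are hypothetical.

```python
import re

# Log lines copied verbatim from the second log posted in this thread.
SAMPLE = r"""
2013-04-29 10:38:05,510 WARN [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) Signing certificate with serial number 41BFEF9C6CD17DBE from issuer CN=test-AD-CA,O=EJBCA Sample,C=SE can not be found in database (signing- and CA-certs must be published to OCSP responder).
2013-04-29 10:38:05,526 ERROR [org.ejbca.core.protocol.ocsp.standalonesession.SigningEntityContainer] (http-0.0.0.0-8080-1) No valid keys. Key directory C:\Users\ejbca\Desktop\repinstall\jboss-5.1.0.GA-jdk6\jboss-5.1.0.GA\bin\keys. No P11 defined.
2013-04-29 10:38:05,526 INFO [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Received OCSP request for certificate with serNo: 3e797bf6b6bd52c9, and issuerNameHash: 144be2b144af122a9622fcb48c4daf0bdf7dc669. Client ip 192.168.5.107.
2013-04-29 10:38:05,541 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Unable to find CA certificate by issuer name hash: 144be2b144af122a9622fcb48c4daf0bdf7dc669, or even the default responder: CN=test-AD-CA,O=EJBCA Sample,C=SE.
2013-04-29 10:38:05,541 ERROR [org.ejbca.ui.web.protocol.OCSPServletBase] (http-0.0.0.0-8080-1) Unable to find CA certificate and key to generate OCSP response.
""".strip().splitlines()

# Assumed layout: "<date> <time> <LEVEL> [<logger>] (<thread>) <message>", as in the posts.
LINE = re.compile(r"^(\S+ \S+) (\w+)\s+\[([^\]]+)\] \(([^)]+)\) (.*)$")
PATTERNS = {
    "no_keys": re.compile(r"No valid keys\. Key directory (.+?)\. No P11 defined\."),
    "unpublished": re.compile(r"Signing certificate with serial number (\w+) from issuer (.+?) can not be found in database"),
    "request": re.compile(r"Received OCSP request for certificate with serNo: (\w+), and issuerNameHash: (\w+)\. Client ip ([\d.]+)\."),
    "no_ca": re.compile(r"Unable to find CA certificate by issuer name hash: (\w+), or even the default responder: (.+)\.$"),
}

def triage(lines):
    """Collect what the responder reported: empty key dirs, unpublished signer certs, failed CA lookups."""
    report = {"key_dirs": set(), "unpublished": set(), "requests": []}
    open_req = {}  # thread name -> most recent request seen on that thread
    for raw in lines:
        m = LINE.match(raw.strip())
        if not m:
            continue  # stack-trace frames, blank lines
        ts, _level, _logger, thread, msg = m.groups()
        for kind, pat in PATTERNS.items():
            hit = pat.search(msg)
            if not hit:
                continue
            if kind == "no_keys":
                report["key_dirs"].add(hit.group(1))
            elif kind == "unpublished":
                report["unpublished"].add(hit.groups())  # (serial, issuer DN)
            elif kind == "request":
                rec = {"time": ts, "serial": hit.group(1), "issuer_name_hash": hit.group(2),
                       "client": hit.group(3), "ca_lookup_failed": False, "default_responder": None}
                open_req[thread] = rec
                report["requests"].append(rec)
            elif kind == "no_ca" and open_req.get(thread, {}).get("issuer_name_hash") == hit.group(1):
                open_req[thread].update(ca_lookup_failed=True, default_responder=hit.group(2))
    return report

if __name__ == "__main__":
    r = triage(SAMPLE)
    print("key directories without valid keys:", sorted(r["key_dirs"]))
    print("signing certs missing from responder DB:", sorted(r["unpublished"]))
    for req in r["requests"]:
        print(req)
```
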