From: o h. <oh...@ya...> - 2019-04-22 12:26:46
Hi,

Sorry. I was re-reading my message below, and I think that the last line was kind of unclear. What I meant to say with that last line was:

"That seems to suggest that it is at least POSSIBLE, to get an ocspd THAT IS BUILT ON RHEL 6.10, to run on RHEL 6.10?"

Mind you, I don't know *HOW* to do that yet, because the ocspd that I built on RHEL 6.10 segfaults when I run it with any of our CRLs configured (but the ocspd that I built on RHEL 6.10 does work when only the collegeca CRL is configured).

So I am trying to figure out what is different between the collegeca CRL configuration vs. any of my CRL configurations, which is causing ocspd to segfault.

I have tried running in debug and that doesn't really provide much info (it just segfaults) and also tried running ocspd under strace and again, that doesn't give much additional information.

Thanks,
Jim

On Friday, April 19, 2019, 10:07:05 AM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi,

I think that I posted about this earlier, and that I was able to get ocspd running on a RHEL 6.10 instance, by building libpki and ocspd on a RHEL 7.6 system, and then copying the libpki folder and the ocspd folder from the RHEL 7.6 system to the target RHEL 6.10 instance and then building "parallel" GLIBC 2.14 on the RHEL 6.10 system and adding that parallel GLIBC 2.14 to the LD_LIBRARY_PATH.

And that ocspd on RHEL 6.10 then seemed to be able to run, including our normal CRL files, etc. in the configuration.

That seems to suggest that it is at least possible to get the ocspd to run on RHEL 6.10?

Jim

On Thursday, April 18, 2019, 11:24:53 PM UTC, o haya via Openca-ocspd <ope...@li...> wrote:

Hi,

Do you have any idea about what is causing the segfault? It seems like the only CRL it works with now is the collegeca one (at least for me).

What is it about the collegeca one that allows it to work?

Thanks,
Jim

On Thursday, April 18, 2019, 4:15:55 PM UTC, o haya <oh...@ya...> wrote:

[Added the mailing list back into the email... Sorry]

On Thursday, April 18, 2019, 3:04:24 PM UTC, o haya <oh...@ya...> wrote:

I ran the ocspd pointing to our configuration and it looks like this is where it is blowing up:

./ocspd -c /apps/oracle/ocspd/etc/ocspd/ocspd.xml -debug -stdout
...
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:623] [DEBUG] CRL Downloading Process Started [CA: EntrustCA.crl, URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)

On Thursday, April 18, 2019, 2:49:28 PM UTC, o haya <oh...@ya...> wrote:

Hi,

Oh oh... I got the following when I ran ocspd using our normal config files, etc.:

[root@ip-192-168-0-95 init.d]# ./ocspd-bugfixes start
Starting OCSP Responder: ./ocspd-bugfixes: line 39: 10259 Segmentation fault (core dumped) ${ocspd} -c "${conf}" -d
Error, check logs!

Where do I look for the logs that it is mentioning?

Jim

On Thursday, April 18, 2019, 10:59:51 AM UTC, Martin Hecht <he...@hl...> wrote:

Hi Jim,

looks good so far. You still have the example files in the config (the College ca, Dartmouth and example Token configurations, and as far as I can see you have not configured your own CRL location, ca cert etc.). At least in my environment it did not work to the point where it says "NOTICE: Exiting, Glad to serve you, Master!" in debug mode. It has crashed earlier, but maybe it's something with loading the certificate or the crl from file. But maybe you don't run into that problem (e.g. because your ca uses different algorithms).

Martin

On 4/18/19 12:36 PM, o haya wrote:
> Hi Martin,
> I applied the patch file to general.h, and I was able to do the make and make install (FYI, I built the libpki and ocspd into /apps/oracle/libpki-bugfixes and /apps/oracle/ocspd-bugfixes, respectively).
>
> Then, I did a test on RHEL 6.10, and I *think* it worked???
>
> Here's the "-debug -stdout" output:
> [orcladmin@ip-192-168-0-95 sbin]$ $ocspd -c $conf -debug -stdout
>
> OpenCA's OCSP Responder - v3.1.2 (Build: Thu Apr 18 10:21:33 UTC 2019)
> (c) 2002-2018 by Massimiliano Pala and OpenCA Project
> OpenCA licensed software
>
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: OpenCA OCSPD v3.1.2 (Thu Apr 18 10:21:33 UTC 2019)- starting.
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:2574] [DEBUG] ERROR, can not load directory /home/orcladmin/.libpki/profile.d!
> Apr 18 10:31:30 2019 GMT [9346] INFO: [token.c:831] [DEBUG] Can not load profiles (/home/orcladmin/.libpki/profile.d)
>
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file ..
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:866] [DEBUG] Skipping file .
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/collegeca.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:876] [DEBUG] Loading file /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:892] [DEBUG] Loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/ca.d/self-certs.xml file
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/security/chrootDir, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:277] [DEBUG] Selected response digest algorithm: SHA1
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:298] [DEBUG] Selected signature digest algorithm: SHA256
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbUrl, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /serverConfig/general/dbPersistant, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [config.c:394] [DEBUG] Building CA List
> Apr 18 10:31:30 2019 GMT [9346] GENERAL: Processing Configuration for [CA: Dartmouth]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:31:30 2019 GMT [9346] INFO: [pki_socket.c:105] [DEBUG] Creating a SECURE connection (SSL/TLS)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket Connect failed (Unknown host)!
> Apr 18 10:32:33 2019 GMT [9346] ERROR: Socket _Connect failed (Unknown host)
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_socket.c:156] [ERROR] Can not create network connection to collegeca.dartmouth.edu:443
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL []
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: https://collegeca.dartmouth.edu/certs/DartmouthCA.cer, URL: Dartmouth]
> Apr 18 10:32:33 2019 GMT [9346] GENERAL: Processing Configuration for [CA: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /caConfig/caCertValue, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [▒ T]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [config.c:475] [ERROR] Can not get CA cert [CA: etc/ocspd/certs/cacert.pem, URL: MySelf]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:784] [DEBUG] GOT SEARCH PATHS => 1
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:797] [DEBUG] SEARCHING FOR ocspServerToken in dir /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [..]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:696] [DEBUG] Skipping ..
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [eracom.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/eracom.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::Eracom
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:692] [DEBUG] Processing file [software.xml]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:710] [DEBUG] Opening File /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:722] [DEBUG] Getting Name Param...
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:728] [DEBUG] Got Name::ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:736] [DEBUG] File successfully loaded /apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d/software.xml
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:801] [DEBUG] FOUND => ocspServerToken [/apps/oracle/ocspd-bugfixes/etc/ocspd/pki/token.d]
> Apr 18 10:32:33 2019 GMT [9346] INFO: [pki_config.c:412] [DEBUG] Element Not Found [Search: /tokenConfig/password, Position: -1]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [pki_x509_io.c:227] Null Memory Pointer => No data returned from URL [ ▒R]
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:692] Can not load Token certificate
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [token.c:839] Can not load Token's Profile => ocspServerToken
> Apr 18 10:32:33 2019 GMT [9346] ERROR: [core.c:42] [ERROR] Can not load default token (/apps/oracle/ocspd-bugfixes/etc/ocspd/ocspd.xml/ocspServerToken)
> Apr 18 10:32:33 2019 GMT [9346] NOTICE: Exiting, Glad to serve you, Master!
> [orcladmin@ip-192-168-0-95 sbin]$
>
> When I ran the test.sh:
> [orcladmin@ip-192-168-0-95 bin]$ ./test.sh
>
> OCSP Test Script
> (c) 2006 by Massimiliano Pala and OpenCA Team
>
> Test 78 requests (serial 123):
> [111111111111111111111111111111111111111111111111111111111111111111111111111111
> real 0m0.255s
> user 0m0.149s
> sys 0m0.035s
> ]
>
> Does that look all right? I mean, does the ocspd-bugfixes look like it is working?
>
> Jim

_______________________________________________
Openca-ocspd mailing list
Ope...@li...
https://lists.sourceforge.net/lists/listinfo/openca-ocspd
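
Added example, not part of the thread and not OpenCA project code: a small triage script for the `-debug -stdout` log format quoted above. It reports which CA was being processed and the last source location logged before a segfault, and groups ERROR lines by CA. The sample lines are copied from the log in the thread; the names `triage`, `LINE_RE`, `CA_RE` and `SAMPLE` are hypothetical.

```python
import re

# Line format seen in the thread:
#   Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ [\d:]{8} \d{4} GMT) \[(?P<pid>\d+)\] "
    r"(?P<level>[A-Z]+): (?:\[(?P<src>[\w.]+:\d+)\] )?(?P<msg>.*)$"
)
CA_RE = re.compile(r"Processing Configuration for \[CA: (?P<ca>[^\]]+)\]")


def triage(log_text):
    """Return per-CA ERROR messages and the context of a crash, if any."""
    report = {"errors": {}, "crash": None}
    current_ca, last = None, None
    for raw in log_text.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate e-mail quote markers
        if "Segmentation fault" in line:
            # Printed by the shell, not by ocspd, so it has no timestamp.
            report["crash"] = {
                "ca": current_ca,
                "last_src": last and last["src"],
                "last_msg": last and last["msg"],
            }
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        last = m.groupdict()
        ca = CA_RE.search(last["msg"])
        if ca:
            current_ca = ca.group("ca")
        elif last["level"] == "ERROR":
            report["errors"].setdefault(current_ca, []).append(last["msg"])
    return report


# Sample input: the crash log posted in the thread.
SAMPLE = """\
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:394] [DEBUG] Building CA List
Apr 18 14:57:37 2019 GMT [10335] GENERAL: Processing Configuration for [CA: EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [config.c:837] [DEBUG] CRL loaded successfully [URL: file:///apps/oracle/crl/golden/EntrustCA.crl]
Apr 18 14:57:37 2019 GMT [10335] INFO: [crl.c:213] [DEBUG] Got the public key from the CA cert [Scheme: RSA, Key Size: 2048]
Segmentation fault (core dumped)
"""

if __name__ == "__main__":
    print(triage(SAMPLE))
```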