Comments (7)

petkivim avatar petkivim commented on May 19, 2024

Hi @darapenhchet

Have you checked that the OCSP responder and Security Server host system clocks are in sync? If the clocks are not in sync it could cause the system to behave so that the authentication certificate is not valid all the time, because the OCSP response is not valid.

An OCSP response is considered invalid if:

  1. it is older than the time period defined by the ocspFreshnessSeconds (by default 60 minutes) - if the OCSP response was issued over 60 minutes ago (thisUpdate was over 60 minutes ago), it is considered invalid by the Security Server. It is possible to increase the ocspFreshnessSeconds value. Instructions.
  2. the nextUpdate value in the OCSP response is in the past. It is possible to disable the verification of the nextUpdate value on the Security Server. Instructions.

You should check your OCSP responder's configuration - how often new OCSP responses are published and for how long they're valid, and update the X-Road configuration accordingly. In case your OCSP responder is CRL based, the values depend on the CRL update interval.

Best regards,
Petteri

from x-road.

darapenhchet avatar darapenhchet commented on May 19, 2024

Dear @petkivim ,
Thank you so much for your help. It works now and I will check the OCSP Responder's configuration.

Best Regards,
Dara Penhchet

from x-road.

darapenhchet avatar darapenhchet commented on May 19, 2024

Dear @petkivim ,
I have checked the log already. It checks the OCSP every 20 minutes and after that it said the OCSP Response is too old. Do you have any ideas about this problem?

image

Best Regards,
Dara Penhchet

from x-road.

petkivim avatar petkivim commented on May 19, 2024

Hi @darapenhchet

The problem is that the OCSP response returned by the OCSP responder is considered too old by the Security Server. As explained above, the OCSP response cannot be more than 60 minutes old. The thisUpdate field of the OCSP response contains the date/time when the response was issued. Based on the log the OCSP response was issued at Wed Sep 18 03:29:19 ICT 2019. When the OCSP check runs at 2019-09-18 04:45:44:143 the difference between the execution date/time and thisUpdate field value is over 60 minutes.

The problem can be fixed by increasing the value of the ocspFreshnessSeconds setting on the Central Server (instructions). However, to be able to set the value right, you must first check 1) how often new OCSP responses are issued and 2) for how long an OCSP response is valid. Then you must adjust the ocspFreshnessSeconds value accordingly.

Best regards,
Petteri

from x-road.
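The two validity rules and the timestamps from the comment above, worked through as an added example (not X-Road code and not part of the original thread). The function names, the 3600-second responder publish interval and the assumption that both log timestamps are in ICT are illustrative; `worst_cached_age` is a simplified model of a responder that serves pre-generated responses to a Security Server fetching every 20 minutes.

```python
from datetime import datetime, timedelta, timezone

ICT = timezone(timedelta(hours=7))  # assumption: both log timestamps are in ICT

def check_ocsp_response(this_update, next_update, now,
                        freshness_seconds=3600, verify_next_update=True):
    """Apply the two rules listed in the thread; returns (valid, reason)."""
    age = (now - this_update).total_seconds()
    # Rule 1: thisUpdate is older than ocspFreshnessSeconds.
    if age > freshness_seconds:
        return False, f"too old: {age:.0f}s > ocspFreshnessSeconds={freshness_seconds}"
    # Rule 2: nextUpdate is in the past (this check can be disabled).
    if verify_next_update and next_update is not None and next_update < now:
        return False, "nextUpdate is in the past"
    return True, "ok"

def worst_cached_age(publish_interval_s, fetch_interval_s=1200,
                     fetch_offset_s=0, horizon_s=86400):
    """Simplified model: the responder issues a new response every
    publish_interval_s seconds and the server refetches every
    fetch_interval_s seconds. Returns the largest age (seconds) a cached
    response reaches just before the next fetch replaces it."""
    worst = 0
    t = fetch_offset_s
    while t + fetch_interval_s <= horizon_s:
        # Newest response available at fetch time t.
        issued = (t // publish_interval_s) * publish_interval_s
        worst = max(worst, t + fetch_interval_s - issued)
        t += fetch_interval_s
    return worst

# Timestamps quoted in the comment above.
THIS_UPDATE = datetime(2019, 9, 18, 3, 29, 19, tzinfo=ICT)
CHECK_TIME = datetime(2019, 9, 18, 4, 45, 44, 143000, tzinfo=ICT)

if __name__ == "__main__":
    # Default 60-minute freshness: the response is rejected as too old.
    print(check_ocsp_response(THIS_UPDATE, None, CHECK_TIME))
    # Constructed larger setting (5400 s): the same response is accepted.
    print(check_ocsp_response(THIS_UPDATE, None, CHECK_TIME, freshness_seconds=5400))
    # Constructed hourly responder, fetches starting 10 minutes past the hour:
    # the cached response reaches 4200 s, so a 3600 s limit fails intermittently.
    print(worst_cached_age(3600, fetch_offset_s=600))
```

In this model the freshness setting has to cover the responder's publish interval plus the fetch interval, which is why a response can pass right after a fetch and fail later in the same cycle.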

darapenhchet avatar darapenhchet commented on May 19, 2024

Dear @petkivim ,

Right now it works. Do you know when the OCSP-response refresh cycle started?

image

Best Regards,
Dara Penhchet

from x-road.

petkivim avatar petkivim commented on May 19, 2024

Hi @darapenhchet

The very first line of the signer log shows that fetching OCSP responses failed for some reason. When fetching OCSP responses fails, the Security Server starts a recovery algorithm - it tries to fetch OCSP responses once in a minute until the operation succeeds and returns back to the normal schedule after that (which is every 20 minutes by default). However, the root cause of your problem and how to fix it is explained in my previous comment.

Best regards,
Petteri

from x-road.

darapenhchet avatar darapenhchet commented on May 19, 2024

Dear @petkivim

Thank you so much. I will try to check it.

Best Regards,

from x-road.
