Asking Help about the OCSP Configuration #197
Have you checked that the OCSP responder and Security Server host system clocks are in sync? If the clocks are not in sync it could cause the system to behave so that the authentication certificate is not valid all the time, because the OCSP response is not valid. An OCSP response is considered invalid if:
You should check your OCSP responder's configuration - how often new OCSP responses are published and for how long they're valid, and update the X-Road configuration accordingly. In case your OCSP responder is CRL based, the values depend on the CRL update interval.
Best regards,
Dear @petkivim,
Best Regards,
Dear @petkivim,
Best Regards,
The problem is that the OCSP response returned by the OCSP responder is considered too old by the Security Server. As explained above, the OCSP response cannot be more than 60 minutes old. The problem can be fixed by increasing the value of
Best regards,
Dear @petkivim,
Right now it works. Do you know when the OCSP-response refresh cycle started?
Best Regards,
The very first line of the signer log shows that fetching OCSP responses failed for some reason. When fetching OCSP responses fails, the Security Server starts a recovery algorithm - it tries to fetch OCSP responses once a minute until the operation succeeds and returns to the normal schedule after that (which is every 20 minutes by default). However, the root cause of your problem and how to fix it is explained in my previous comment.
Best regards,
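The following sketch is an added illustration, not part of the thread and not X-Road code. It models the 60-minute age limit and 20-minute fetch schedule mentioned above to show when a cached OCSP response goes stale. It assumes that age is measured from the response's thisUpdate time and that the responder pre-produces responses at a fixed interval; all function and parameter names are hypothetical.

```python
MAX_AGE_MIN = 60         # age limit quoted in the thread
FETCH_INTERVAL_MIN = 20  # default fetch schedule quoted in the thread


def stale_minutes(publish_interval_min, clock_skew_min=0, hours=6):
    """Minutes (Security Server clock) at which the cached response is too old.

    publish_interval_min: how often the responder produces a new response
                          (assumption: fixed interval, e.g. CRL-driven).
    clock_skew_min:       Security Server clock minus responder clock.
    """
    stale = []
    for minute in range(hours * 60):
        # The response in use is the one from the last scheduled fetch.
        fetched_at = minute - minute % FETCH_INTERVAL_MIN
        # The responder stamps thisUpdate using its own clock.
        responder_now = fetched_at - clock_skew_min
        this_update = responder_now - responder_now % publish_interval_min
        # Assumption: age = verifier's clock minus thisUpdate.
        if minute - this_update > MAX_AGE_MIN:
            stale.append(minute)
    return stale


def stale_windows(minutes):
    """Collapse a sorted list of minutes into inclusive (start, end) ranges."""
    windows = []
    for m in minutes:
        if windows and m == windows[-1][1] + 1:
            windows[-1][1] = m
        else:
            windows.append([m, m])
    return [tuple(w) for w in windows]


if __name__ == "__main__":
    # Constructed scenarios: publish interval in minutes, clock skew in minutes.
    for publish, skew in [(30, 0), (120, 0), (30, 45)]:
        windows = stale_windows(stale_minutes(publish, skew))
        print(f"publish={publish}m skew={skew}m stale windows: {windows}")
```

With a 120-minute publish interval the certificate alternates between usable and unusable every cycle, which is the kind of intermittent behaviour that points to a mismatch between the responder's schedule and the verifier's age limit, or to clock drift.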
Dear @petkivim,
Thank you so much. I will try to check it.
Best Regards,
Dear @petkivim,
On Saturday it worked well, and right now I have an error: "Security server has no valid authentication certificate". Do you have any tips to make it more stable?
Best Regards,
Dara Penhchet