Error after enabling OCSP when setting up new EJBCA instance

[Credentive-Sec]

After running the following commands (from here: https://doc.primekey.com/ejbca/ejbca-installation/application-servers/wildfly-26#WildFly26-EnableOCSPRevocationChecking)
/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/trust-manager=httpsTM:write-attribute(name=ocsp, value={})' /opt/wildfly/bin/jboss-cli.sh --connect ':reload'

I assume that this error is related to the built in crypto provider. Should I have installed BC at some point before enabling this?

The whole install process falls apart after this.

2023-01-10 14:11:19,419 ERROR [org.jboss.msc.service.fail] (MSC service thread 1-4) MSC000001: Failed to start service org.wildfly.security.trust-manager.httpsTM: org.jboss.msc.service.StartException in service org.wildfly.security.trust-manager.httpsTM: Failed to start service at [email protected]//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1731) at [email protected]//org.jboss.msc.service.ServiceControllerImpl$ControllerTask.run(ServiceControllerImpl.java:1559) at [email protected]//org.jboss.threads.ContextClassLoaderSavingRunnable.run(ContextClassLoaderSavingRunnable.java:35) at [email protected]//org.jboss.threads.EnhancedQueueExecutor.safeRun(EnhancedQueueExecutor.java:1990) at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.doRunTask(EnhancedQueueExecutor.java:1486) at [email protected]//org.jboss.threads.EnhancedQueueExecutor$ThreadBody.run(EnhancedQueueExecutor.java:1377) at java.base/java.lang.Thread.run(Thread.java:829) Caused by: java.lang.IllegalStateException: ELY04031: TrustManagerFactory algorithm [PKIX] does not support certificate revocation at [email protected]//org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:122) at [email protected]//org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:64) at [email protected]//org.wildfly.security.ssl.X509RevocationTrustManager$Builder.build(X509RevocationTrustManager.java:343) at [email protected]//org.wildfly.extension.elytron.SSLDefinitions$2.lambda$createX509RevocationTrustManager$1(SSLDefinitions.java:859) at [email protected]//org.wildfly.extension.elytron.TrivialService.start(TrivialService.java:61) at [email protected]//org.jboss.msc.service.ServiceControllerImpl$StartTask.startService(ServiceControllerImpl.java:1739) at [email protected]//org.jboss.msc.service.ServiceControllerImpl$StartTask.execute(ServiceControllerImpl.java:1701) ... 6 more Caused by: java.security.InvalidAlgorithmParameterException: the trustAnchors parameter must be non-empty at java.base/java.security.cert.PKIXParameters.setTrustAnchors(PKIXParameters.java:200) at java.base/java.security.cert.PKIXParameters.<init>(PKIXParameters.java:157) at java.base/java.security.cert.PKIXBuilderParameters.<init>(PKIXBuilderParameters.java:130) at [email protected]//org.wildfly.security.ssl.X509RevocationTrustManager.<init>(X509RevocationTrustManager.java:74) ... 12 more

[Credentive-Sec]

I was able to get back on track with the following command:

/opt/wildfly/bin/jboss-cli.sh --connect '/subsystem=elytron/trust-manager=httpsTM:undefine-attribute(name=ocsp)'

[primetomas]

That optional configuration I think should not be done until after the installation is up and running. But, I don't think it's about BC provider, the classes are java.security.cert.
I haven't tried this command myself actually. Are you using Java 11?
The message "the trustAnchors parameter must be non-empty" makes me believe some parameter is missing, but that's more a guess.

[Credentive-Sec]

root@online-ca:~# java -version
openjdk version "11.0.17" 2022-10-18
OpenJDK Runtime Environment (build 11.0.17+8-post-Ubuntu-1ubuntu2)
OpenJDK 64-Bit Server VM (build 11.0.17+8-post-Ubuntu-1ubuntu2, mixed mode, sharing)

[Credentive-Sec]

Still working through the process, but trying to identify precisely why it's going off track. Thanks for the tip on the OCSP config.