Start up self test fails with "Invalid certificate: (-8071)" error for KRA, TKS & TPS when enableOCSP="true" in shared tomcat instance #5245

@tayloredherring

Description

Summary:

The SystemCertsVerification self test fails for KRA, TKS and TPS when enableOCSP="true" in shared tomcat server.xml following an instance restart with the below error:

0.main - [10/Dec/2025:16:15:52 EST] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate: (-8071) The OCSP server experienced an internal error.
0.main - [10/Dec/2025:16:15:52 EST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

This results in those subsystems being disabled with the self test failure in the order: TKS -> KRA -> TPS

Build:

OS: Fedora release 43 (Forty Three)
dogtag-pki-11.9.0~alpha1^20251210110404.d1fa6394-1.fc43.x86_64
dogtag-pki-tests-11.9.0~alpha1^20251210110404.d1fa6394-1.fc43.noarch
dogtag-pki-server-11.9.0~alpha1^20251210110404.d1fa6394-1.fc43.noarch
dogtag-jss-tools-5.9.0~alpha1^20251201170356.676f1167-1.fc43.x86_64
COPR: @pki/master

Steps to reproduce:

  1. Install DS. Spawn CA, OCSP, KRA, TKS & TPS instances on a shared tomcat instance (i.e. topology-01)

  2. In tomcat server.xml file secure connector section, if not already set, change ocspResponderCertNickname to the same value as CA's OCSP Signing nickname as named in the alias NSSDB

# certutil -d /var/lib/pki/pki-tomcat/alias/ -L | grep ocspSigningCert
ocspSigningCert cert-pki-tomcat CA                           u,u,u
ocspSigningCert cert-pki-tomcat OCSP                         u,u,u

In this example: ocspResponderCertNickname="ocspSigningCert cert-pki-tomcat CA"

  3. Also in the same section, set enableOCSP="true"

  4. Restart the instance

# pki-server restart pki-tomcat

Expected Result:

SystemCertsVerification self tests will pass for all subsystems and they will successfully start up

Actual Result:

Self test logs show failures for KRA, TKS and TPS:

tail -f /var/log/pki/pki-tomcat/*/selftests*
==> /var/log/pki/pki-tomcat/ca/selftests.log <==
0.main - [10/Dec/2025:16:05:15 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
0.main - [10/Dec/2025:16:05:15 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
0.main - [10/Dec/2025:16:05:15 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
0.main - [10/Dec/2025:16:05:15 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
0.main - [10/Dec/2025:16:05:15 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
0.main - [10/Dec/2025:16:05:15 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [10/Dec/2025:16:05:16 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [10/Dec/2025:16:05:16 EST] [20] [1] CAPresence:  CA is present
0.main - [10/Dec/2025:16:05:16 EST] [20] [1] SystemCertsVerification: system certs verification success
0.main - [10/Dec/2025:16:05:16 EST] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

==> /var/log/pki/pki-tomcat/kra/selftests.log <==
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [10/Dec/2025:16:06:36 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [10/Dec/2025:16:07:36 EST] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate: (-8071) The OCSP server experienced an internal error.
0.main - [10/Dec/2025:16:07:36 EST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

==> /var/log/pki/pki-tomcat/ocsp/selftests.log <==
0.main - [10/Dec/2025:16:04:59 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
0.main - [10/Dec/2025:16:04:59 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
0.main - [10/Dec/2025:16:04:59 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
0.main - [10/Dec/2025:16:04:59 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
0.main - [10/Dec/2025:16:04:59 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
0.main - [10/Dec/2025:16:04:59 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [10/Dec/2025:16:05:02 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [10/Dec/2025:16:05:02 EST] [20] [1] OCSPPresence:  OCSP is present
0.main - [10/Dec/2025:16:05:03 EST] [20] [1] SystemCertsVerification: system certs verification success
0.main - [10/Dec/2025:16:05:03 EST] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!

==> /var/log/pki/pki-tomcat/tks/selftests.log <==
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [10/Dec/2025:16:05:23 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [10/Dec/2025:16:06:23 EST] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate: (-8071) The OCSP server experienced an internal error.
0.main - [10/Dec/2025:16:06:23 EST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

==> /var/log/pki/pki-tomcat/tps/selftests.log <==
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.main - [10/Dec/2025:16:07:46 EST] [20] [1] TPSPresence:  TPS is present
0.main - [10/Dec/2025:16:08:46 EST] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate: (-8071) The OCSP server experienced an internal error.
0.main - [10/Dec/2025:16:08:46 EST] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

After some time, the KRA, TKS and TPS subsystems show a disabled status:

# pki-server subsystem-find
-----------------
5 entries matched
-----------------
  Subsystem ID: ca
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: kra
  Instance ID: pki-tomcat
  Enabled: False

  Subsystem ID: ocsp
  Instance ID: pki-tomcat
  Enabled: True

  Subsystem ID: tks
  Instance ID: pki-tomcat
  Enabled: False

  Subsystem ID: tps
  Instance ID: pki-tomcat
  Enabled: False

Additional Info:

The workaround is to manually enable each disabled subsystem one by one:

# pki-server subsystem-enable kra
# sleep 15
# pki-server subsystem-enable tks
# sleep 15
# pki-server subsystem-enable tps
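A triage helper, added here as an example and not code from the report or from the pki project: it parses the `tail -f` output of the per-subsystem selftests.log files shown above, records each subsystem's SystemCertsVerification verdict, and orders the failures by timestamp so the disabling order noted in the report (TKS -> KRA -> TPS) falls out of the log itself. The sample is a constructed abbreviation of the excerpt above; the line format and the -8071 text are as printed in the report.

```python
import re
from datetime import datetime
HEADER_RE = re.compile(r"^==> /var/log/pki/[^/]+/(?P<sub>[^/]+)/selftests\.log <==$")
VERDICT_RE = re.compile(
    r"^\S+ - \[(?P<ts>[^\]]+)\] \[\d+\] \[\d+\] SystemCertsVerification: "
    r"system certs verification (?P<verdict>success|failure)(?::\s*(?P<detail>.*))?$"
)
OCSP_INTERNAL_ERROR = "(-8071)"  # NSS SEC_ERROR_OCSP_SERVER_ERROR, as printed in the log

def parse_timestamp(ts):
    # "10/Dec/2025:16:07:36 EST": the zone label is dropped, strptime's %Z only accepts local zone names
    return datetime.strptime(ts.rsplit(" ", 1)[0], "%d/%b/%Y:%H:%M:%S")

def parse_selftests(text):
    """Map subsystem -> (verdict, timestamp, detail) from the multi-file `tail -f` output."""
    results, current = {}, None
    for line in text.splitlines():
        h = HEADER_RE.match(line)
        if h:  # "==> .../<subsystem>/selftests.log <==" switches the current subsystem
            current = h.group("sub")
            continue
        m = VERDICT_RE.match(line)
        if m and current:
            results[current] = (m.group("verdict"), parse_timestamp(m.group("ts")), m.group("detail") or "")
    return results

def failed_in_order(results):
    """Subsystems whose verification failed, in the order the failures were logged."""
    return [sub for _, sub in sorted((ts, sub) for sub, (v, ts, _) in results.items() if v == "failure")]

def ocsp_internal_errors(results):
    """Failed subsystems whose detail carries the -8071 OCSP server internal error."""
    return sorted(sub for sub, (v, _, d) in results.items() if v == "failure" and OCSP_INTERNAL_ERROR in d)

# Constructed sample, abbreviated from the report's tail -f excerpt (one verdict line per subsystem).
SAMPLE = """\
==> /var/log/pki/pki-tomcat/ca/selftests.log <==
0.main - [10/Dec/2025:16:05:16 EST] [20] [1] SystemCertsVerification: system certs verification success
==> /var/log/pki/pki-tomcat/kra/selftests.log <==
0.main - [10/Dec/2025:16:07:36 EST] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate: (-8071) The OCSP server experienced an internal error.
==> /var/log/pki/pki-tomcat/ocsp/selftests.log <==
0.main - [10/Dec/2025:16:05:03 EST] [20] [1] SystemCertsVerification: system certs verification success
==> /var/log/pki/pki-tomcat/tks/selftests.log <==
0.main - [10/Dec/2025:16:06:23 EST] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate: (-8071) The OCSP server experienced an internal error.
==> /var/log/pki/pki-tomcat/tps/selftests.log <==
0.main - [10/Dec/2025:16:08:46 EST] [20] [1] SystemCertsVerification: system certs verification failure: Invalid certificate: (-8071) The OCSP server experienced an internal error.
"""
if __name__ == "__main__":
    r = parse_selftests(SAMPLE)
    print("failed in order:", failed_in_order(r), "with -8071:", ocsp_internal_errors(r))
```

Run against `cat /var/log/pki/pki-tomcat/*/selftests.log` piped through `tail -n +1` (which prints the same `==>` headers) to get the live verdicts for an instance.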
