This knowledge base article shows how to troubleshoot the local Timestamp Authority (TSA) server on SSB.
The issue can be caused by various components (eg. incorrect certificate or system resources).
The following error messages can be found in the system logs (local logspace):
tsadaemon[424]: ERROR (root@localhost) Error parsing the timestamp response; status='Rejected.'
syslog-ng[747]: Incomplete TSA response received, TSA HTTP server may be responding slowly; errno='Success (0)', timeout_seconds='30'
- Log in to the core shell.
- Search for tsa issues in the system logs.
Replace DAY with the actual abbreviated weekday name, eg. Mon
grep -e TSA -e tsadaemon messages-DAY
- Check the existence of TSA files
ls -l /etc/ssb/tsa/
- Check the content of the 'tsaserial' file. It has to contain a hexadecimal number. eg. 063D
cat /etc/ssb/tsa/tsaserial
Regenerate the serial file if its empty or has an incorrect content.
echo "01" > /etc/ssb/tsa/tsaserial
systemctl restart tsa
- Check the validity of the certificate
openssl x509 -noout -text -in /etc/ssb/tsa/tsa.crt | grep 'Not After'
The result will show the end date.
Not After : Jan 12 10:25:58 2039 GMT
- Generate a TSA response manually to send the result to support.
Create a request
openssl ts -query -data /etc/passwd -out /tmp/tsareq
Generate TSA respone
openssl ts -reply -config /etc/ssb/openssl-tsa.cnf -queryfile /tmp/tsareq -out /tmp/tsaresp
Generate text output from response
openssl ts -reply -config /etc/ssb/openssl-tsa.cnf -in /tmp/tsaresp -text > /tmp/tsaresp.txt
Upload the generated tsareq, tsaresp and tsaresp.txt from /tmp to the support ticket.
© 2024 One Identity LLC. ALL RIGHTS RESERVED. Terms of Use Privacy Cookie Preference Center