[Freeipa-users] mastercrl.bin very old

Natxo Asenjo natxo.asenjo at gmail.com
Mon Nov 3 12:07:23 UTC 2014


hi,

I have been really busy, apologies for the delay in answering.

On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Natxo Asenjo wrote:
>> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>>> still get the old crl dated june 28th last year.
>>>
>>> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
>>> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>> as well?
>>
>> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
>> the crl generator host. In my test environment running centos 7 the
>> files get updated, so I think a process is not running. But which one?
>>
>> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>> gives me the up-to-date CRL.
>>
>> --
>> Groeten,
>> natxo
>>
>
> To enable CRL generation you need these set:
>
> ca.crl.MasterCRL.enableCRLCache=false
> ca.crl.MasterCRL.enableCRLUpdates=false

ok, this is on the host holding the CRL, right? (in my case kdc01, the
first one). I followed the guide at
http://www.freeipa.org/page/CVE-2012-4546 where in point 2a of the manual
instructions you can read true. I have changed that now to false and
restarted the pki-cad daemon.

> Given that the CA seems to be generating a new CRL that you can fetch
> directly I'll assume those are set.

> The CA also needs configuration on how/where to publish a file-based
> CRL. The configuration should look like:
>
> ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
> ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
> ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
> ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
> ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
> ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher

These values are correct.

How often does the CRL list get generated? I still do not see recent data.

Thanks!

--
Groeten,
natxo
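
A check for the settings discussed in this thread, added here as an example; it is not FreeIPA or Dogtag code and not something anyone in the thread posted. It compares a CS.cfg against a list of expected key=value pairs (the publisher keys quoted in the reply above, plus the two ca.crl.MasterCRL keys), prints every key that is missing or differs, and carries a helper that reads the lastUpdate field out of the published MasterCRL.bin and out of the CRL the getCRL servlet returns, so you can see whether the file publisher or the CA itself is the stale part. Assumptions, all mine: the two ca.crl.MasterCRL keys are set to true on the generating master, as the CVE-2012-4546 page linked above gives them (change the expected file if you decide otherwise for a host); the generation interval lives under ca.crl.MasterCRL.autoUpdateInterval in minutes; curl can verify the server with /etc/ipa/ca.crt; the sample CS.cfg files are constructed, not real ones.

```shell
#!/bin/sh
# Added example (not FreeIPA or Dogtag code): check the CRL settings in a
# CA's CS.cfg against what a CRL-generating master should have, and compare
# the published MasterCRL.bin with the CRL the CA serves directly.

# check_crl_config CS_CFG EXPECTED
# EXPECTED holds key=value lines (comments allowed). Prints one line per
# missing or mismatching key and returns 0 only when everything matches.
# The last occurrence of a key in CS_CFG wins, as in a properties file.
check_crl_config() {
    cfg=$1; rc=0
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        key=${line%%=*}
        want=${line#*=}
        # awk rather than grep: the dots in the keys would be regex wildcards
        hit=$(awk -F= -v k="$key" \
            '$1==k {f=1; v=substr($0, length(k)+2)} END {if (f) print "=" v}' "$cfg")
        if [ -z "$hit" ]; then
            printf 'MISSING  %s (want %s)\n' "$key" "$want"; rc=1
        elif [ "${hit#=}" != "$want" ]; then
            printf 'MISMATCH %s: have %s, want %s\n' "$key" "${hit#=}" "$want"; rc=1
        fi
    done < "$2"
    return $rc
}

# crl_update_interval CS_CFG
# Assumption: Dogtag keeps the generation interval (minutes) under
# ca.crl.MasterCRL.autoUpdateInterval; verify the key name in your CS.cfg.
crl_update_interval() {
    awk -F= '$1=="ca.crl.MasterCRL.autoUpdateInterval" {v=$2}
             END {print (v == "" ? "not set" : v)}' "$1"
}

# crl_last_update FILE -> "lastUpdate=<date>" of a DER (or PEM) CRL; needs openssl
crl_last_update() {
    openssl crl -inform DER -in "$1" -noout -lastupdate 2>/dev/null \
        || openssl crl -inform PEM -in "$1" -noout -lastupdate
}

# compare_published_vs_live HOST
# Fetches the file the proxy serves as /ipa/crl/MasterCRL.bin and the CRL
# from the CA's getCRL servlet (both URLs from the thread) and prints their
# lastUpdate fields side by side. Not run below: it needs the network.
# Assumption: /etc/ipa/ca.crt is the CA bundle curl should trust.
compare_published_vs_live() {
    host=$1
    curl -sS --cacert /etc/ipa/ca.crt \
        "https://$host/ipa/crl/MasterCRL.bin" -o "$tmpdir/published.bin"
    curl -sS --cacert /etc/ipa/ca.crt \
        "https://$host/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL" -o "$tmpdir/live.bin"
    echo "published: $(crl_last_update "$tmpdir/published.bin")"
    echo "live:      $(crl_last_update "$tmpdir/live.bin")"
}

# ---- constructed sample input (cut-down, made-up CS.cfg files) ----
tmpdir=$(mktemp -d); trap 'rm -rf "$tmpdir"' EXIT
expected=$tmpdir/expected; good_cfg=$tmpdir/CS.cfg.master; bad_cfg=$tmpdir/CS.cfg.stale
cat > "$expected" <<'EOF'
# Generating master per http://www.freeipa.org/page/CVE-2012-4546 (manual step 2a)
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
# Publisher settings quoted in the reply above
ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
EOF
{ echo 'ca.crl.MasterCRL.autoUpdateInterval=240'; grep -v '^#' "$expected"; } > "$good_cfg"
# A clone-style config: updates and cache switched off, so nothing new gets published
sed 's/^\(ca\.crl\.MasterCRL\.enableCRL[A-Za-z]*\)=true$/\1=false/' "$good_cfg" > "$bad_cfg"

for f in "$good_cfg" "$bad_cfg"; do
    echo "== $f (CRL interval: $(crl_update_interval "$f") min)"
    if check_crl_config "$f" "$expected"; then echo "all CRL settings present"; fi
done
```

Run it against the real file with `check_crl_config /var/lib/pki-ca/conf/CS.cfg expected` (or wherever your pki-cad instance keeps CS.cfg) on each master: the generating master should come back clean, and every clone should show the two enableCRL keys as mismatches, which is what you want. If the config is right but compare_published_vs_live shows the live CRL newer than the published file, the problem is on the publishing side rather than in CRL generation.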
