[Freeipa-users] mastercrl.bin very old

Rob Crittenden rcritten at redhat.com
Mon Nov 3 16:21:29 UTC 2014


Natxo Asenjo wrote:
> hi,
> 
> I have been really busy, apologies for the delay in answering.
> 
> On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Natxo Asenjo wrote:
>>> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>>>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>>>> still get the old crl dated june 28th last year.
>>>>
>>>> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
>>>> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>>> as well?
>>>
>>> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
>>> the crl generator host. In my test environment running centos 7 the
>>> files get updated, so I think a process is not running. But which one?
>>>
>>> Going to the /ca/ee/ca/getCRL?op=getCRL&
>>> crlIssuingPoint=MasterCRL gives me the up to date CRL.
>>>
>>> --
>>> Groeten,
>>> natxo
>>>
>>
>> To enable CRL generation you need these set:
>>
>> ca.crl.MasterCRL.enableCRLCache=false
>> ca.crl.MasterCRL.enableCRLUpdates=false
> 
> ok, this is on the host holding the CRL, right? (in my case kdc01, the
> first one). I followed the guide in
> http://www.freeipa.org/page/CVE-2012-4546 where in point 2a of manual
> instructions you can read true. I have changed that now to false and
> restarted the pki-cad daemon.

ok

> 
>> Given that the CA seems to be generating a new CRL that you can fetch
>> directly I'll assume those are set.
> 
>> The CA also needs configuration on how/where to publish a file-based
>> CRL. The configuration should look like:
>>
>> ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
>> ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
>> ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
>> ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
>> ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
>> ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
>> ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
>> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
>> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
>> ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
> 
> These values are correct.
> 
> How often does the CRL get generated? I still do not see recent data.

This is controlled by ca.crl.MasterCRL.autoUpdateInterval which by
default is 240, so every 4 hours.

rob
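The check below is an added example, not part of the thread and not FreeIPA or Dogtag code. It reads the CS.cfg keys discussed above (the FileBaseCRLPublisher settings, ca.crl.MasterCRL.enableCRLUpdates and ca.crl.MasterCRL.autoUpdateInterval with its 240-minute default) and flags a published MasterCRL.bin that is older than two update intervals, which is the symptom in this thread. The CS.cfg and the publish directory are constructed in a temporary directory so it runs offline; the real file locations (/etc/pki-ca/CS.cfg or /etc/pki/pki-tomcat/ca/CS.cfg, and /var/lib/ipa/pki-ca/publish) are assumptions to substitute on a live CA.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a Dogtag CS.cfg for the CRL
# publishing settings quoted in the thread and flag a stale MasterCRL.bin.
# The sample config and files below are constructed so this runs offline.

# Read one key from a Java-properties style CS.cfg (first match wins).
cfg_get() {  # cfg_get FILE KEY
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Minutes between CRL regenerations; Dogtag's default is 240 (4 hours).
crl_interval() {  # crl_interval FILE
    v=$(cfg_get "$1" ca.crl.MasterCRL.autoUpdateInterval)
    echo "${v:-240}"
}

# Compare the publisher keys against the values listed in the thread.
# Prints one MISMATCH line per differing key; returns the mismatch count.
check_publisher() {  # check_publisher FILE
    bad=0
    while IFS='=' read -r k want; do
        [ -n "$k" ] || continue
        got=$(cfg_get "$1" "$k")
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $k: want '$want', got '${got:-<unset>}'"
            bad=$((bad + 1))
        fi
    done <<'EOF'
ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
EOF
    return "$bad"
}

# Age of a file in minutes (GNU stat first, BSD stat as a fallback).
file_age_minutes() {  # file_age_minutes FILE
    mtime=$(stat -c %Y "$1" 2>/dev/null || stat -f %m "$1")
    echo $(( ( $(date +%s) - mtime ) / 60 ))
}

# A published CRL counts as fresh when it is younger than MULT update
# intervals (default 2). Returns 0 if fresh, 1 if stale or missing.
crl_is_fresh() {  # crl_is_fresh CRLFILE INTERVAL_MINUTES [MULT]
    mult=${3:-2}
    [ -f "$1" ] || return 1
    [ "$(file_age_minutes "$1")" -le $(( $2 * mult )) ]
}

# --- constructed sample: a CS.cfg with the thread's values, except that the
# FileCrlRule publisher key is deliberately left out, plus a MasterCRL.bin
# last written on 28 June 2013 like the one in the thread ---
SAMPLE=$(mktemp -d)
mkdir -p "$SAMPLE/publish"
cat > "$SAMPLE/CS.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.autoUpdateInterval=240
ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
EOF
: > "$SAMPLE/publish/MasterCRL.bin"
touch -t 201306280000 "$SAMPLE/publish/MasterCRL.bin"

# --- report ---
echo "enableCRLUpdates: $(cfg_get "$SAMPLE/CS.cfg" ca.crl.MasterCRL.enableCRLUpdates)"
echo "enableCRLCache:   $(cfg_get "$SAMPLE/CS.cfg" ca.crl.MasterCRL.enableCRLCache)"
interval=$(crl_interval "$SAMPLE/CS.cfg")
echo "autoUpdateInterval: $interval minutes"
check_publisher "$SAMPLE/CS.cfg" || echo "$? publisher setting(s) differ from the thread's list"
if crl_is_fresh "$SAMPLE/publish/MasterCRL.bin" "$interval"; then
    echo "MasterCRL.bin is fresh"
else
    echo "MasterCRL.bin is stale ($(file_age_minutes "$SAMPLE/publish/MasterCRL.bin") minutes old): CRL updates or file publishing are not running"
fi
```

On a live CA, replace the constructed `$SAMPLE` paths with the CS.cfg and publish directory of the CRL generator and compare the result with the CRL served at /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL; a fresh CRL there but a stale file here points at the publisher configuration rather than at CRL generation itself.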



