[Freeipa-users] mastercrl.bin very old

Martin Kosek mkosek at redhat.com
Wed Nov 5 08:39:19 UTC 2014


On 11/04/2014 01:39 PM, Natxo Asenjo wrote:
> Hi,
> 
> On Mon, Nov 3, 2014 at 5:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Natxo Asenjo wrote:
> 
>>> How often does the crl list get generated? I still do not see recent data.
>>
>> This is controlled by ca.crl.MasterCRL.autoUpdateInterval which by
>> default is 240, so every 4 hours.
> 
> mmm, still no new items in the https://kdc01.sub.domain.tld/ipa/crl/
> site. Everything is stuck on June 28 2013.

I would check PKI system logs and also look for any AVCs. There were SELinux
policy related bugs in the past which prevented creation of the CRLs in
/var/lib/ipa/pki-ca/publish/.

Martin
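
An added example, not part of the message above and not FreeIPA or Dogtag code: it flags a published CRL older than the 240-minute autoUpdateInterval quoted in the thread, then pulls the SELinux AVC denials that name the publish directory. The `lastUpdate=` line (as printed by `openssl crl -inform DER -noout -lastupdate`), the audit lines with their labels, and the function names are all constructed for illustration.

```python
import os
import re
from datetime import datetime, timedelta, timezone

AUTO_UPDATE_INTERVAL_MIN = 240  # default ca.crl.MasterCRL.autoUpdateInterval per the thread
PUBLISH_DIR = "/var/lib/ipa/pki-ca/publish"  # directory named in the thread

# Constructed sample: what openssl would print for a CRL last issued on June 28 2013.
SAMPLE_LASTUPDATE = "lastUpdate=Jun 28 12:00:00 2013 GMT"
# Constructed audit.log lines; pids, inodes and SELinux labels are made up.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1415176759.101:811): avc:  denied  { write } for  pid=2201 comm="java" name="publish" dev="dm-0" ino=131 scontext=system_u:system_r:example_ca_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=dir
type=AVC msg=audit(1415176760.007:812): avc:  denied  { read } for  pid=990 comm="httpd" name="index.html" dev="dm-0" ino=77 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=file
type=SYSCALL msg=audit(1415176759.101:811): arch=c000003e syscall=2 success=no exit=-13 comm="java"
"""

AVC_RE = re.compile(r"^type=AVC msg=audit\((?P<epoch>\d+)\.\d+:\d+\): avc:\s+denied\s+"
                    r"\{ (?P<perms>[^}]*)\} for\s+(?P<fields>.*)$")

def crl_age(lastupdate_line, now):
    """Time elapsed since the CRL's thisUpdate, from openssl's `lastUpdate=` line."""
    stamp = lastupdate_line.split("=", 1)[1].strip()
    issued = datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT")
    issued = issued.replace(tzinfo=timezone.utc)
    return now - issued

def is_stale(lastupdate_line, now, interval_min=AUTO_UPDATE_INTERVAL_MIN):
    """True when the CRL is older than one auto-update interval."""
    return crl_age(lastupdate_line, now) > timedelta(minutes=interval_min)

def avc_denials(audit_text, directory=PUBLISH_DIR):
    """Return (epoch, perms, comm, scontext) for denials on the directory itself."""
    name = os.path.basename(directory)  # AVC name= holds only the last path component
    hits = []
    for line in audit_text.splitlines():
        m = AVC_RE.match(line)
        if not m:
            continue
        kv = dict(f.split("=", 1) for f in m["fields"].split() if "=" in f)
        if kv.get("name", "").strip('"') == name and kv.get("tclass") == "dir":
            hits.append((int(m["epoch"]), m["perms"].split(),
                         kv.get("comm", "").strip('"'), kv.get("scontext", "")))
    return hits

if __name__ == "__main__":
    now = datetime(2014, 11, 5, 8, 39, 19, tzinfo=timezone.utc)
    if is_stale(SAMPLE_LASTUPDATE, now):
        for hit in avc_denials(SAMPLE_AUDIT):
            print("CRL stale; AVC denial on publish dir:", hit)
```

Because name= matches on the last path component only, a hit should be confirmed against the full path before changing any policy.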



