[Freeipa-users] mastercrl.bin very old

Natxo Asenjo natxo.asenjo at gmail.com
Wed Nov 5 18:37:35 UTC 2014


hi,

On Wed, Nov 5, 2014 at 9:39 AM, Martin Kosek <mkosek at redhat.com> wrote:
> On 11/04/2014 01:39 PM, Natxo Asenjo wrote:
>> hi,
>>
>> On Mon, Nov 3, 2014 at 5:21 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Natxo Asenjo wrote:
>>
>>>> How often does the crl list get generated? I still do not see recent data.
>>>
>>> This is controlled by ca.crl.MasterCRL.autoUpdateInterval which by
>>> default is 240, so every 4 hours.
>>
>> mmm, still no new items in the https://kdc01.sub.domain.tld/ipa/crl/
>> site. Everything is stuck on June 28 2013.
>
> I would check PKI system logs and also look for any AVCs. There were SELinux
> policy related bugs in the past which prevented creation of the CRLs in
> /var/lib/ipa/pki-ca/publish/.

Bingo! After disabling selinux this morning and waiting a few hours
the crl was still not updated. So time to look at the logs.

In /var/lib/pki-ca/logs/system I found lots of these messages:

sterCRL-20141101-210000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-010000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:05:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-050000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:09:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-090000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:13:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-130000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:17:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-170000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:21:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-210000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:01:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141103-010000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:05:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141103-050000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:09:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141103-090000.temp (Permission
denied)

Now I still need to find the solution :-)

It does not appear to be a selinux problem:

# restorecon -rv /var/lib/ipa/pki-ca/publish/

returns immediately to the prompt, so no fixed contexts.

Thanks,
--
Groeten,
natxo
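
One way to confirm from the log that every scheduled CRL publication has been failing, as an added example that is not part of the original message or of the FreeIPA/Dogtag code: it parses FileBasedPublisher entries in the format quoted above (wrapped across lines, as in the mail) and checks that the failures are spaced by the 240-minute autoUpdateInterval default mentioned earlier in the thread. The sample log is constructed in that format, and the function names are hypothetical.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the format quoted in the message; the first line is a
# truncated fragment (as in the mail) and must be skipped by the parser.
SAMPLE_LOG = """\
sterCRL-20141101-210000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-010000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:05:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-050000.temp (Permission
denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:09:00:00 CET] [20] [3]
FileBasedPublisher: java.io.FileNotFoundException:
/var/lib/ipa/pki-ca/publish/MasterCRL-20141102-090000.temp (Permission
denied)
"""

ENTRY = re.compile(
    r"CRLIssuingPoint-(\w+) - \[([^\] ]+) \w+\] \[\d+\] \[\d+\] "
    r"FileBasedPublisher: java\.io\.FileNotFoundException: "
    r"(\S+) \(Permission denied\)"
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S"  # timezone label (e.g. CET) is dropped

def publish_failures(log_text):
    """Return (issuing_point, timestamp, path) for each publish failure."""
    flat = " ".join(log_text.split())  # undo line wrapping inside entries
    return [(m.group(1), datetime.strptime(m.group(2), TS_FORMAT), m.group(3))
            for m in ENTRY.finditer(flat)]

def summarize(failures, interval_minutes=240):
    """Summarize failures; interval_minutes mirrors autoUpdateInterval."""
    times = sorted(t for _, t, _ in failures)
    if not times:
        return None
    step = timedelta(minutes=interval_minutes)
    gaps = [b - a for a, b in zip(times, times[1:])]
    # Assumption: failures exactly one interval apart mean that no scheduled
    # publication between the first and last entry succeeded.
    return {"count": len(times), "first": times[0], "last": times[-1],
            "every_run_failed": all(g == step for g in gaps)}

if __name__ == "__main__":
    print(summarize(publish_failures(SAMPLE_LOG)))
```
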



