[Freeipa-users] mastercrl.bin very old
Martin Kosek
mkosek at redhat.com
Fri Nov 7 09:46:00 UTC 2014
On 11/05/2014 09:20 PM, Natxo Asenjo wrote:
> On Wed, Nov 5, 2014 at 7:45 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>> And I think I found it:
>> https://fedorahosted.org/freeipa/ticket/3727
>>
>>
>> permissions of that folder:
>>
>> $ ls -ld publish/
>> drwxr-xr-x. 2 root root 73728 Jun 13 2013 publish/
>>
>> I just changed them to pkiuser:pkiuser, let's see what the next run does.
>
> and it's fixed (after undoing the change in CS.cfg and re-setting
>
> ca.crl.MasterCRL.enableCRLCache=false
> ca.crl.MasterCRL.enableCRLUpdates=false
>
> both to true and reloading pki-cad):
>
> -rw-rw-r--. 1 pkiuser pkiuser 1807 Jun 28 2013 MasterCRL-20130628-210000.der
> -rw-rw-r--. 1 pkiuser pkiuser 5278 Nov 5 21:00 MasterCRL-20141105-210000.der
> lrwxrwxrwx. 1 pkiuser pkiuser 57 Nov 5 21:00 MasterCRL.bin ->
> /var/lib/ipa/pki-ca/publish/MasterCRL-20141105-210000.der
>
> phew

Good! I am glad you fixed the problem. I added this case to
http://www.freeipa.org/page/Troubleshooting#CRL_gets_very_old

I am wondering what caused the issue. In the beginning you wrote that you use
CentOS 6.5. However, the bug you correctly referred to was fixed in 6.5:
https://bugzilla.redhat.com/show_bug.cgi?id=975431

So I am wondering if some scenario was missed and for example the IPA updater
did not fix the folder ownership.

Thanks,
Martin
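
A check for the two symptoms in this thread (a publish directory not owned by the CA user, and MasterCRL.bin pointing at an old file), as an added example that is not part of the original message or of FreeIPA's own tooling. The function name, return codes and age threshold are assumptions; the path and the `pkiuser` owner are the ones shown in the thread.

```shell
#!/bin/sh
# Added example (hypothetical helper, not shipped with FreeIPA or Dogtag).
# Usage: check_crl_publish DIR OWNER MAX_AGE_DAYS
#   e.g. check_crl_publish /var/lib/ipa/pki-ca/publish pkiuser 1
# Return codes (assumed convention for this example):
#   0 = healthy, 1 = wrong directory owner,
#   2 = MasterCRL.bin missing or dangling, 3 = CRL file is stale
check_crl_publish() {
    dir=$1
    owner=$2
    max_days=$3
    crl="$dir/MasterCRL.bin"

    # The CA process writes new MasterCRL-<timestamp>.der files here, so the
    # directory must belong to the CA user (root:root was the failure above).
    if [ -z "$(find "$dir" -maxdepth 0 -user "$owner" 2>/dev/null)" ]; then
        echo "FAIL: $dir is not owned by $owner"
        return 1
    fi

    # MasterCRL.bin is a symlink to the most recently published .der file.
    # [ -e ] follows the link, so a dangling symlink is caught here as well.
    if [ ! -e "$crl" ]; then
        echo "FAIL: $crl is missing or points at a file that does not exist"
        return 2
    fi

    # -L makes find test the symlink target. -mtime +N matches files whose
    # age in whole 24-hour periods is greater than N.
    if [ -n "$(find -L "$crl" -maxdepth 0 -mtime +"$max_days")" ]; then
        echo "FAIL: $crl has not been regenerated for more than $max_days day(s)"
        return 3
    fi

    echo "OK: $crl is current and $dir is owned by $owner"
    return 0
}
```

Run from cron or a monitoring agent, a non-zero return flags a stale CRL before clients start relying on outdated revocation data.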