[Freeipa-users] mastercrl.bin very old

Natxo Asenjo natxo.asenjo at gmail.com
Mon Oct 13 18:17:07 UTC 2014


On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden <rcritten at redhat.com> wrote:
> Natxo Asenjo wrote:
>> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl) all the
>>> files I see are very old (the MasterCRL.bin file is dated 28 June
>>> 2013), and on the kdc02 it is newer (July 2 2013).
>>
>> On 28 June 2013 I patched the kdc01:
>>
>> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>
>> and the kdc02 a few days later:
>>
>> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>
>> So that explains the dates, but why did it stop the publication of CRLs?
>>
>
> I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
> what happened.
>
> I'm guessing that both were deemed to not be the CRL generator so
> generation was stopped on both.
>
> See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
> one of the masters to do the CRL generation.

I was just looking at that article and wondering if that would not be
the culprit.

I will post an update later.

Thanks!

--
Groeten,
natxo
