[Freeipa-users] mastercrl.bin very old
Rob Crittenden
rcritten at redhat.com
Mon Oct 13 17:53:32 UTC 2014
Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
>> files I see are very old (the MasterCRL.bin file is dated 28 June
>> 2013), and on the kdc02 it is newer (July 2 2013).
>
> On 28 June 2013 I patched the kdc01:
>
> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>
> and the kdc02 a few days later:
>
> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>
> So that explains the dates, but why did it stop the publication of CRLs?
>
I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
what happened.
I'm guessing that both were deemed to not be the CRL generator so
generation was stopped on both.
See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
one of the masters to do the CRL generation.
rob