[Freeipa-users] mastercrl.bin very old

Dmitri Pal dpal at redhat.com
Mon Oct 13 22:21:28 UTC 2014


On 10/13/2014 03:39 PM, Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>> On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>>> Natxo Asenjo wrote:
>>>> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo <natxo.asenjo at gmail.com> wrote:
>>>>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
>>>>> files I see are very old (the MasterCRL.bin file is dated 28 june
>>>>> 2013), and on the kdc02 it is newer (July 2 2013).
>>>> on 28 June 2013 I patched the kdc01:
>>>>
>>>> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>>>
>>>> and the kdc02  a few days later:
>>>>
>>>> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>>>
>>>> So that explains the dates, but why did it stop the publication of CRLs?
>>>>
>>> I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
>>> what happened.
>>>
>>> I'm guessing that both were deemed to not be the CRL generator so
>>> generation was stopped on both.
>>>
>>> See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
>>> one of the masters to do the CRL generation.
>> I was just looking at that article and wondering if that would not be
>> the culprit.
>>
>> I will post and update later.
>>
> ok, so I added on the CRL generator (kdc01) this to CS.cfg :
>
> ca.listenToCloneModifications=true
>
> and rebooted
>
> and on the kdc02 (the second replica, not holding the CRL generator) I
> removed the comment on the rewrite rule, restarted apache2 and now
> when getting /ipa/crl/MasterCRL.bin clients get redirected to
> https://kdc01.domain.tld/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>
> And this crl is up to date
>
> $ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout  -lastupdate
> lastUpdate=Oct 13 19:00:00 2014 GMT
>
> $ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout  -nextupdate
> nextUpdate=Oct 13 23:00:00 2014 GMT
>
> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
> still get the old crl dated june 28th last year.
>
> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
> as well?
>
>
> --
> Groeten,
> natxo
>

Is there a bug lurking somewhere? Please do not forget to file a ticket if 
we determine that this is in fact the case.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IdM portfolio
Red Hat, Inc.
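Added example (editor's addition, not part of the thread and not FreeIPA or Dogtag code): the thread diagnoses the problem by running `openssl crl -nextupdate` by hand on a downloaded MasterCRL.bin. The script below turns that into a check that can run unattended. It assumes the CRL is DER-encoded, as served by /ipa/crl/MasterCRL.bin and by the getCRL endpoint, reads only the thisUpdate/nextUpdate fields with a minimal standard-library DER walker, and does not verify the CRL signature. The two sample CRLs it builds are constructed for offline use (issuer "Example CA", all-zero signature) and only borrow the timestamps quoted in the thread: a four-hour CRL from the generator versus the June 2013 file.

```python
"""Freshness check for a DER-encoded X.509 CRL such as FreeIPA's MasterCRL.bin.

Editor's example, not code from the thread or from FreeIPA/Dogtag. Standard
library only; the CRL signature is NOT verified. It answers one question:
has the CRL generator stopped publishing?
"""
import sys
from datetime import datetime, timedelta, timezone

UTC_TIME, GENERALIZED_TIME, SEQUENCE, INTEGER = 0x17, 0x18, 0x30, 0x02


def _tlv(buf, pos):
    """Decode one DER tag/length at pos; return (tag, value_start, value_end)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: next N bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """UTCTime (YYMMDDHHMMSSZ) or GeneralizedTime (YYYYMMDDHHMMSSZ) -> aware UTC datetime."""
    if tag == UTC_TIME:
        fmt = "%y%m%d%H%M%SZ"
    elif tag == GENERALIZED_TIME:
        fmt = "%Y%m%d%H%M%SZ"
    else:
        raise ValueError("expected a Time, got tag 0x%02x" % tag)
    return datetime.strptime(raw.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def crl_validity(der):
    """Return (thisUpdate, nextUpdate) from a DER CertificateList; nextUpdate may be None."""
    tag, pos, _ = _tlv(der, 0)              # CertificateList ::= SEQUENCE { tbsCertList, sigAlg, sig }
    if tag != SEQUENCE:
        raise ValueError("not a DER SEQUENCE")
    tag, pos, tbs_end = _tlv(der, pos)      # TBSCertList ::= SEQUENCE { version?, sigAlg, issuer, ... }
    if tag != SEQUENCE:
        raise ValueError("tbsCertList is not a SEQUENCE")
    tag, _, end = _tlv(der, pos)
    if tag == INTEGER:                      # version is OPTIONAL (absent in v1 CRLs)
        pos = end
    for _ in range(2):                      # skip signature AlgorithmIdentifier and issuer Name
        tag, _start, pos = _tlv(der, pos)
        if tag != SEQUENCE:
            raise ValueError("unexpected tag 0x%02x in tbsCertList" % tag)
    tag, start, pos = _tlv(der, pos)        # thisUpdate
    this_update = _parse_time(tag, der[start:pos])
    next_update = None
    if pos < tbs_end:                       # nextUpdate is OPTIONAL in RFC 5280
        tag, start, end = _tlv(der, pos)
        if tag in (UTC_TIME, GENERALIZED_TIME):
            next_update = _parse_time(tag, der[start:end])
    return this_update, next_update


def check_crl(der, now=None, max_age=timedelta(days=7)):
    """'fresh', 'expired' (past nextUpdate, or no nextUpdate and older than max_age) or 'future'."""
    now = now or datetime.now(timezone.utc)
    this_update, next_update = crl_validity(der)
    if this_update > now + timedelta(minutes=5):    # tolerate a little clock skew
        return "future"
    if next_update is None:
        return "fresh" if now - this_update <= max_age else "expired"
    return "fresh" if now <= next_update else "expired"


# --- constructed sample data (not real CRLs): a tiny DER encoder builds UNSIGNED CRLs ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def build_sample_crl(this_update, next_update):
    """Structurally valid v2 CRL with an all-zero signature: for offline testing only."""
    utc = lambda dt: _der(UTC_TIME, dt.strftime("%y%m%d%H%M%SZ").encode())
    sha256_rsa = _der(SEQUENCE, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    issuer = _der(SEQUENCE, _der(0x31, _der(SEQUENCE,            # CN=Example CA (made up)
                  _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"Example CA"))))
    tbs = _der(SEQUENCE, _der(INTEGER, b"\x01") + sha256_rsa + issuer + utc(this_update) + utc(next_update))
    return _der(SEQUENCE, tbs + sha256_rsa + _der(0x03, b"\x00" * 33))


# Timestamps mirror the thread: the 4-hour CRL from the generator vs. the June 2013 file
NOW = datetime(2014, 10, 13, 20, 0, tzinfo=timezone.utc)
FRESH_CRL = build_sample_crl(datetime(2014, 10, 13, 19, 0, tzinfo=timezone.utc),
                             datetime(2014, 10, 13, 23, 0, tzinfo=timezone.utc))
STALE_CRL = build_sample_crl(datetime(2013, 6, 28, 23, 17, 30, tzinfo=timezone.utc),
                             datetime(2013, 6, 29, 3, 17, 30, tzinfo=timezone.utc))

if __name__ == "__main__":
    if len(sys.argv) > 1:                   # e.g. a downloaded MasterCRL.bin
        with open(sys.argv[1], "rb") as f:
            der = f.read()
        print(sys.argv[1], crl_validity(der), check_crl(der))
    else:
        print("fresh sample:", check_crl(FRESH_CRL, NOW))
        print("stale sample:", check_crl(STALE_CRL, NOW))
```

Run it as `python3 crl_check.py MasterCRL.bin` against a file fetched from each replica's /ipa/crl/ URL; anything but "fresh" means clients are being handed a CRL the CA no longer stands behind, which is exactly the silent failure the thread describes after the CVE-2012-4546 update. The result should agree with `openssl crl -inform DER -in MasterCRL.bin -noout -nextupdate`, and the check is deliberately read-only so it can sit in a monitoring job on every replica, not just the one holding the CRL generator.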
