1:08 p.m.
The CRL being served by the CRL Master has not added a newly revoked certificate for 4
months. The CRL is updated and published as expected every four hours, just with no change
to the list of revocations. Currently the CRL lists 34 certificates where as a query with
ipa cert-find returns 40.
The missing certificates are not expired.
I do not see any errors in /var/log/pki/pki-tomcat/ca/debug*
I've been through the steps at https://www.freeipa.org/page/Troubleshooting/PKI and
checked the CRL settings per
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated/updated.
2:12 p.m.
TC Johnson via FreeIPA-users wrote:
The CRL being served by the CRL Master has not added a newly revoked
certificate for 4 months. The CRL is updated and published as expected every four hours,
just with no change to the list of revocations. Currently the CRL lists 34 certificates
where as a query with ipa cert-find returns 40.
The missing certificates are not expired.
I do not see any errors in /var/log/pki/pki-tomcat/ca/debug*
I've been through the steps at https://www.freeipa.org/page/Troubleshooting/PKI and
checked the CRL settings per
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master
The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated/updated.
Adding a couple of the CA developers who may be able to help with this.
rob
2:44 p.m.
Back around Nov/Dec when RHEL 8.3 release, I was hit with the update issue regarding
fapolicy. Fortunatly only my IPA1 was impacted, though at the time it was my CA and CRL
master. As part of recovery I migrated CA and CRL to IPA2, which is where it still
resides. I built a new IPA1 and configured it as a replica.
This also seems to coincide with when the CRL ceases to be updated with newly revoked
certs.
So I wonder if I messed something up in that process
11:22 a.m.
On 13/01/2021 21.44, TC Johnson via FreeIPA-users wrote:
Back around Nov/Dec when RHEL 8.3 release, I was hit with the update
issue regarding fapolicy. Fortunatly only my IPA1 was impacted, though at the time it was
my CA and CRL master. As part of recovery I migrated CA and CRL to IPA2, which is where it
still resides. I built a new IPA1 and configured it as a replica.
This also seems to coincide with when the CRL ceases to be updated with newly revoked
certs.
So I wonder if I messed something up in that process
Did you migrate CA renewal and
CRL master services to the new server?
https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#P...
Christian
--
Christian Heimes
Principal Software Engineer, Identity Management and Platform Security
Red Hat GmbH, https://de.redhat.com/ , Registered seat: Grasbrunn,
Commercial register: Amtsgericht Muenchen, HRB 153243,
Managing Directors: Charles Cachera, Brian Klemm, Laurie Krebs, Michael
O'Neill
1:49 p.m.
Yes and as part of my troubleshooting I've validated that ipa has:
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated - but no certificates
that have been revoked since around Dec of last year (when ipa2 became CRL master) have
been added to the CRL.
10:46 a.m.
I migrated the CA/CRL master role back to IPA1. Now certs that I revoke are added to the
CRL as expected, but the few certs I revoked while the role was on IPA2 are still missing.
This is a workable condition since those certs were just for testing.
12:11 p.m.
TC Johnson via FreeIPA-users wrote:
I migrated the CA/CRL master role back to IPA1. Now certs that I
revoke are added to the CRL as expected, but the few certs I revoked while the role was on
IPA2 are still missing. This is a workable condition since those certs were just for
testing.
That fact that one CA is missing some certificates suggests that
replication between the two CA servers may be having issues.
I don't see how this would affect CRL generation though if those certs
were on the CA generating it.
rob
1186
days inactive
1199
days old
freeipa-users@lists.fedorahosted.org
6 comments
3 participants
participants (3)
-
Christian Heimes -
Rob Crittenden -
TC Johnson