Martin Kosek wrote:
On 10/09/2012 04:43 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On 10/04/2012 06:17 PM, Rob Crittenden wrote:
This changes the way IPA generates CRLs for new installs only.

The first master installed is configured as the CRL generator. An entry is
added to cn=masters that designates it.

When a replica is installed it queries this entry so it knows where to forward
CRL requests. CRL files are not available on cloned CAs (so /ipa/crl will
return not found). It is possible to get a CRL directly from the clone CA via


I tested new IPA server + replica with your patch and the CRL was now generated
only on the CRL master. I also tried OCSP (though this may not be relevant) and
it worked for me too.

1) I do not understand the following block in set_crl_master(self, suffix):

+        try:
+            self.admin_conn.addEntry(entry)
+        except ldap.ALREADY_EXISTS, e:
+            root_logger.debug("failed to set CA as CRL generator")
+            raise e

- when we hit ldap.ALREADY_EXISTS, we are actually OK because cn=CRL is set,
- AFAIK, addEntry should  return our errors, i.e. errors.DuplicateEntry
- s/raise e/raise/

I think you may have wanted to rather catch for more general LDAP error and
then report a real error and not just a debug note.

2) In get_crl_master:

+        except Exception, e:
+            root_logger.debug("Could not connect to the Directory Server on
%s: %s" % (master_host, str(e)))
+            raise e

s/raise e/raise/

+        except errors.NotFound, e:
+            root_logger.debug("failed to find CA CRL generator")
+            self.crl_master = None

- e is actually not used, "except errors.NotFound" would be enough

3) Majorish issue I hit with the actual CRL publishing on our server (F17). I
always get 403 Forbidden error when trying to download CRL from the CRL master:

# wget --ca-certificate /etc/ipa/ca.crt https://`hostname`/ipa/crl/MasterCRL.bin
--2012-10-05 03:32:58--
Connecting to||:443... connected.
HTTP request sent, awaiting response... 403 Forbidden
2012-10-05 03:32:58 ERROR 403: Forbidden.

I tracked the problem down to too strict permission on /var/lib/pki-ca
directory which is being published by httpd which does not have access to it:

# ll /var/lib/pki-ca

drwxrwx---. 11 pkiuser pkiuser 4096 Oct  5 03:00 pki-ca

When I fixed the permission:
# chmod o+x /var/lib/pki-ca/

I was able to get pass the Forbidden error and actually retrieved the CRL.
Adding Ade on CC list to follow on this permission issue.

I was thinking about usability of this new approach, we may want to make user
life easier in a perspective of CRL master managing. I have following
enhancements in mind:

- mark CRL master in ipa-replica-manage list, or ipa-csreplica-manage list:

# ipa-csreplica-manage list
Directory Manager password: master [CRL] master

- when removing master with CRL by "ipa-replica-manage del" we should warn user
and inform him what he should do next to amend the situation. I am thinking
about 2 new commands for ipa-csreplica-manage:

* ipa-csreplica-manage crl-promote
    - promote current master as the new CRL master, enable CRL generation in
CS.cfg, mark master as the new CRL master in cn=masters
* ipa-csreplica-manage crl-update
    - update CS.cfg of current CA replica and point* to current
CRL master

I can work on those enhancements if we agree on them.


Andrew provided some feedback out-of-band and my solution was overly complex.
Here is a much simpler patch which does away with all the hand-waving around
knowing who the CRL generator is.


This looks OK code-wise, I will wait for dogtag guys to confirm that this is
the right approach.

Btw. I think we may want to file a RFE to implement some command to promote a
replica to CRL master (like "ipa-csreplica-manage crl-promote" proposed
earlier). Users may want to promote a replica when the master crashes or is to
be replaced. Some way to migrate CRL list (if not replicated already) to the
promoted replica would also be needed.


Andrew suggested I specify that we do not monitor cloned revocations on the server not generating CRLs, so I added that.

The last question is what we do about redirecting users on the non-generating masters.

We can do it easily with a line like this in Apache:

RewriteRule ^/ipa/crl/MasterCRL.bin https://$FQDN:9444/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL [L,R=301,NC]

The tricky part is writing this properly. The CA can be added post-install so I don't think simply adding this to ipa-rewrite.conf will work well. Is adding another template configuration file for Apache overkill?

>From 48127079fa0032027034acb4426518464a5c4f6a Mon Sep 17 00:00:00 2001
From: Rob Crittenden <>
Date: Tue, 9 Oct 2012 10:40:20 -0400
Subject: [PATCH] Configure the initial CA as the CRL generator.

Any installed clones will have CRL generation explicitly disabled.
It is a manual process to make a different CA the CRL generator.
There should be only one.
 ipaserver/install/ | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/ipaserver/install/ b/ipaserver/install/
index a64fe6f03d25380ae0629df51087ddb599b1a034..0ac895e34f22b9e56d85855cd7051385fe8b3d20 100644
--- a/ipaserver/install/
+++ b/ipaserver/install/
@@ -1239,6 +1239,19 @@ class CAInstance(service.Service):
             'https://%s/ipa/crl/MasterCRL.bin' % ipautil.format_netloc(self.fqdn),
             quotes=False, separator='=')
+        # If we are the initial master then we are the CRL generator, otherwise
+        # we point to that master for CRLs.
+        if not self.clone:
+            # These next two are defaults, but I want to be explicit that the
+            # initial master is the CRL generator.
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'true', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'true', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'true', quotes=False, separator='=')
+        else:
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLCache', 'false', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.crl.MasterCRL.enableCRLUpdates', 'false', quotes=False, separator='=')
+            installutils.set_directive(caconfig, 'ca.listenToCloneModifications', 'false', quotes=False, separator='=')
     def __set_subject_in_config(self):
         # dogtag ships with an IPA-specific profile that forces a subject
         # format. We need to update that template with our base subject

Freeipa-devel mailing list

Reply via email to