Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
>> files I see are very old (the MasterCRL.bin file is dated 28 june
>> 2013), and on the kdc02 it is newer (July 2 2013).
> 
> on 28 June 2013 I patched the kdc01:
> 
> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
> 
> and the kdc02  a few days later:
> 
> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
> 
> So that explains the dates, but why dit it stop the publication of crls?
> 

I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
what happened.

I'm guessing that both were deemed to not be the CRL generator so
generation was stopped on both.

See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
one of the masters to do the CRL generation.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project

Reply via email to