On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo <[email protected]> wrote:
> On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden <[email protected]> wrote:
>> Natxo Asenjo wrote:
>>> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo <[email protected]> wrote:
>>>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl) all the
>>>> files I see are very old (the MasterCRL.bin file is dated 28 June
>>>> 2013), and on the kdc02 it is newer (July 2 2013).
>>>
>>> On 28 June 2013 I patched the kdc01:
>>>
>>> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>>
>>> and the kdc02 a few days later:
>>>
>>> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>>
>>> So that explains the dates, but why did it stop the publication of CRLs?
>>>
>>
>> I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
>> what happened.
>>
>> I'm guessing that both were deemed to not be the CRL generator so
>> generation was stopped on both.
>>
>> See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
>> one of the masters to do the CRL generation.
>
> I was just looking at that article and wondering if that would not be
> the culprit.
>
> I will post an update later.
OK, so on the CRL generator (kdc01) I added this to CS.cfg:

ca.listenToCloneModifications=true

and rebooted, and on the kdc02 (the second replica, not holding the CRL
generator) I removed the comment on the rewrite rule, restarted apache2,
and now when getting /ipa/crl/MasterCRL.bin clients get redirected to
https://kdc01.domain.tld/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL

And this CRL is up to date:

$ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout -lastupdate
lastUpdate=Oct 13 19:00:00 2014 GMT
$ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout -nextupdate
nextUpdate=Oct 13 23:00:00 2014 GMT

But if I get it from the CRL generator using /ipa/crl/MasterCRL.bin I
still get the old CRL dated June 28th last year.

Should I also modify ipa-pki-proxy.conf on the CRL generator host to
point to /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL as well?

--
Groeten,
natxo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
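The freshness check in the message above (openssl crl -nextupdate read by eye) is easy to script, which matters here because the same URL path (/ipa/crl/MasterCRL.bin) returned a current CRL from one master and a year-old one from the other. The following is an added example by the editor, not code from the thread or from the FreeIPA project: it turns that check into a function that reports a DER CRL as "fresh" or "stale" by comparing nextUpdate with the current time, and builds a constructed throwaway CA and CRL so the demo runs offline. It assumes openssl and GNU date (the `date -d` parsing is GNU-specific); `fetch_crl` is an illustration of how to pull the file through the ipa-pki-proxy redirect and uses the thread's kdc01.domain.tld name only as a placeholder, and is not run.

```shell
#!/bin/sh
# Added example (editor's code, not from the thread or the FreeIPA project).
# Checks whether a DER CRL such as IPA's MasterCRL.bin is still within its
# validity window: nextUpdate must lie in the future. Assumes openssl and
# GNU date (the -d parsing below is GNU-specific).
set -eu

# crl_next_update FILE -> nextUpdate of a DER CRL as epoch seconds
crl_next_update() {
    nu=$(openssl crl -inform DER -in "$1" -noout -nextupdate | sed 's/^nextUpdate=//')
    date -u -d "$nu" +%s
}

# date_is_past "Oct 13 23:00:00 2014 GMT" -> true if that instant has passed
date_is_past() {
    [ "$(date -u -d "$1" +%s)" -le "$(date -u +%s)" ]
}

# crl_status FILE -> prints "fresh" or "stale"
crl_status() {
    if [ "$(crl_next_update "$1")" -gt "$(date -u +%s)" ]; then
        echo fresh
    else
        echo stale
    fi
}

# fetch_crl HOST OUTFILE -> downloads /ipa/crl/MasterCRL.bin from an IPA master.
# -L follows the ipa-pki-proxy rewrite to /ca/ee/ca/getCRL on the CRL
# generator; without it a replica that only redirects yields no file.
# Not run in this demo; HOST would be e.g. kdc01.domain.tld (thread's name).
fetch_crl() {
    curl -fsSL "http://$1/ipa/crl/MasterCRL.bin" -o "$2"
}

# make_test_crl DIR DAYS -> builds a constructed throwaway CA and prints the
# path of a DER CRL that is valid for DAYS days
make_test_crl() {
    dir=$1
    mkdir -p "$dir"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
        -subj "/CN=Constructed test CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    : > "$dir/index.txt"
    echo 1000 > "$dir/crlnumber"
    cat > "$dir/ca.cnf" <<EOF
[ ca ]
default_ca = test_ca

[ test_ca ]
dir              = $dir
database         = $dir/index.txt
new_certs_dir    = $dir
certificate      = $dir/ca.crt
private_key      = $dir/ca.key
crlnumber        = $dir/crlnumber
default_md       = sha256
default_crl_days = 1
EOF
    openssl ca -config "$dir/ca.cnf" -gencrl -crldays "$2" \
        -out "$dir/crl.pem" 2>/dev/null
    openssl crl -in "$dir/crl.pem" -outform DER -out "$dir/MasterCRL.bin"
    echo "$dir/MasterCRL.bin"
}

# Demo: a freshly generated one-day CRL is reported fresh, and a nextUpdate
# from 2013 (the vintage of the stale file in the thread) is reported past.
tmp=$(mktemp -d)
crl=$(make_test_crl "$tmp" 1)
echo "$crl: $(crl_status "$crl")"
if date_is_past "Jun 28 23:17:30 2013 GMT"; then
    echo "a CRL whose nextUpdate were Jun 28 2013 would be reported stale"
fi
rm -rf "$tmp"
```

Run it against each master by replacing the demo with `fetch_crl kdc01.domain.tld crl1.bin; crl_status crl1.bin` and the same for kdc02; a master whose /ipa/crl path still serves a file with a nextUpdate in the past is the one that needs its proxy rule (or CRL generation) fixed.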
