Natxo Asenjo wrote:
> hi,
>
> I have been really busy, apologies for the delay in answering.
>
> On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>> Natxo Asenjo wrote:
>>> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo <natxo.ase...@gmail.com>
>>> wrote:
>>>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>>>> still get the old crl dated June 28th last year.
>>>>
>>>> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
>>>> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>>> as well?
>>>
>>> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
>>> the crl generator host. In my test environment running centos 7 the
>>> files get updated, so I think a process is not running. But which one?
>>>
>>> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>> gives me the up to date CRL.
>>>
>>> --
>>> Groeten,
>>> natxo
>>>
>>
>> To enable CRL generation you need these set:
>>
>> ca.crl.MasterCRL.enableCRLCache=false
>> ca.crl.MasterCRL.enableCRLUpdates=false
>
> ok, this is in the host holding the CRL, right? (in my case kdc01, the
> first one). I followed the guide in
> http://www.freeipa.org/page/CVE-2012-4546 where in point 2a of manual
> instructions you can read true. I have changed that now to false and
> restarted the pki-cad daemon.

ok

>> Given that the CA seems to be generating a new CRL that you can fetch
>> directly I'll assume those are set.
>
>> The CA also needs configuration on how/where to publish a file-based
>> CRL. The configuration should look like:
>>
>> ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
>> ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
>> ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
>> ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
>> ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
>> ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
>> ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
>> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
>> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
>> ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
>
> These values are correct.
>
> How often does the crl list get generated? I still do not see recent data.

This is controlled by ca.crl.MasterCRL.autoUpdateInterval which by default
is 240, so every 4 hours.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
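A check script for the settings discussed in this thread, added here as an example; it is not code from the thread, from FreeIPA or from Dogtag. It parses the key=value format of Dogtag's CS.cfg, compares the publisher keys Rob quotes against what is configured, checks the enableCRLUpdates/enableCRLCache pair against the role of the host (true on the CRL generator as in the CVE-2012-4546 procedure Natxo cites, false elsewhere), and flags a published MasterCRL.bin whose modification time is older than twice ca.crl.MasterCRL.autoUpdateInterval (default 240 minutes). The CS.cfg path, the publish directory used for the on-disk check and the two-interval grace period are assumptions; the stale-file test is on file age only, it does not parse the CRL's thisUpdate/nextUpdate fields.

```python
"""Sanity checks for Dogtag/FreeIPA CRL generation and file publishing.

Added example, not code from the mailing-list thread or from FreeIPA.
"""
import os
import time

# Assumed locations; adjust for your deployment.
DEFAULT_CS_CFG = "/etc/pki-ca/CS.cfg"                        # assumption
DEFAULT_CRL_FILE = "/var/lib/ipa/pki-ca/publish/MasterCRL.bin"  # assumption

# Publisher settings quoted in the thread, used as the expected values.
EXPECTED_PUBLISHER = {
    "ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName": "FileBasedPublisher",
    "ca.publish.publisher.instance.FileBaseCRLPublisher.directory": "/var/lib/ipa/pki-ca/publish",
    "ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink": "true",
    "ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt": "bin",
    "ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der": "true",
    "ca.publish.rule.instance.FileCrlRule.publisher": "FileBaseCRLPublisher",
}

DEFAULT_INTERVAL_MINUTES = 240  # ca.crl.MasterCRL.autoUpdateInterval default, per the thread


def parse_cs_cfg(text):
    """Parse CS.cfg-style 'key=value' lines into a dict.

    Blank lines and '#' comments are skipped; the value is everything after
    the first '=' so values that themselves contain '=' survive intact.
    """
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        cfg[key.strip()] = value.strip()
    return cfg


def check_crl_config(cfg, is_generator=True):
    """Return a list of findings; an empty list means nothing looked wrong."""
    findings = []
    # Without both the rule and the publisher nothing is ever written to disk.
    for key, expected in EXPECTED_PUBLISHER.items():
        actual = cfg.get(key)
        if actual is None:
            findings.append("missing %s (expected %s)" % (key, expected))
        elif actual != expected:
            findings.append("%s=%s (expected %s)" % (key, actual, expected))
    # The CRL generator updates and caches the CRL; the other masters do not.
    want = "true" if is_generator else "false"
    for key in ("ca.crl.MasterCRL.enableCRLUpdates",
                "ca.crl.MasterCRL.enableCRLCache"):
        actual = cfg.get(key)
        if actual != want:
            findings.append("%s=%s (expected %s on this host)" % (key, actual, want))
    return findings


def auto_update_interval(cfg):
    """Minutes between CRL regenerations; 240 (4 hours) when the key is unset."""
    return int(cfg.get("ca.crl.MasterCRL.autoUpdateInterval", DEFAULT_INTERVAL_MINUTES))


def crl_is_stale(mtime, interval_minutes, now=None, grace=2):
    """True when the published file is older than `grace` update intervals.

    One missed cycle is tolerated (assumed grace period) because the file is
    only rewritten after the next successful update; a file dated June 2013
    seen in October 2014, as in the thread, is stale under any interval.
    """
    now = time.time() if now is None else now
    return (now - mtime) > grace * interval_minutes * 60


def check_published_crl(path, interval_minutes, now=None):
    """Finding about the on-disk CRL, or None if it looks current."""
    if not os.path.exists(path):
        return "published CRL %s does not exist" % path
    if crl_is_stale(os.path.getmtime(path), interval_minutes, now):
        return "published CRL %s is older than %d minutes" % (path, 2 * interval_minutes)
    return None


if __name__ == "__main__":
    import sys
    cfg_path = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_CS_CFG
    with open(cfg_path) as fh:
        cfg = parse_cs_cfg(fh.read())
    problems = check_crl_config(cfg)
    stale = check_published_crl(DEFAULT_CRL_FILE, auto_update_interval(cfg))
    if stale:
        problems.append(stale)
    for problem in problems:
        print("PROBLEM:", problem)
    if not problems:
        print("CRL generation and file publishing look configured")
```

Run it on the CRL generator as `python check_crl.py /path/to/CS.cfg`; on a replica pass `is_generator=False` to `check_crl_config` so the false/false pair is what gets accepted. The file-age check is deliberately the cheap version of the question Natxo was asking: if the published file has not changed for two intervals while the CA's own getCRL endpoint serves a fresh CRL, the publishing side of the configuration is where to look.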