On 11/05/2014 09:20 PM, Natxo Asenjo wrote:
On Wed, Nov 5, 2014 at 7:45 PM, Natxo Asenjo <natxo.ase...@gmail.com> wrote:
And I think I found it:
https://fedorahosted.org/freeipa/ticket/3727


permissions of that folder:

$ ls -ld publish/
drwxr-xr-x. 2 root root 73728 Jun 13  2013 publish/

I just changed them to pkiuser:pkiuser, let's see what the next run does.

and it's fixed (after undoing the change in CS.cfg and re-setting

ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false

both to true and reloading pki-cad):

-rw-rw-r--. 1 pkiuser pkiuser 1807 Jun 28  2013 MasterCRL-20130628-210000.der
-rw-rw-r--. 1 pkiuser pkiuser 5278 Nov  5 21:00 MasterCRL-20141105-210000.der
lrwxrwxrwx. 1 pkiuser pkiuser   57 Nov  5 21:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20141105-210000.der

phew

Good! I am glad you fixed the problem. I added this case to
http://www.freeipa.org/page/Troubleshooting#CRL_gets_very_old

I am wondering what caused the issue. In the beginning you wrote that you use CentOS 6.5. However, the bug you correctly referred to was fixed in 6.5:

https://bugzilla.redhat.com/show_bug.cgi?id=975431

So I am wondering if some scenario was missed and for example the IPA updater did not fix the folder ownership.

Thanks,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
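
The failure discussed in this thread (publish directory owned by root, so MasterCRL.bin stays old) can be checked for with a short script. This is an added example, not code from the thread or from FreeIPA; the path and the pkiuser owner are the ones shown above, while the 24-hour limit and the function names are assumptions, and GNU stat and date are assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Path and owner are the ones shown in the
# thread; the 24-hour limit and all function names are assumptions.
PUBLISH_DIR="${PUBLISH_DIR:-/var/lib/ipa/pki-ca/publish}"
CRL_OWNER="${CRL_OWNER:-pkiuser}"
MAX_AGE_HOURS="${MAX_AGE_HOURS:-24}"

# owner_ok DIR USER: succeed only if DIR exists and is owned by USER.
owner_ok() {
    [ -d "$1" ] || return 2
    [ "$(stat -c %U "$1")" = "$2" ]
}

# crl_age_hours DIR: print the age, in whole hours, of the file that
# DIR/MasterCRL.bin resolves to; return 2 if the link is missing or dangling.
crl_age_hours() {
    link="$1/MasterCRL.bin"
    [ -e "$link" ] || return 2
    mtime=$(stat -L -c %Y "$link") || return 2
    echo $(( ($(date +%s) - $mtime) / 3600 ))
}

# check_crl_publish DIR USER MAX_HOURS: return 0 if healthy, 1 otherwise.
check_crl_publish() {
    rc=0
    if ! owner_ok "$1" "$2"; then
        echo "WARN: $1 is not a directory owned by $2" >&2
        rc=1
    fi
    if age=$(crl_age_hours "$1"); then
        if [ "$age" -gt "$3" ]; then
            echo "WARN: MasterCRL.bin target is ${age}h old (limit ${3}h)" >&2
            rc=1
        fi
    else
        echo "WARN: $1/MasterCRL.bin is missing or dangling" >&2
        rc=1
    fi
    return "$rc"
}

# Run against the real directory only when asked to: sh script.sh --run
if [ "${1:-}" = "--run" ]; then
    check_crl_publish "$PUBLISH_DIR" "$CRL_OWNER" "$MAX_AGE_HOURS"
    exit $?
fi
```

Run from cron or a monitoring agent, a non-zero exit flags both the ownership problem and a CRL that has stopped being regenerated for any other reason.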