It looks like my CRL renewal master (RHEL 8) is not producing the CRL
correctly.

I've got two certificates that were requested by certmonger running on
an ipa client. I'm pretty sure I revoked them as an admin logged into a
second ipa client.

Status of all replication agreements on all ipa servers is green.

The CRL renewal master knows the certificates were issued & revoked:

    $ ipa cert-find --validnotbefore-from=2024-03-14 --status=REVOKED
    ----------------------
    2 certificates matched
    ----------------------
      Issuing CA: ipa
      Subject: CN=myhost.example.com,O=EXAMPLE.COM
      Issuer: CN=Certificate Authority,O=EXAMPLE.COM
      Not Before: Thu Mar 14 20:29:31 2024 UTC
      Not After: Wed Jul 17 20:29:31 2024 UTC
      Serial number: 1342111806
      Serial number (hex): 0x4FFF003E
      Status: REVOKED
      Revoked: True

      Issuing CA: ipa
      Subject: CN=myhost.example.com,O=EXAMPLE.COM
      Issuer: CN=Certificate Authority,O=EXAMPLE.COM
      Not Before: Thu Mar 14 20:35:03 2024 UTC
      Not After: Wed Jul 17 20:35:03 2024 UTC
      Serial number: 1342111807
      Serial number (hex): 0x4FFF003F
      Status: REVOKED
      Revoked: True
    ----------------------------
    Number of entries returned 2
    ----------------------------

* Both certificates are revoked.
* Both certificates have 'not after' dates in the future.

But looking at the current CRL:

    $ openssl crl -in /var/lib/ipa/pki-ca/publish/MasterCRL.bin -inform der -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = EXAMPLE.COM, CN = Certificate Authority
            Last Update: Mar 23 13:18:45 2024 GMT
            Next Update: Mar 23 17:00:00 2024 GMT
            CRL extensions:
                X509v3 Authority Key Identifier: 
                    keyid:1B:89:B8:D6:6F:4D:41:C1:BD:47:A3:9B:21:36:8C:71:10:59:8C:A6
                X509v3 CRL Number: 
                    10526
    Revoked Certificates:
        Serial Number: 2FFE002B
            Revocation Date: May 19 17:01:12 2022 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code: 
                    Key Compromise
        Signature Algorithm: sha256WithRSAEncryption
             0f:2f:59:9b:9c:1c:ac:fd:6a:e5:d7:87:94:97:e3:a8:cf:07:
             fe:86:8b:4e:a6:37:dc:76:c1:ef:f3:69:9e:e3:5c:8a:dd:12:
             cb:fa:4a:97:21:ae:fa:ee:91:bb:37:9e:cb:bb:49:10:58:95:
             bd:24:98:df:a1:45:90:b3:f1:51:af:2b:c9:cb:c3:89:23:a8:
             f5:8d:3f:d4:4e:4b:a6:ef:d6:96:94:36:da:a1:0c:ab:32:27:
             85:24:0d:9c:52:17:17:4d:ae:3a:83:59:39:a9:08:33:7d:f4:
             05:74:e3:7d:1e:df:8e:f8:4c:c0:fd:7f:8b:a2:b4:0a:a2:fc:
             57:9b:00:c2:29:9e:74:0f:c2:4a:0e:5c:e6:f0:1e:ff:71:a9:
             f9:cb:a1:6f:b4:48:16:59:42:78:2a:38:1d:14:b7:d3:58:cb:
             21:ad:61:bb:c9:20:e6:c2:39:97:bf:a6:f8:fe:26:32:51:eb:
             67:b4:0c:b9:ea:96:ea:b0:66:cf:7c:73:74:69:fc:08:d9:a7:
             13:23:34:3e:a6:f1:b3:0d:0f:54:46:22:71:6c:16:81:a8:97:
             79:c5:a0:20:03:5d:51:d7:fb:25:33:3b:7a:55:59:dd:a6:cb:
             3e:00:1d:2a:c7:a3:7a:8b:3b:1f:d9:36:23:c5:c3:f4:ff:14:
             86:0b:61:fc

* The CRL was just generated a few minutes ago
* The two revoked certificates are not present
* The certificate that is present in the list expired in July 2022,
  according to 'ipa cert-show 0x2FFE002B'

To force CRL generation I'm running:

    $ curl https://$HOSTNAME:8443/ca/agent/ca/updateCRL --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key

Nothing suspicious shows up in Dogtag's logs:

    ==> /var/log/pki/pki-tomcat/ca/debug.2024-03-23.log <==
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: Getting SSL client certificate.
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: CertUserDBAuthentication: UID ipara authenticated.
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: AAclAuthz: Granting update permission for certServer.ca.crl
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CRLIssuingPoint: Updating MasterCRL
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CASigningUnit: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CASigningUnit: Signing Certificate
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CRLReposiotry: Updating CRL issuing point record
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: Getting crl publishing rules
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapXCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCaCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: FileCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: true
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   type: crl
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   predicate: null
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapUserCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing CRL 10529 to MasterCRL
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: Getting crl publishing rules
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapXCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCaCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: FileCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: true
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   type: crl
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   predicate: null
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapUserCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing rules:
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: - rule: FileCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor:   mapper: NoMap
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing to CN=Certificate Authority,O=EXAMPLE.COM
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: - publisher: FileBaseCRLPublisher
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Published CRL

    ==> /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit <==
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=--][ServerIP=--][SubjectID=CN=IPA RA,O=EXAMPLE.COM][Outcome=Success] access session establish success
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=AUTH][SubjectID=ipara][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=AUTHZ][SubjectID=ipara][Outcome=Success][aclResource=certServer.ca.crl][Op=update] authorization success
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=ipara][Outcome=Success][Role=Certificate Manager Agents, Registration Manager Agents, Security Domain Administrators, Enterprise ACME Administrators] assume privileged role
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=SCHEDULE_CRL_GENERATION][SubjectID=ipara][Outcome=Success] schedule for CRL generation
    0.https-jsse-nio-8443-exec-7 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=--][ServerIP=--][SubjectID=--][Outcome=Success][Info=serverAlertReceived: CLOSE_NOTIFY] access session terminated
    0.https-jsse-nio-8443-exec-7 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=--][ServerIP=--][SubjectID=--][Outcome=Success][Info=serverAlertSent: CLOSE_NOTIFY] access session terminated

This may be related to <https://pagure.io/freeipa/issue/9505>. I've not
had the chance to test revocation on an ipa server yet.

Any other debugging I can do just let me know.

-- 
Sam Morris <https://robots.org.uk/>
CAAA AA1A CA69 A83A 892B  1855 D20B 4202 5CDA 27B9
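A cross-check that makes the discrepancy described in the post mechanical, written for this note (it is not code from the post or from FreeIPA/Dogtag): parse the `ipa cert-find --status=REVOKED` listing and the `openssl crl -text` dump, and report every revoked serial that was still valid at the CRL's Last Update but is absent from it. Both inputs are constructed from the outputs quoted above, trimmed to the fields the check needs.

```python
import re
from datetime import datetime, timezone

# Constructed input: the relevant fields of the `ipa cert-find` output above.
IPA_FIND = """\
  Not After: Wed Jul 17 20:29:31 2024 UTC
  Serial number: 1342111806
  Serial number (hex): 0x4FFF003E
  Status: REVOKED

  Not After: Wed Jul 17 20:35:03 2024 UTC
  Serial number: 1342111807
  Serial number (hex): 0x4FFF003F
  Status: REVOKED
"""

# Constructed input: the relevant lines of the `openssl crl -text` output above.
CRL_TEXT = """\
        Last Update: Mar 23 13:18:45 2024 GMT
        Next Update: Mar 23 17:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 2FFE002B
        Revocation Date: May 19 17:01:12 2022 GMT
"""

def _utc(text, fmt):
    # Both tools print UTC/GMT without an offset; attach the zone explicitly.
    return datetime.strptime(text, fmt).replace(tzinfo=timezone.utc)

def ipa_revoked(text):
    """Map serial (int) -> Not After for every entry ipa reports as REVOKED."""
    out = {}
    for block in re.split(r"\n\s*\n", text):
        serial = re.search(r"Serial number \(hex\): 0x([0-9A-Fa-f]+)", block)
        expiry = re.search(r"Not After: (.+) UTC", block)
        if serial and expiry and "Status: REVOKED" in block:
            out[int(serial.group(1), 16)] = _utc(expiry.group(1), "%a %b %d %H:%M:%S %Y")
    return out

def crl_entries(text):
    """Return (Last Update, set of serials) parsed from `openssl crl -text` output."""
    last = re.search(r"Last Update: (.+) GMT", text).group(1)
    serials = {int(s, 16) for s in re.findall(r"Serial Number: ([0-9A-Fa-f]+)", text)}
    return _utc(last, "%b %d %H:%M:%S %Y"), serials

def missing_from_crl(ipa_text, crl_text):
    """Revoked serials that had not yet expired at Last Update but are not on the CRL."""
    last_update, on_crl = crl_entries(crl_text)
    return {s for s, exp in ipa_revoked(ipa_text).items()
            if exp > last_update and s not in on_crl}
```

On a server, feed the real command outputs to `missing_from_crl`; an empty set means the published CRL agrees with the CA's revocation records.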