Re: [Freeipa-users] mastercrl.bin very old
On 11/05/2014 09:20 PM, Natxo Asenjo wrote:
> On Wed, Nov 5, 2014 at 7:45 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>> And I think I found it: https://fedorahosted.org/freeipa/ticket/3727
>>
>> permissions of that folder:
>>
>> $ ls -ld publish/
>> drwxr-xr-x. 2 root root 73728 Jun 13 2013 publish/
>>
>> I just changed them to pkiuser:pkiuser, let's see what the next run does.
>
> and it's fixed (after undoing the change in CS.cfg and re-setting
>
> ca.crl.MasterCRL.enableCRLCache=false
> ca.crl.MasterCRL.enableCRLUpdates=false
>
> both to true and reloading pki-cad):
>
> -rw-rw-r--. 1 pkiuser pkiuser 1807 Jun 28 2013 MasterCRL-20130628-21.der
> -rw-rw-r--. 1 pkiuser pkiuser 5278 Nov 5 21:00 MasterCRL-20141105-21.der
> lrwxrwxrwx. 1 pkiuser pkiuser 57 Nov 5 21:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20141105-21.der
>
> phew

Good! I am glad you fixed the problem. I added this case to
http://www.freeipa.org/page/Troubleshooting#CRL_gets_very_old

I am wondering what caused the issue. In the beginning you wrote that you use
centos 6.5. However, the bug you correctly referred to was fixed in 6.5:
https://bugzilla.redhat.com/show_bug.cgi?id=975431

So I am wondering if some scenario was missed and for example the IPA updater
did not fix the folder ownership.

Thanks,
Martin

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
Re: [Freeipa-users] mastercrl.bin very old
hi Martin,

On Fri, Nov 7, 2014 at 10:46 AM, Martin Kosek mko...@redhat.com wrote:
> Good! I am glad you fixed the problem. I added this case to
> http://www.freeipa.org/page/Troubleshooting#CRL_gets_very_old

nice. Hopefully it will help someone.

> I am wondering what caused the issue. In the beginning you wrote that you
> use centos 6.5. However, the bug you correctly referred to was fixed in 6.5:
> https://bugzilla.redhat.com/show_bug.cgi?id=975431
>
> So I am wondering if some scenario was missed and for example the IPA
> updater did not fix the folder ownership.

Maybe there is a difference between the RHEL and centos rpm's ...

I guess it's time to start monitoring the crl as well (plenty of choice in the
nagios exchange, apparently).

Thanks for the tip!

--
Groeten,
natxo
Re: [Freeipa-users] mastercrl.bin very old
hi,

On Wed, Nov 5, 2014 at 9:39 AM, Martin Kosek mko...@redhat.com wrote:
> On 11/04/2014 01:39 PM, Natxo Asenjo wrote:
>> hi,
>>
>> On Mon, Nov 3, 2014 at 5:21 PM, Rob Crittenden rcrit...@redhat.com wrote:
>>> Natxo Asenjo wrote:
>>>> How often does the crl list get generated? i still do not see recent
>>>> data.
>>>
>>> This is controlled by ca.crl.MasterCRL.autoUpdateInterval which by
>>> default is 240, so every 4 hours.
>>
>> mmm, still no new items in the https://kdc01.sub.domain.tld/ipa/crl/ site.
>> Everything is stuck on june 28 2013.
>
> I would check PKI system logs and also look for any AVCs. There were SELinux
> policy related bugs in the past which prevented creation of the CRLs in
> /var/lib/ipa/pki-ca/publish/.

Bingo!

After disabling selinux this morning and waiting a few hours the crl was still
not updated. So time to look at the logs. In /var/lib/pki-ca/logs/system I
found lots of these messages:

sterCRL-20141101-21.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-01.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:05:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-05.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-09.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:13:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-13.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:17:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-17.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:21:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-21.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:01:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-01.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:05:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-05.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-09.temp (Permission denied)

Now I still need to find the solution :-)

It does not appear to be a selinux problem:

# restorecon -rv /var/lib/ipa/pki-ca/publish/

returns immediately to the prompt, so no fixed contexts.

Thanks,

--
Groeten,
natxo
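Added example, not part of the thread: a check that turns the log hunt above into something a monitoring job can run. It parses entries in the /var/lib/pki-ca/logs/system layout quoted in this message (the sample lines are constructed in that layout), groups the FileBasedPublisher failures by directory and reason, and compares the publish directory's owner with pkiuser, the account the listings in this thread show the CA writing as.

```python
"""Spot the silent CRL-publishing failure in the Dogtag CA system log.
Added example, not from the thread: parses /var/lib/pki-ca/logs/system entries
in the layout quoted above and checks who owns the publish directory."""
import os
import pwd
import re
from collections import Counter

# One CA system-log entry, in the layout the thread quotes:
# 6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:00 CET] [20] [3]
#   FileBasedPublisher: java.io.FileNotFoundException: <path> (Permission denied)
_PUBLISH_ERROR = re.compile(
    r"^\S+ - \[(?P<ts>[^\]]+)\] \[\d+\] \[\d+\] FileBasedPublisher: "
    r"(?P<exc>[\w.$]+): (?P<path>\S+) \((?P<reason>[^)]*)\)\s*$"
)

def publish_failures(lines):
    """Return one dict per FileBasedPublisher failure found in the log lines."""
    found = []
    for line in lines:
        m = _PUBLISH_ERROR.match(line.strip())
        if m:
            found.append({
                "time": m.group("ts"),
                "directory": os.path.dirname(m.group("path")),
                "reason": m.group("reason"),
            })
    return found

def summarise(failures):
    """Collapse the 4-hourly repeats into {(directory, reason): count}."""
    return Counter((f["directory"], f["reason"]) for f in failures)

def check_owner(directory, expected_user="pkiuser"):
    """Compare the directory owner with the account the CA writes as. Returns
    None when they match, else (actual_owner, expected_user)."""
    st = os.stat(directory)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = str(st.st_uid)
    return None if owner == expected_user else (owner, expected_user)

# Constructed sample: three entries in the quoted layout plus one unrelated
# entry, so the filter has something to ignore.
SAMPLE_LOG = """\
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-01.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:05:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-05.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:09:00:00 CET] [20] [3] unrelated entry (constructed)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-09.temp (Permission denied)
""".splitlines()

if __name__ == "__main__":
    for (directory, reason), n in summarise(publish_failures(SAMPLE_LOG)).items():
        print(f"{n} publish failures in {directory}: {reason}")
        if os.path.isdir(directory):
            mismatch = check_owner(directory)
            if mismatch:
                print(f"  {directory} is owned by {mismatch[0]}, expected {mismatch[1]}")
```

On a real master, feed it the actual system log (for example the last few hundred lines) instead of SAMPLE_LOG; a steady run of the same (directory, reason) pair every autoUpdateInterval is the signature of this problem.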
Re: [Freeipa-users] mastercrl.bin very old
On Wed, Nov 5, 2014 at 7:37 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> 6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-09.temp (Permission denied)

And I think I found it: https://fedorahosted.org/freeipa/ticket/3727

permissions of that folder:

$ ls -ld publish/
drwxr-xr-x. 2 root root 73728 Jun 13 2013 publish/

I just changed them to pkiuser:pkiuser, let's see what the next run does.

--
Groeten,
natxo
Re: [Freeipa-users] mastercrl.bin very old
hi,

By the way, is it safe to rename this file:

$ ls -lh /var/lib/pki-ca/logs/debug
-rw-r-. 1 pkiuser pkiuser 841M Nov 5 19:54 /var/lib/pki-ca/logs/debug

It's quite big :-). Can I just rename it while the dirsrv is running and will a
new one be created, or do I have to stop the pki-cad daemon and then rename it?

--
Regards,
natxo
Re: [Freeipa-users] mastercrl.bin very old
On Wed, Nov 5, 2014 at 7:45 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> And I think I found it: https://fedorahosted.org/freeipa/ticket/3727
>
> permissions of that folder:
>
> $ ls -ld publish/
> drwxr-xr-x. 2 root root 73728 Jun 13 2013 publish/
>
> I just changed them to pkiuser:pkiuser, let's see what the next run does.

and it's fixed (after undoing the change in CS.cfg and re-setting

ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false

both to true and reloading pki-cad):

-rw-rw-r--. 1 pkiuser pkiuser 1807 Jun 28 2013 MasterCRL-20130628-21.der
-rw-rw-r--. 1 pkiuser pkiuser 5278 Nov 5 21:00 MasterCRL-20141105-21.der
lrwxrwxrwx. 1 pkiuser pkiuser 57 Nov 5 21:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20141105-21.der

phew

--
Groeten,
natxo
Re: [Freeipa-users] mastercrl.bin very old
hi,

I have been really busy, apologies for the delay in answering.

On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Natxo Asenjo wrote:
>> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>>> still get the old crl dated june 28th last year. Should I modify
>>> ipa-pki-proxy.conf as well on the CRL generator host to point to the
>>> /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL as well?
>>
>> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
>> the crl generator host. In my test environment running centos 7 the files
>> get updated, so I think a process is not running. But which one?
>>
>> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL gives
>> me the up to date CRL.
>>
>> --
>> Groeten,
>> natxo
>
> To enable CRL generation you need these set:
>
> ca.crl.MasterCRL.enableCRLCache=false
> ca.crl.MasterCRL.enableCRLUpdates=false

ok, this is in the host holding the CRL, right? (in my case kdc01, the first
one). I followed the guide in http://www.freeipa.org/page/CVE-2012-4546 where
in point 2a of manual instructions you can read true. I have changed that now
to false and restarted the pki-cad daemon.

> Given that the CA seems to be generating a new CRL that you can fetch
> directly I'll assume those are set. The CA also needs configuration on
> how/where to publish a file-based CRL. The configuration should look like:
>
> ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
> ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
> ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
> ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
> ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
> ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher

These values are correct.

How often does the crl list get generated? i still do not see recent data.

Thanks!

--
Groeten,
natxo
Re: [Freeipa-users] mastercrl.bin very old
Natxo Asenjo wrote:
> hi,
>
> I have been really busy, apologies for the delay in answering.
>
> On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Natxo Asenjo wrote:
>>> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>>>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>>>> still get the old crl dated june 28th last year. Should I modify
>>>> ipa-pki-proxy.conf as well on the CRL generator host to point to the
>>>> /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL as well?
>>>
>>> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
>>> the crl generator host. In my test environment running centos 7 the
>>> files get updated, so I think a process is not running. But which one?
>>>
>>> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL gives
>>> me the up to date CRL.
>>>
>>> --
>>> Groeten,
>>> natxo
>>
>> To enable CRL generation you need these set:
>>
>> ca.crl.MasterCRL.enableCRLCache=false
>> ca.crl.MasterCRL.enableCRLUpdates=false
>
> ok, this is in the host holding the CRL, right? (in my case kdc01, the
> first one). I followed the guide in http://www.freeipa.org/page/CVE-2012-4546
> where in point 2a of manual instructions you can read true. I have changed
> that now to false and restarted the pki-cad daemon.

ok

>> Given that the CA seems to be generating a new CRL that you can fetch
>> directly I'll assume those are set. The CA also needs configuration on
>> how/where to publish a file-based CRL. The configuration should look like:
>>
>> ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
>> ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
>> ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
>> ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
>> ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
>> ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
>> ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
>> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
>> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
>> ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher
>
> These values are correct.
>
> How often does the crl list get generated? i still do not see recent data.

This is controlled by ca.crl.MasterCRL.autoUpdateInterval which by default is
240, so every 4 hours.

rob
Re: [Freeipa-users] mastercrl.bin very old
Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>> still get the old crl dated june 28th last year. Should I modify
>> ipa-pki-proxy.conf as well on the CRL generator host to point to the
>> /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL as well?
>
> This morning the /ipa/crl dir still had the lists of 28th June 2013 in the
> crl generator host. In my test environment running centos 7 the files get
> updated, so I think a process is not running. But which one?
>
> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL gives me
> the up to date CRL.
>
> --
> Groeten,
> natxo

To enable CRL generation you need these set:

ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false

Given that the CA seems to be generating a new CRL that you can fetch directly
I'll assume those are set. The CA also needs configuration on how/where to
publish a file-based CRL. The configuration should look like:

ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher

rob
Re: [Freeipa-users] mastercrl.bin very old
On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I still
> get the old crl dated june 28th last year. Should I modify
> ipa-pki-proxy.conf as well on the CRL generator host to point to the
> /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL as well?

This morning the /ipa/crl dir still had the lists of 28th June 2013 in the crl
generator host. In my test environment running centos 7 the files get updated,
so I think a process is not running. But which one?

Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL gives me the
up to date CRL.

--
Groeten,
natxo
[Freeipa-users] mastercrl.bin very old
hi,

yet another certificate authority question.

We have a centos 6.5 ipa environment with two domain controllers (kdc01,
kdc02). The first one is the first replica and maintains the crl (or so it
should).

Recently our monitoring warned us that the web host certificate for kdc01 was
about to expire. And it auto-renewed this weekend, which was great.

But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the files I
see are very old (the MasterCRL.bin file is dated 28 june 2013), and on the
kdc02 it is newer (July 2 2013).

Am I looking at the wrong urls? How can I check that the crl is ok?

Thanks in advance for your tips.

--
Groeten,
natxo
Re: [Freeipa-users] mastercrl.bin very old
On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the files
> I see are very old (the MasterCRL.bin file is dated 28 june 2013), and on
> the kdc02 it is newer (July 2 2013).

on 28 June 2013 I patched the kdc01:

Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686

and the kdc02 a few days later:

Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686

So that explains the dates, but why did it stop the publication of crls?

--
Groeten,
natxo
Re: [Freeipa-users] mastercrl.bin very old
Natxo Asenjo wrote:
> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
>> files I see are very old (the MasterCRL.bin file is dated 28 june 2013),
>> and on the kdc02 it is newer (July 2 2013).
>
> on 28 June 2013 I patched the kdc01:
>
> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>
> and the kdc02 a few days later:
>
> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>
> So that explains the dates, but why did it stop the publication of crls?

I'd suggest looking in /var/log/ipaupgrade.log for those dates to see what
happened. I'm guessing that both were deemed to not be the CRL generator so
generation was stopped on both.

See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable one of
the masters to do the CRL generation.

rob
Re: [Freeipa-users] mastercrl.bin very old
On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote:
> Natxo Asenjo wrote:
>> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
>>> files I see are very old (the MasterCRL.bin file is dated 28 june 2013),
>>> and on the kdc02 it is newer (July 2 2013).
>>
>> on 28 June 2013 I patched the kdc01:
>>
>> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>
>> and the kdc02 a few days later:
>>
>> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>
>> So that explains the dates, but why did it stop the publication of crls?
>
> I'd suggest looking in /var/log/ipaupgrade.log for those dates to see what
> happened. I'm guessing that both were deemed to not be the CRL generator so
> generation was stopped on both.
>
> See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable one
> of the masters to do the CRL generation.

I was just looking at that article and wondering if that would not be the
culprit. I will post an update later.

Thanks!

--
Groeten,
natxo
Re: [Freeipa-users] mastercrl.bin very old
On Mon, Oct 13, 2014 at 8:17 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
> On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden rcrit...@redhat.com wrote:
>> Natxo Asenjo wrote:
>>> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo natxo.ase...@gmail.com wrote:
>>>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
>>>> files I see are very old (the MasterCRL.bin file is dated 28 june
>>>> 2013), and on the kdc02 it is newer (July 2 2013).
>>>
>>> on 28 June 2013 I patched the kdc01:
>>>
>>> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>>
>>> and the kdc02 a few days later:
>>>
>>> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>>
>>> So that explains the dates, but why did it stop the publication of crls?
>>
>> I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
>> what happened. I'm guessing that both were deemed to not be the CRL
>> generator so generation was stopped on both.
>>
>> See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
>> one of the masters to do the CRL generation.
>
> I was just looking at that article and wondering if that would not be the
> culprit. I will post an update later.

ok, so I added on the CRL generator (kdc01) this to CS.cfg :

ca.listenToCloneModifications=true

and rebooted, and on the kdc02 (the second replica, not holding the CRL
generator) I removed the comment on the rewrite rule, restarted apache2 and
now when getting /ipa/crl/MasterCRL.bin clients get redirected to
https://kdc01.domain.tld/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL

And this crl is up to date:

$ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout -lastupdate
lastUpdate=Oct 13 19:00:00 2014 GMT
$ openssl crl -inform DER -in Downloads/MasterCRL.crl -noout -nextupdate
nextUpdate=Oct 13 23:00:00 2014 GMT

But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I still
get the old crl dated june 28th last year. Should I modify ipa-pki-proxy.conf
as well on the CRL generator host to point to the
/ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL as well?

--
Groeten,
natxo
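Added example, not from the thread: a freshness check built on the same openssl crl -lastupdate / -nextupdate output used in the message above, which flags a CRL whose nextUpdate has passed instead of leaving a stale /ipa/crl/MasterCRL.bin unnoticed for over a year. The 240-minute grace period is the default ca.crl.MasterCRL.autoUpdateInterval Rob mentions in this thread; the June 2013 sample output is constructed, the October 2014 one is the output quoted above.

```python
"""Freshness check for a published FreeIPA CRL (added example, not from the thread).
Consumes the text printed by the openssl command used above:
  openssl crl -inform DER -in MasterCRL.bin -noout -lastupdate -nextupdate
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# Dogtag's default ca.crl.MasterCRL.autoUpdateInterval is 240 minutes.
AUTO_UPDATE_INTERVAL = timedelta(minutes=240)
_OPENSSL_TIME = "%b %d %H:%M:%S %Y GMT"

def parse_openssl_time(value):
    """'Oct 13 19:00:00 2014 GMT' -> aware UTC datetime. openssl pads
    single-digit days with a second space; collapse runs of spaces first."""
    value = " ".join(value.split())
    return datetime.strptime(value, _OPENSSL_TIME).replace(tzinfo=timezone.utc)

def parse_crl_dates(openssl_output):
    """Pull lastUpdate and nextUpdate out of the openssl output."""
    dates = {}
    for line in openssl_output.splitlines():
        m = re.match(r"\s*(lastUpdate|nextUpdate)=(.+)$", line)
        if m:
            dates[m.group(1)] = parse_openssl_time(m.group(2))
    if len(dates) != 2:
        raise ValueError("openssl output lacks lastUpdate/nextUpdate")
    return dates["lastUpdate"], dates["nextUpdate"]

def crl_status(openssl_output, now=None, grace=AUTO_UPDATE_INTERVAL):
    """Classify the CRL relative to `now` (aware UTC; defaults to the clock).
    'ok': nextUpdate still ahead. 'late': nextUpdate passed less than one update
    interval ago (the CA may simply not have run yet). 'expired': older than
    that; relying parties reject it and publishing is almost certainly broken.
    Returns (status, age) with age = now - lastUpdate."""
    if now is None:
        now = datetime.now(timezone.utc)
    last, nxt = parse_crl_dates(openssl_output)
    if now < nxt:
        status = "ok"
    elif now < nxt + grace:
        status = "late"
    else:
        status = "expired"
    return status, now - last

def crl_status_from_file(path, now=None):
    """Run openssl on a DER CRL such as /var/lib/ipa/pki-ca/publish/MasterCRL.bin."""
    out = subprocess.run(
        ["openssl", "crl", "-inform", "DER", "-in", path, "-noout",
         "-lastupdate", "-nextupdate"],
        check=True, capture_output=True, text=True).stdout
    return crl_status(out, now)

# The output natxo quoted on 13 Oct 2014, and a constructed sample standing in
# for the June 2013 CRL that kdc01 kept serving from /ipa/crl/MasterCRL.bin.
FRESH_OUTPUT = "lastUpdate=Oct 13 19:00:00 2014 GMT\nnextUpdate=Oct 13 23:00:00 2014 GMT\n"
STALE_OUTPUT = "lastUpdate=Jun 28 21:00:00 2013 GMT\nnextUpdate=Jun 29 01:00:00 2013 GMT\n"

if __name__ == "__main__":
    checked_at = parse_openssl_time("Nov  5 21:00:00 2014 GMT")
    for label, out in (("redirected CRL", FRESH_OUTPUT), ("kdc01 file", STALE_OUTPUT)):
        status, age = crl_status(out, checked_at)
        print(f"{label}: {status}, lastUpdate {age.days} days ago")
```

Run crl_status_from_file against the file Apache actually serves on each master, not only against the CA's getCRL endpoint, since in this thread the endpoint was current while the published file was not.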