Natxo Asenjo wrote:

> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo <[email protected]> wrote:
>> But if I go to the crl url (http://kdc01.domain.tld/ipa.crl ) all the
>> files I see are very old (the MasterCRL.bin file is dated 28 june
>> 2013), and on the kdc02 it is newer (July 2 2013).
>
> on 28 June 2013 I patched the kdc01:
>
> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>
> and the kdc02 a few days later:
>
> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>
> So that explains the dates, but why did it stop the publication of crls?
>
I'd suggest looking in /var/log/ipaupgrade.log for those dates to see what happened. I'm guessing that both were deemed to not be the CRL generator so generation was stopped on both.

See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable one of the masters to do the CRL generation.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
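A quick way to catch this situation before clients do is to check whether the CRL each master publishes is past its nextUpdate. The script below is an added example for this thread, not FreeIPA's own tooling; it assumes the CRL is served at http://<master>/ipa.crl in DER form (as in the URL above), and that openssl and curl are installed.

```shell
#!/bin/sh
# Added example: flag FreeIPA masters whose published CRL has expired.
# Assumption: http://<master>/ipa.crl is the DER CRL, openssl + curl exist.

# Turn openssl's "nextUpdate=Jul  2 00:00:00 2013 GMT" into the sortable
# form "2013-07-02 00:00:00" so it can be compared to the current UTC time.
nextupdate_to_iso() {
    set -- $(printf '%s\n' "$1" | sed 's/^nextUpdate=//')
    # $1=month $2=day $3=time $4=year ($5=zone, always GMT from openssl)
    case "$1" in
        Jan) m=01;; Feb) m=02;; Mar) m=03;; Apr) m=04;; May) m=05;; Jun) m=06;;
        Jul) m=07;; Aug) m=08;; Sep) m=09;; Oct) m=10;; Nov) m=11;; Dec) m=12;;
        *) return 1;;
    esac
    printf '%s-%s-%02d %s\n' "$4" "$m" "$2" "$3"
}

# Succeed (exit 0) when the given "YYYY-MM-DD HH:MM:SS" UTC time is in the past.
iso_is_past() {
    now=$(date -u '+%Y-%m-%d %H:%M:%S')
    expr "$1" \< "$now" >/dev/null
}

# Succeed when the CRL file's nextUpdate is already behind us (DER first, PEM fallback).
crl_is_stale() {
    nu=$(openssl crl -inform DER -in "$1" -noout -nextupdate 2>/dev/null) ||
    nu=$(openssl crl -inform PEM -in "$1" -noout -nextupdate 2>/dev/null) || return 2
    iso=$(nextupdate_to_iso "$nu") || return 2
    iso_is_past "$iso"
}

# Fetch one master's CRL and report its freshness.
check_master() {
    tmp=$(mktemp) || return 2
    if ! curl -sSf "http://$1/ipa.crl" -o "$tmp"; then
        echo "$1: could not fetch /ipa.crl"; rm -f "$tmp"; return 2
    fi
    if crl_is_stale "$tmp"; then
        echo "$1: STALE CRL ($nu) - check /var/log/ipaupgrade.log and which master generates the CRL"
    else
        echo "$1: CRL current ($nu)"
    fi
    rm -f "$tmp"
}

# Usage: ./crlcheck.sh kdc01.domain.tld kdc02.domain.tld
for h in "$@"; do check_master "$h"; done
```

The hostnames in the usage line are the ones from the thread; substitute your own masters.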
