On Mon, Oct 13, 2014 at 7:53 PM, Rob Crittenden <[email protected]> wrote:
> Natxo Asenjo wrote:
>> On Mon, Oct 13, 2014 at 4:27 PM, Natxo Asenjo <[email protected]> wrote:
>>> But if I go to the CRL URL (http://kdc01.domain.tld/ipa.crl ) all the
>>> files I see are very old (the MasterCRL.bin file is dated 28 June
>>> 2013), and on the kdc02 it is newer (July 2 2013).
>>
>> On 28 June 2013 I patched the kdc01:
>>
>> Jun 28 23:17:30 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>
>> and the kdc02 a few days later:
>>
>> Jul 02 15:21:51 Updated: ipa-server-3.0.0-26.el6_4.4.i686
>>
>> So that explains the dates, but why did it stop the publication of CRLs?
>>
>
> I'd suggest looking in /var/log/ipaupgrade.log for those dates to see
> what happened.
>
> I'm guessing that both were deemed to not be the CRL generator so
> generation was stopped on both.
>
> See http://www.freeipa.org/page/CVE-2012-4546 step 2 for how to enable
> one of the masters to do the CRL generation.
I was just looking at that article and wondering if that would not be the culprit. I will post an update later. Thanks!

-- 
Groeten,
natxo
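A small check for the situation described in this thread, added here as an example and not code from the list or from FreeIPA: it takes the output of `openssl crl -inform DER -noout -lastupdate -nextupdate` run over each master's MasterCRL.bin and reports which masters publish an expired CRL and which one holds the newest, so that "no master is generating" is caught before clients fail revocation checks. The fetch URL, the four-hour validity window and the sample output below are assumptions, constructed to match the dates reported in the thread.

```python
"""Report stale CRLs across IPA masters from `openssl crl` output.

Assumed workflow (not from the thread):
  curl -s http://<master>/<crl path>/MasterCRL.bin \
    | openssl crl -inform DER -noout -lastupdate -nextupdate
The text each master prints is passed to crl_status() below.
"""
from datetime import datetime, timezone

# Date layout printed by `openssl crl`, e.g. "Jun 28 21:17:30 2013 GMT"
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"


def parse_openssl_date(value):
    """Turn an openssl date string into an aware UTC datetime."""
    normalized = " ".join(value.split())  # openssl pads single-digit days
    return datetime.strptime(normalized, OPENSSL_DATE).replace(tzinfo=timezone.utc)


def parse_crl_dates(openssl_output):
    """Extract lastUpdate/nextUpdate from `openssl crl -noout ...` output."""
    dates = {}
    for line in openssl_output.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key in ("lastUpdate", "nextUpdate"):
            dates[key] = parse_openssl_date(value)
    if "lastUpdate" not in dates or "nextUpdate" not in dates:
        raise ValueError("openssl output lacks lastUpdate/nextUpdate")
    return dates


def crl_status(openssl_by_master, now):
    """Return ({master: 'current'|'expired'}, master with newest lastUpdate).

    If every master reports 'expired', no master is acting as CRL
    generator, which is the symptom Rob describes in the thread."""
    status, newest = {}, None
    for master, text in openssl_by_master.items():
        dates = parse_crl_dates(text)
        status[master] = "current" if dates["nextUpdate"] > now else "expired"
        if newest is None or dates["lastUpdate"] > newest[1]:
            newest = (master, dates["lastUpdate"])
    return status, newest[0]


# Constructed sample output; lastUpdate matches the upgrade times in the thread.
SAMPLE = {
    "kdc01": "lastUpdate=Jun 28 21:17:30 2013 GMT\nnextUpdate=Jun 29 01:17:30 2013 GMT\n",
    "kdc02": "lastUpdate=Jul  2 13:21:51 2013 GMT\nnextUpdate=Jul  2 17:21:51 2013 GMT\n",
}

if __name__ == "__main__":
    status, newest = crl_status(SAMPLE, datetime.now(timezone.utc))
    print(status, "newest CRL from", newest)
```

Run against the real masters, an "expired" verdict on every host is the cue to follow step 2 of the CVE-2012-4546 page Rob links and re-enable CRL generation on exactly one of them.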
