hi, I have been really busy, apologies for the delay in answering.
On Wed, Oct 22, 2014 at 5:39 PM, Rob Crittenden <[email protected]> wrote:
> Natxo Asenjo wrote:
>> On Mon, Oct 13, 2014 at 9:39 PM, Natxo Asenjo <[email protected]> wrote:
>>> But if I get it from the crl generator using /ipa/crl/MasterCRL.bin I
>>> still get the old crl dated june 28th last year.
>>>
>>> Should I modify ipa-pki-proxy.conf as well on the CRL generator host
>>> to point to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL
>>> as well?
>>
>> This morning the /ipa/crl dir still had the lists of 28th June 2013 in
>> the crl generator host. In my test environment running centos 7 the
>> files get updated, so I think a process is not running. But which one?
>>
>> Going to the /ca/ee/ca/getCRL?op=getCRL&crlIssuingPoint=MasterCRL gives me the up to date CRL.
>>
>> --
>> Groeten,
>> natxo
>>
>
> To enable CRL generation you need these set:
>
> ca.crl.MasterCRL.enableCRLCache=false
> ca.crl.MasterCRL.enableCRLUpdates=false

ok, this is in the host holding the CRL, right? (in my case kdc01, the first one). I followed the guide in http://www.freeipa.org/page/CVE-2012-4546 where in point 2a of manual instructions you can read true. I have changed that now to false and restarted the pki-cad daemon.

> Given that the CA seems to be generating a new CRL that you can fetch
> directly I'll assume those are set.
> The CA also needs configuration on how/where to publish a file-based
> CRL. The configuration should look like:
>
> ca.publish.publisher.instance.FileBaseCRLPublisher.crlLinkExt=bin
> ca.publish.publisher.instance.FileBaseCRLPublisher.directory=/var/lib/ipa/pki-ca/publish
> ca.publish.publisher.instance.FileBaseCRLPublisher.latestCrlLink=true
> ca.publish.publisher.instance.FileBaseCRLPublisher.pluginName=FileBasedPublisher
> ca.publish.publisher.instance.FileBaseCRLPublisher.timeStamp=LocalTime
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipCRLs=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.zipLevel=9
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.b64=false
> ca.publish.publisher.instance.FileBaseCRLPublisher.Filename.der=true
> ca.publish.rule.instance.FileCrlRule.publisher=FileBaseCRLPublisher

These values are correct. How often does the crl list get generated? I still do not see recent data.

Thanks!

--
Groeten,
natxo

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
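As an added check (not from the thread and not FreeIPA or Dogtag code): a small Python script that reads thisUpdate/nextUpdate straight out of a DER CRL such as the published MasterCRL.bin, so a monitor can flag a CRL that has gone stale the way the June 2013 list above did. The two sample CRLs are constructed in the script with a dummy signature; the issuer name and the 2013/2099 dates are assumptions for the demonstration.

```python
from datetime import datetime, timezone

def _tlv(buf, pos):
    """Decode one DER TLV at buf[pos] -> (tag, value bytes, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = number of length octets
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _time(tag, value):
    """Decode an ASN.1 Time: UTCTime (0x17, YYMMDD...) or GeneralizedTime (0x18, YYYYMMDD...)."""
    fmt = {0x17: "%y%m%d%H%M%SZ", 0x18: "%Y%m%d%H%M%SZ"}[tag]
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)

def crl_validity(der):
    """Return (thisUpdate, nextUpdate) of a DER CertificateList; nextUpdate may be None."""
    _, cert_list, _ = _tlv(der, 0)                 # CertificateList SEQUENCE
    _, tbs, _ = _tlv(cert_list, 0)                 # tbsCertList SEQUENCE
    tag, _, pos = _tlv(tbs, 0)                     # optional version INTEGER, else the signature AlgId
    if tag == 0x02:
        _, _, pos = _tlv(tbs, pos)                 # signature AlgorithmIdentifier
    _, _, pos = _tlv(tbs, pos)                     # issuer Name
    tag, val, pos = _tlv(tbs, pos)                 # thisUpdate
    this_update, next_update = _time(tag, val), None
    if pos < len(tbs):
        tag, val, _ = _tlv(tbs, pos)               # nextUpdate is OPTIONAL; revokedCertificates is 0x30
        if tag in (0x17, 0x18):
            next_update = _time(tag, val)
    return this_update, next_update

def crl_is_stale(der, now=None):
    """True when the CRL carries no nextUpdate or its nextUpdate has already passed."""
    now = now or datetime.now(timezone.utc)
    next_update = crl_validity(der)[1]
    return next_update is None or next_update <= now

def _der(tag, content):                            # DER TLV encoder; short-form length suffices here
    return bytes([tag, len(content)]) + content

# Constructed sample CRLs (not real FreeIPA output): v2, sha256WithRSAEncryption, issuer CN=Example CA,
# dummy signature. STALE_CRL mirrors the June 28th 2013 list from the thread; FRESH_CRL runs to 2099.
_ALG = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
_ISSUER = _der(0x30, _der(0x31, _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0c, b"Example CA"))))
def _sample(this_update, next_update):
    tbs = _der(0x30, _der(0x02, b"\x01") + _ALG + _ISSUER + this_update + next_update)
    return _der(0x30, tbs + _ALG + _der(0x03, b"\x00" + b"\xaa" * 32))

STALE_CRL = _sample(_der(0x17, b"130628120000Z"), _der(0x17, b"130702120000Z"))
FRESH_CRL = _sample(_der(0x18, b"20241022153900Z"), _der(0x18, b"20990101000000Z"))
```

Point `crl_is_stale` at the bytes of the file under the publish directory (or at what the getCRL URL returns) and compare the two; a fresh CRL from the CA next to a stale file on disk is the publisher side of the configuration, not CRL generation itself.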
