hi,

On Wed, Nov 5, 2014 at 9:39 AM, Martin Kosek wrote:
> On 11/04/2014 01:39 PM, Natxo Asenjo wrote:
>> hi,
>>
>> On Mon, Nov 3, 2014 at 5:21 PM, Rob Crittenden wrote:
>>> Natxo Asenjo wrote:
>>
>>>> How often does the crl list get generated? I still do not see recent data.
>>>
>>> This is controlled by ca.crl.MasterCRL.autoUpdateInterval which by
>>> default is 240, so every 4 hours.
>>
>> mmm, still no new items in the https://kdc01.sub.domain.tld/ipa/crl/
>> site. Everything is stuck on June 28 2013.
>
> I would check PKI system logs and also look for any AVCs. There were SELinux
> policy related bugs in the past which prevented creation of the CRLs in
> /var/lib/ipa/pki-ca/publish/.

Bingo!

After disabling selinux this morning and waiting a few hours the crl was
still not updated. So time to look at the logs.

In /var/lib/pki-ca/logs/system I found lots of these messages:

sterCRL-20141101-210000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-010000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:05:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-050000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-090000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:13:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-130000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:17:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-170000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:21:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-210000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:01:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-010000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:05:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-050000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [03/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141103-090000.temp (Permission denied)

Now I still need to find the solution :-)

It does not appear to be a selinux problem:

# restorecon -rv /var/lib/ipa/pki-ca/publish/

returns immediately to the prompt, so no fixed contexts.

Thanks,
--
Groeten,
natxo
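
An added example, not part of the original message: a small parser for the FileBasedPublisher errors quoted above that reports which directory is failing and whether the failures line up with the 240-minute autoUpdateInterval mentioned in the thread. The function names and the sample log are constructed for illustration, and the time zone label in the timestamp is ignored.

```python
import posixpath
import re
from datetime import datetime, timedelta

# Constructed sample in the format of the PKI system log quoted in the message.
SAMPLE_LOG = """\
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-010000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:01:00:01 CET] [3] [3] constructed unrelated message
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:05:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-050000.temp (Permission denied)
6489.CRLIssuingPoint-MasterCRL - [02/Nov/2014:09:00:00 CET] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20141102-090000.temp (Permission denied)
"""

LINE_RE = re.compile(
    r"CRLIssuingPoint-(?P<point>\S+) - \[(?P<ts>[^\] ]+)(?: \w+)?\] .*?"
    r"FileBasedPublisher: java\.io\.FileNotFoundException: "
    r"(?P<path>\S+) \((?P<reason>[^)]+)\)"
)

def parse_failures(log_text):
    """Return sorted (timestamp, issuing point, path, reason) per publish failure."""
    failures = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S")
            failures.append((ts, m["point"], m["path"], m["reason"]))
    return sorted(failures)

def missed_every_cycle(failures, interval_minutes=240):
    """True if consecutive failures are exactly one update interval apart,
    meaning every scheduled publication in that window failed."""
    step = timedelta(minutes=interval_minutes)
    times = [f[0] for f in failures]
    return len(times) > 1 and all(b - a == step for a, b in zip(times, times[1:]))

def summarize(failures):
    """Collapse the failures into the facts needed to pick the next check."""
    return {
        "count": len(failures),
        "first": failures[0][0] if failures else None,
        "last": failures[-1][0] if failures else None,
        "directories": sorted({posixpath.dirname(f[2]) for f in failures}),
        "reasons": sorted({f[3] for f in failures}),
    }

if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    print(summarize(found), "every cycle failed:", missed_every_cycle(found))
```
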
