On 23/03/2024 13:48, Sam Morris via FreeIPA-users wrote:
It looks like my CRL renewal master (RHEL 8) is not producing the CRL correctly.
This was because it had "ca.certStatusUpdateInterval=0" set in /etc/pki/pki-tomcat/ca/CS.cfg - ouch.
I think I got into this state when I decommissioned a previous IPA server that was the CRL generator. This is described at two different places in the documentation, and one of them doesn't mention that ca.certStatusUpdateInterval should be changed to be unset when enabling CRL generation on a server. See https://issues.redhat.com/browse/RHEL-30280?focusedId=24411869&page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#comment-24411869 for the details.
-- 
Sam Morris <https://robots.org.uk/>
CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
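
A check for the state described in the message above, as an added example that is not part of the original post or of FreeIPA itself. It assumes that ca.crl.MasterCRL.enableCRLUpdates=true in CS.cfg identifies the CRL generator; the function names and exit codes are made up for this sketch, and the sample file it writes when run without an argument is constructed.

```sh
#!/bin/sh
# Added example, not from the original message.
# Assumption: ca.crl.MasterCRL.enableCRLUpdates=true marks the CRL generator.

# cfg_get FILE KEY: print the value of the last "KEY=value" line; fail if absent.
cfg_get() {
    awk -v key="$2" '
        index($0, key "=") == 1 {
            val = substr($0, length(key) + 2)
            sub(/[ \t\r]+$/, "", val)   # tolerate trailing blanks / CRLF
            found = 1
        }
        END { if (!found) exit 1; print val }
    ' "$1"
}

# check_crl_cfg FILE: 0 = no conflict, 1 = CRL updates on but
# ca.certStatusUpdateInterval=0, 2 = file not readable.
check_crl_cfg() {
    cfg=$1
    [ -r "$cfg" ] || { echo "cannot read $cfg" >&2; return 2; }
    updates=$(cfg_get "$cfg" ca.crl.MasterCRL.enableCRLUpdates) || updates=unset
    interval=$(cfg_get "$cfg" ca.certStatusUpdateInterval) || interval=unset
    echo "enableCRLUpdates=$updates certStatusUpdateInterval=$interval"
    if [ "$updates" = true ] && [ "$interval" = 0 ]; then
        echo "WARN: CRL updates enabled but ca.certStatusUpdateInterval=0;" \
             "remove the setting on the CRL generator" >&2
        return 1
    fi
    return 0
}

if [ "$#" -gt 0 ]; then
    # e.g. /etc/pki/pki-tomcat/ca/CS.cfg on the server being checked
    check_crl_cfg "$1"
else
    # Constructed sample reproducing the reported state.
    sample=$(mktemp)
    printf '%s\n' 'ca.crl.MasterCRL.enableCRLUpdates=true' \
                  'ca.certStatusUpdateInterval=0' > "$sample"
    check_crl_cfg "$sample" || echo "exit status: $?"
    rm -f "$sample"
fi
```

Run it on each CA replica after moving CRL generation; only the server that generates the CRL should report enableCRLUpdates=true, and it should show certStatusUpdateInterval=unset.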