It looks like my CRL renewal master (RHEL 8) is not producing the CRL correctly.
I've got two certificates that were requested by certmonger running on an ipa client. I'm pretty sure I revoked them as an admin logged into a second ipa client. Status of all replication agreements on all ipa servers is green. The CRL renewal master knows the certificates were issued & revoked:

    $ ipa cert-find --validnotbefore-from=2024-03-14 --status=REVOKED
    ----------------------
    2 certificates matched
    ----------------------
      Issuing CA: ipa
      Subject: CN=myhost.example.com,O=EXAMPLE.COM
      Issuer: CN=Certificate Authority,O=EXAMPLE.COM
      Not Before: Thu Mar 14 20:29:31 2024 UTC
      Not After: Wed Jul 17 20:29:31 2024 UTC
      Serial number: 1342111806
      Serial number (hex): 0x4FFF003E
      Status: REVOKED
      Revoked: True

      Issuing CA: ipa
      Subject: CN=myhost.example.com,O=EXAMPLE.COM
      Issuer: CN=Certificate Authority,O=EXAMPLE.COM
      Not Before: Thu Mar 14 20:35:03 2024 UTC
      Not After: Wed Jul 17 20:35:03 2024 UTC
      Serial number: 1342111807
      Serial number (hex): 0x4FFF003F
      Status: REVOKED
      Revoked: True
    ----------------------------
    Number of entries returned 2
    ----------------------------

* Both certificates are revoked
* Both certificates have 'not after' dates in the future.

But looking at the current CRL:

    $ openssl crl -in /var/lib/ipa/pki-ca/publish/MasterCRL.bin -inform der -noout -text
    Certificate Revocation List (CRL):
            Version 2 (0x1)
            Signature Algorithm: sha256WithRSAEncryption
            Issuer: O = EXAMPLE.COM, CN = Certificate Authority
            Last Update: Mar 23 13:18:45 2024 GMT
            Next Update: Mar 23 17:00:00 2024 GMT
            CRL extensions:
                X509v3 Authority Key Identifier:
                    keyid:1B:89:B8:D6:6F:4D:41:C1:BD:47:A3:9B:21:36:8C:71:10:59:8C:A6
                X509v3 CRL Number:
                    10526
    Revoked Certificates:
        Serial Number: 2FFE002B
            Revocation Date: May 19 17:01:12 2022 GMT
            CRL entry extensions:
                X509v3 CRL Reason Code:
                    Key Compromise
        Signature Algorithm: sha256WithRSAEncryption
             0f:2f:59:9b:9c:1c:ac:fd:6a:e5:d7:87:94:97:e3:a8:cf:07:
             fe:86:8b:4e:a6:37:dc:76:c1:ef:f3:69:9e:e3:5c:8a:dd:12:
             cb:fa:4a:97:21:ae:fa:ee:91:bb:37:9e:cb:bb:49:10:58:95:
             bd:24:98:df:a1:45:90:b3:f1:51:af:2b:c9:cb:c3:89:23:a8:
             f5:8d:3f:d4:4e:4b:a6:ef:d6:96:94:36:da:a1:0c:ab:32:27:
             85:24:0d:9c:52:17:17:4d:ae:3a:83:59:39:a9:08:33:7d:f4:
             05:74:e3:7d:1e:df:8e:f8:4c:c0:fd:7f:8b:a2:b4:0a:a2:fc:
             57:9b:00:c2:29:9e:74:0f:c2:4a:0e:5c:e6:f0:1e:ff:71:a9:
             f9:cb:a1:6f:b4:48:16:59:42:78:2a:38:1d:14:b7:d3:58:cb:
             21:ad:61:bb:c9:20:e6:c2:39:97:bf:a6:f8:fe:26:32:51:eb:
             67:b4:0c:b9:ea:96:ea:b0:66:cf:7c:73:74:69:fc:08:d9:a7:
             13:23:34:3e:a6:f1:b3:0d:0f:54:46:22:71:6c:16:81:a8:97:
             79:c5:a0:20:03:5d:51:d7:fb:25:33:3b:7a:55:59:dd:a6:cb:
             3e:00:1d:2a:c7:a3:7a:8b:3b:1f:d9:36:23:c5:c3:f4:ff:14:
             86:0b:61:fc

* The CRL was just generated a few minutes ago
* The two revoked certificates are not present
* The certificate that is present in the list expired in July 2022, according to 'ipa cert-show 0x2FFE002B'

To force CRL generation I'm running:

    $ curl https://$HOSTNAME:8443/ca/agent/ca/updateCRL --cert /var/lib/ipa/ra-agent.pem --key /var/lib/ipa/ra-agent.key

Nothing suspicious shows up in Dogtag's logs:

    ==> /var/log/pki/pki-tomcat/ca/debug.2024-03-23.log <==
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: Getting SSL client certificate.
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: CertUserDBAuthentication: UID ipara authenticated.
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: UGSubsystem: retrieving user uid=ipara,ou=People,o=ipaca
    2024-03-23 13:42:12 [https-jsse-nio-8443-exec-6] INFO: AAclAuthz: Granting update permission for certServer.ca.crl
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CRLIssuingPoint: Updating MasterCRL
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CASigningUnit: Getting algorithm context for SHA256withRSA RSASignatureWithSHA256Digest
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CASigningUnit: Signing Certificate
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CRLReposiotry: Updating CRL issuing point record
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: LDAPSession: Modifying LDAP entry cn=MasterCRL,ou=crlIssuingPoints,ou=ca,o=ipaca
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: Getting crl publishing rules
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapXCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCaCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: FileCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: true
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   type: crl
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   predicate: null
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapUserCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing CRL 10529 to MasterCRL
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: Getting crl publishing rules
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapXCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCaCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: FileCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: true
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   type: crl
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   predicate: null
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapUserCertRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor: - name: LdapCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: PublisherProcessor:   enabled: false
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing rules:
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: - rule: FileCrlRule
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor:   mapper: NoMap
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Publishing to CN=Certificate Authority,O=EXAMPLE.COM
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: - publisher: FileBaseCRLPublisher
    2024-03-23 13:42:12 [CRLIssuingPoint-MasterCRL] INFO: CAPublisherProcessor: Published CRL

    ==> /var/log/pki/pki-tomcat/ca/signedAudit/ca_audit <==
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ACCESS_SESSION_ESTABLISH][ClientIP=--][ServerIP=--][SubjectID=CN=IPA RA,O=EXAMPLE.COM][Outcome=Success] access session establish success
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=AUTH][SubjectID=ipara][Outcome=Success][AuthMgr=certUserDBAuthMgr] authentication success
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=AUTHZ][SubjectID=ipara][Outcome=Success][aclResource=certServer.ca.crl][Op=update] authorization success
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ROLE_ASSUME][SubjectID=ipara][Outcome=Success][Role=Certificate Manager Agents, Registration Manager Agents, Security Domain Administrators, Enterprise ACME Administrators] assume privileged role
    0.https-jsse-nio-8443-exec-6 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=SCHEDULE_CRL_GENERATION][SubjectID=ipara][Outcome=Success] schedule for CRL generation
    0.https-jsse-nio-8443-exec-7 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=--][ServerIP=--][SubjectID=--][Outcome=Success][Info=serverAlertReceived: CLOSE_NOTIFY] access session terminated
    0.https-jsse-nio-8443-exec-7 - [23/Mar/2024:13:42:12 UTC] [14] [6] [AuditEvent=ACCESS_SESSION_TERMINATED][ClientIP=--][ServerIP=--][SubjectID=--][Outcome=Success][Info=serverAlertSent: CLOSE_NOTIFY] access session terminated

This may be related to <https://pagure.io/freeipa/issue/9505>. I've not had the chance to test revocation on an ipa server yet. Any other debugging I can do, just let me know.
-- 
Sam Morris <https://robots.org.uk/>
CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
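The comparison the post does by eye (revoked-and-unexpired serials from `ipa cert-find` versus the serials listed in `openssl crl -text`) can be scripted so the check is repeatable after each forced regeneration. This is an added example, not code from the post or from FreeIPA/Dogtag; the two sample outputs are constructed (trimmed copies of the formats shown above), and the serial normalisation assumes only that both tools print hex serials, one with and one without a `0x` prefix.

```python
import re
from datetime import datetime

# Constructed sample of `ipa cert-find --status=REVOKED` output (both unexpired).
IPA_CERT_FIND = """\
Issuing CA: ipa
Not After: Wed Jul 17 20:29:31 2024 UTC
Serial number (hex): 0x4FFF003E
Status: REVOKED
Issuing CA: ipa
Not After: Wed Jul 17 20:35:03 2024 UTC
Serial number (hex): 0x4FFF003F
Status: REVOKED
"""
# Constructed sample of `openssl crl -text -noout` output (only a stale entry).
OPENSSL_CRL = """\
Certificate Revocation List (CRL):
    Next Update: Mar 23 17:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 2FFE002B
        Revocation Date: May 19 17:01:12 2022 GMT
"""

def norm(serial):
    """Upper-case hex without 0x prefix or leading zeros, so both tools agree."""
    s = serial.strip().lower()
    s = s[2:] if s.startswith("0x") else s
    return s.lstrip("0").upper() or "0"

def parse_ipa_revoked(text):
    """Map serial -> 'Not After' (naive UTC datetime) for every REVOKED entry."""
    out = {}
    for block in re.split(r"(?=^Issuing CA:)", text, flags=re.M):
        ser = re.search(r"^Serial number \(hex\): (\S+)", block, re.M)
        exp = re.search(r"^Not After: (.+) UTC$", block, re.M)
        status = re.search(r"^Status: (\S+)", block, re.M)
        if ser and exp and status and status.group(1) == "REVOKED":
            out[norm(ser.group(1))] = datetime.strptime(exp.group(1), "%a %b %d %H:%M:%S %Y")
    return out

def parse_crl_serials(text):
    """Serials listed under 'Revoked Certificates' in openssl's text dump."""
    return {norm(m) for m in re.findall(r"^\s*Serial Number: (\S+)", text, re.M)}

def missing_from_crl(ipa_text, crl_text, now_utc):
    """Serials IPA reports revoked and unexpired at now_utc (ISO 8601) but the CRL omits."""
    now = datetime.fromisoformat(now_utc)
    in_crl = parse_crl_serials(crl_text)
    return sorted(s for s, exp in parse_ipa_revoked(ipa_text).items()
                  if exp > now and s not in in_crl)
```

On a live server, feed it the real output of the two commands from the post and the current time; a non-empty result means the published CRL is behind the CA's revocation records, which is exactly the state relying parties cannot detect on their own.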