RHEL-30280

ipa-crlgen-manage should unset ca.certStatusUpdateInterval on enable

    • Bug
    • Resolution: Unresolved
    • Undefined
    • None
    • rhel-8.9.0
    • ipa
    • Major
    • sst_idm_ipa
    • ssg_idm
    • 3
    • False
    • Red Hat Enterprise Linux
    • 2024-Q2-Bravo-S1, 2024-Q2-Bravo-S2, 2024-Q2-Bravo-S3
    • Unspecified

      What were you trying to do that didn't work?

      I've got an IPA domain with three servers. All three IPA servers have the CA server role.

      I've recently revoked two certificates, but their serial numbers are not present in the CA's certificate revocation list (CRL).

      Upstream mailing list thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/DL3HTLSR446OAMM5HT5RUQMIL4DHNXOE/

      Please provide the package NVR for which bug is seen:

      idm-pki-ca-10.14.3-1.module+el8.8.0+18059+6d4394a9.noarch

      How reproducible:

      Ongoing on my domain.

      Steps to reproduce

      1. On the current CRL generation server, examine the current CRL with:

        openssl crl -in /var/lib/ipa/pki-ca/publish/MasterCRL.bin -inform der -noout -text

      2. Note the last/next update dates indicate the CRL is freshly generated

      Expected results

      The serial numbers of the revoked (but not expired) certificates should be listed.

      Actual results

      The serial numbers of the revoked (but not expired) certificates are not listed.

      There is one serial number listed of a certificate that expired in July 2022.

            rhn-engineering-rcrit Rob Crittenden
            staticyrro7 Sam Morris
            Florence Renaud
            IPA QE Bot
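An added example, not part of the original report or of FreeIPA: a Python check that parses the text printed by the `openssl crl ... -noout -text` command from step 1 and flags a CRL that is inside its Last Update/Next Update window yet omits serial numbers known to be revoked. The sample output, the serial numbers and the function names are constructed for illustration; openssl prints CRL serials in hex, so they are compared as integers.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `openssl crl -inform der -noout -text` output (not from the report).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE.TEST, CN = Certificate Authority
        Last Update: Mar 25 12:00:00 2024 GMT
        Next Update: Mar 25 16:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 0B
        Revocation Date: Jul  1 10:00:00 2022 GMT
"""

DATE_FMT = "%b %d %H:%M:%S %Y GMT"  # timestamp layout used in openssl's text output


def parse_crl_text(text):
    """Return (last_update, next_update, revoked serials as a set of ints)."""
    def stamp(label):
        m = re.search(rf"^[ \t]*{label}:[ \t]*(.+?)[ \t]*$", text, re.M)
        if m is None:
            raise ValueError(f"{label} not found in CRL text")
        return datetime.strptime(m.group(1), DATE_FMT).replace(tzinfo=timezone.utc)
    # openssl prints each revoked serial in hex without a 0x prefix.
    found = re.findall(r"^[ \t]*Serial Number:[ \t]*([0-9A-Fa-f]+)[ \t]*$", text, re.M)
    return stamp("Last Update"), stamp("Next Update"), {int(s, 16) for s in found}


def check_crl(text, expected_revoked, now):
    """Report serials known to be revoked that a currently valid CRL does not list."""
    last, nxt, listed = parse_crl_text(text)
    fresh = last <= now < nxt
    missing = sorted(set(expected_revoked) - listed)
    # stale_content: the CRL is being regenerated on schedule, but revocations are absent.
    return {"fresh": fresh, "missing": missing, "stale_content": fresh and bool(missing)}
```

Pass the revoked serials as integers (IPA tools usually show them in decimal) and `datetime.now(timezone.utc)` as `now` when running this against real output.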