- Bug
- Resolution: Done-Errata
- Undefined
- rhel-8.9.0
- ipa-4.9.13-12.module+el8.10.0+22138+e77d88cf
- None
- Important
- 8
- rhel-sst-idm-ipa
- ssg_idm
- 3
- Dev ack
- False
- No
- Red Hat Enterprise Linux
- 2024-Q2-Bravo-S1, 2024-Q2-Bravo-S2, 2024-Q2-Bravo-S3, 2024-Q2-Bravo-S4, 2024-Q2-Bravo-S6, 2024-Q3-Bravo-S1, 2024-Q3-Bravo-S2, 2024-Q3-Bravo-S3
- Pass
- Automated
- Unspecified Release Note Type - Unknown
- Unspecified
- None
What were you trying to do that didn't work?
I've got an IPA domain with three servers. All three IPA servers have the CA server role.
I've recently revoked two certificates, but their serial numbers are not present in the CA's certificate revocation list (CRL).
Upstream mailing list thread: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org/thread/DL3HTLSR446OAMM5HT5RUQMIL4DHNXOE/
Please provide the package NVR for which bug is seen:
idm-pki-ca-10.14.3-1.module+el8.8.0+18059+6d4394a9.noarch
How reproducible:
Ongoing on my domain.
Steps to reproduce
- On the current CRL generation server, examine the current CRL with: openssl crl -in /var/lib/ipa/pki-ca/publish/MasterCRL.bin -inform der -noout -text
- Note the last/next update dates indicate the CRL is freshly generated
Expected results
The serial numbers of the revoked (but not expired) certificates should be listed.
Actual results
The serial numbers of the revoked (but not expired) certificates are not listed.
There is one serial number listed of a certificate that expired in July 2022.
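An added check (my own example, not part of the report or of the FreeIPA/Dogtag code) that parses the text dump produced by the openssl command in the reproduction steps, reports which expected revoked serials are absent, and flags whether the CRL's Next Update has already passed. The CRL text and the serial numbers are constructed; openssl prints CRL entry serials in hex, while the ipa cert commands show decimal, so the comparison is done on integers.

```python
"""Compare an IPA MasterCRL text dump against the serials expected to be revoked."""
import re
import sys
from datetime import datetime, timezone

# Constructed sample shaped like `openssl crl -in MasterCRL.bin -inform der -noout -text`
# output: a fresh CRL listing only one old entry (serial 0x0A, revoked in 2022).
SAMPLE_CRL_TEXT = """\
Certificate Revocation List (CRL):
        Version 2 (0x1)
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: O = EXAMPLE.TEST, CN = Certificate Authority
        Last Update: Jun  3 10:00:00 2024 GMT
        Next Update: Jun  3 14:00:00 2024 GMT
Revoked Certificates:
    Serial Number: 0A
        Revocation Date: Jul 12 08:00:00 2022 GMT
"""


def parse_crl_text(text):
    """Return Last/Next Update as UTC datetimes and the revoked serials as ints."""
    def utc_date(label):
        m = re.search(r"^\s*%s: (.+?) GMT\s*$" % label, text, re.M)
        if not m:
            raise ValueError("no %s line in CRL text" % label)
        stamp = " ".join(m.group(1).split())  # openssl pads single-digit days
        return datetime.strptime(stamp, "%b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

    # Entry serials are printed as hex by openssl; normalise to int so they can be
    # compared with the decimal serials shown by `ipa cert-find` / `ipa cert-show`.
    serials = {int(s.replace(":", ""), 16)
               for s in re.findall(r"^\s*Serial Number: ([0-9A-Fa-f:]+)\s*$", text, re.M)}
    return {"last_update": utc_date("Last Update"),
            "next_update": utc_date("Next Update"), "serials": serials}


def missing_serials(text, expected, now=None):
    """Return (serials expected but absent, whether the CRL is past its Next Update).

    A fresh CRL that still lacks the serials points at CRL generation on the CA;
    a stale one points at generation/publication having stopped.
    """
    crl = parse_crl_text(text)
    now = now or datetime.now(timezone.utc)
    return sorted(set(expected) - crl["serials"]), crl["next_update"] < now


if __name__ == "__main__":
    # Usage: openssl crl -in MasterCRL.bin -inform der -noout -text | python3 crlcheck.py 268369921 268369930
    absent, stale = missing_serials(sys.stdin.read(), [int(a) for a in sys.argv[1:]])
    print("missing serials:", absent, "| CRL stale:", stale)
```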
Links to: RHBA-2024:136628 idm:DL1 and idm:client bug fix update