The directory where IPA PKI publishes the CRL (/var/lib/ipa/pki-ca/publish/) gets the wrong ownership after a freeipa-server package reinstall, which leaves PKI unable to update the CRL in this directory:

/var/lib/ipa/pki-ca/publish/
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root    pkiuser 12288 May 17 04:49 .    <<< owned by pkiuser group
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der
The group ownership of /var/lib/ipa/pki-ca/publish/ changes when the freeipa-server package gets reinstalled or updated:

# yum reinstall freeipa-server
...
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root    root    12288 May 17 04:49 .    <<< owned by root
drwxr-xr-x. 3 root    root     4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser   414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser    57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der
PKI then logs errors like these:
/var/log/pki-ca/system
...
1585.CRLIssuingPoint-MasterCRL - [13/Jun/2013:21:00:00 EDT] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20130613-210000.temp (Permission denied)
1585.CRLIssuingPoint-MasterCRL - [14/Jun/2013:01:00:00 EDT] [20] [3] FileBasedPublisher: java.io.FileNotFoundException: /var/lib/ipa/pki-ca/publish/MasterCRL-20130614-010000.temp (Permission denied)
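As an added example (not from the ticket or the FreeIPA project), a small Python check that flags the FileBasedPublisher "Permission denied" errors quoted above and audits the publish directory's group ownership so the drift can be caught before the next CRL update fails. The log line format is taken from the excerpt; the `pkiuser` group name and the directory path are assumed from the listings, and the sample lines are constructed.

```python
import grp
import os
import re
import stat
from typing import List

# Matches the publisher failure line as it appears in /var/log/pki-ca/system
# (assumption: the fields before "FileBasedPublisher:" may vary between runs).
PUBLISH_ERR = re.compile(
    r"FileBasedPublisher: java\.io\.FileNotFoundException: "
    r"(?P<path>\S+) \(Permission denied\)"
)

# Constructed sample, copied from the shape of the ticket's log excerpt.
SAMPLE_LOG = [
    "1585.CRLIssuingPoint-MasterCRL - [13/Jun/2013:21:00:00 EDT] [20] [3] "
    "FileBasedPublisher: java.io.FileNotFoundException: "
    "/var/lib/ipa/pki-ca/publish/MasterCRL-20130613-210000.temp (Permission denied)",
    "1585.CRLIssuingPoint-MasterCRL - [14/Jun/2013:01:00:00 EDT] [20] [3] "
    "FileBasedPublisher: java.io.FileNotFoundException: "
    "/var/lib/ipa/pki-ca/publish/MasterCRL-20130614-010000.temp (Permission denied)",
    "1585.CRLIssuingPoint-MasterCRL - [14/Jun/2013:05:00:00 EDT] [20] [3] "
    "CRL published",  # unrelated line, must be ignored
]

def failed_publish_dirs(log_lines) -> List[str]:
    """Return the distinct directories PKI could not write a CRL into."""
    seen: List[str] = []
    for line in log_lines:
        m = PUBLISH_ERR.search(line)
        if m:
            d = os.path.dirname(m.group("path"))
            if d not in seen:
                seen.append(d)
    return seen

def audit_mode(st_mode: int, st_gid: int, expected_gid: int) -> List[str]:
    """Pure check of a directory's stat fields; empty list means no drift."""
    problems = []
    if not stat.S_ISDIR(st_mode):
        problems.append("not a directory")
    if st_gid != expected_gid:  # the reinstall resets the group to root (gid 0)
        problems.append(f"group is gid {st_gid}, expected gid {expected_gid}")
    return problems

def audit_publish_dir(path: str = "/var/lib/ipa/pki-ca/publish",
                      expected_group: str = "pkiuser") -> List[str]:
    """Stat PATH and report the ownership drift the ticket describes."""
    try:
        gid = grp.getgrnam(expected_group).gr_gid
    except KeyError:
        return [f"group {expected_group!r} does not exist on this host"]
    st = os.stat(path)
    return audit_mode(st.st_mode, st.st_gid, gid)
```

Run `audit_publish_dir()` on the CA host after a package update, or feed the system log to `failed_publish_dirs()` from a log collector, to detect the regression without waiting for the next scheduled CRL issue.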
Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=975431
Seems like the ticket is in the wrong bucket.
Replying to [comment:5 dpal]:
It shouldn't be; this is intended to be fixed in the FreeIPA 3.2.2 bugfixing release.
master:
7a10560 Change group ownership of CRL publish directory

ipa-3-2:
1a5daf0 Change group ownership of CRL publish directory
Metadata Update from @mkosek: - Issue assigned to tbabej - Issue set to the milestone: FreeIPA 3.2.x - 2013/07 (bug fixing)