#3728 Investigate PKI CRL publishing rules
Closed: wontfix 5 years ago Opened 10 years ago by mkosek.

The /var/lib/ipa/pki-ca/publish/ directory contains CRLs published by PKI (Dogtag). However, PKI publishes CRL content to this directory every 4 hours (even though it has the same content), which may lead to thousands of identical CRL files being stored in this directory.

We should investigate if the PKI is configured correctly or if there is some kind of clean up that should be run regularly to clean this directory.

There are also CRL errors in the PKI system log (/var/log/pki/pki-tomcat/ca/system) which may be related:

1139.Thread-15 - [17/Jun/2013:15:47:56 EDT] [8] [3] Publishing: Could not publish certificate serial    number 0x7. Error Failed to publish using rule: No rules enabled
1139.Thread-16 - [17/Jun/2013:15:48:02 EDT] [8] [3] Publishing: Could not publish certificate serial    number 0x8. Error Failed to publish using rule: No rules enabled
1612.Thread-14 - [17/Jun/2013:15:50:10 EDT] [8] [3] Publishing: Could not publish certificate serial    number 0x9. Error Failed to publish using rule: No rules enabled
1612.Thread-15 - [17/Jun/2013:15:50:36 EDT] [8] [3] Publishing: Could not publish certificate serial    number 0xa. Error Failed to publish using rule: No rules enabled

I already discussed this with Nathan; it would be great if somebody from PKI could chime in and help us verify the configuration. Assigning to Ade for starters.

A CRL may not contain new revocations but each file is different. Each CRL has a creation time stamp and the time stamp of the next update. Revocations and timestamps are signed. The signed timestamps allow clients to detect denial-of-service and replay attacks. Otherwise an attacker could just serve a CRL indefinitely.

# pwd
/var/lib/ipa/pki-ca/publish
# sha256sum MasterCRL-20160405-1*
670293f7f222c5afcb9c0e9f8919fc08c8e63e792360e6e1acf3a6eeb5afb4eb  MasterCRL-20160405-130000.der
005e5f5e65a27a5466cdaa343dd831a0301b7f9a4e88ad585319f6d1f9baa740  MasterCRL-20160405-170000.der
# openssl crl -in MasterCRL-20160405-130000.der -inform der -text -noout 
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /O=IPA.EXAMPLE/CN=Certificate Authority
        Last Update: Apr  5 13:00:00 2016 GMT
        Next Update: Apr  5 17:00:00 2016 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:6E:DA:89:85:93:5D:EE:20:F4:48:4B:C2:D1:7F:C5:65:9F:BA:75:C6

            X509v3 CRL Number: 
                10
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
         1f:5c:5e:1c:a1:72:19:08:20:b4:0d:eb:eb:a5:6c:02:32:b9:
         09:84:18:e5:d7:a9:d6:97:ef:15:01:01:c3:31:af:1f:55:b1:
         15:6e:b2:f8:01:dd:31:9c:2f:87:0e:96:b1:cc:5e:d8:1e:18:
         d3:82:46:1b:ad:df:d2:6b:61:2e:9c:24:ac:6c:ca:2a:95:9d:
         bf:fc:cb:22:7b:53:9d:82:09:4e:9f:a6:12:ec:89:c6:a7:68:
         21:44:fc:22:ad:d5:16:ba:0a:40:fb:29:40:25:9a:f5:0d:a6:
         96:f2:96:07:6e:62:4e:dc:50:dc:57:0f:8b:30:a5:5c:fd:ff:
         25:1b:45:f1:ca:9c:47:1c:9d:1b:8f:cf:db:76:79:e4:27:18:
         9c:27:3e:92:e5:52:61:7c:d3:2a:2e:18:10:f4:e5:fd:2b:86:
         42:19:1f:df:36:e9:5e:55:89:be:af:5b:92:8a:65:18:b9:a2:
         8c:3b:bf:50:9b:e4:e0:91:4f:35:89:a0:20:40:fa:bb:16:44:
         32:6b:99:0e:cc:7f:a5:4b:4e:dc:df:b7:3f:0d:bd:d9:4b:ec:
         6f:30:3c:51:d2:39:9e:60:1c:93:19:7b:82:71:82:0d:22:23:
         c5:25:b0:4a:c1:2c:2e:40:ea:09:05:21:70:7b:12:bb:01:a5:
         10:aa:6b:89
# openssl crl -in MasterCRL-20160405-170000.der -inform der -text -noout
Certificate Revocation List (CRL):
        Version 2 (0x1)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: /O=IPA.EXAMPLE/CN=Certificate Authority
        Last Update: Apr  5 17:00:00 2016 GMT
        Next Update: Apr  5 21:00:00 2016 GMT
        CRL extensions:
            X509v3 Authority Key Identifier: 
                keyid:6E:DA:89:85:93:5D:EE:20:F4:48:4B:C2:D1:7F:C5:65:9F:BA:75:C6

            X509v3 CRL Number: 
                11
No Revoked Certificates.
    Signature Algorithm: sha256WithRSAEncryption
         27:3e:ea:03:10:5b:d4:9f:7b:90:cf:3e:f5:92:1a:72:ff:78:
         c8:da:98:34:1f:7a:88:22:78:c0:6c:eb:87:c2:0a:c1:ba:cd:
         4f:11:21:4b:e2:c0:ae:7a:70:28:95:fe:bd:d0:92:c0:fd:48:
         13:d0:d1:5a:5e:a3:c9:25:19:b7:14:4c:91:80:ee:67:05:a1:
         45:17:d5:7f:b8:6d:be:07:78:04:e8:91:92:2a:96:60:32:2f:
         cc:00:2e:96:f0:85:48:1e:47:6c:45:a4:f1:98:f6:5e:d3:03:
         53:80:73:44:18:25:47:ef:45:08:f6:23:39:9d:ca:7a:d9:d2:
         d6:a2:d1:86:d2:b3:b2:f1:7d:b8:13:d2:15:ab:8b:28:da:d6:
         96:22:ee:80:53:93:9b:da:23:12:4f:9d:21:a3:c5:0c:9b:41:
         cc:fc:83:32:3d:d8:fb:e1:e1:cc:9d:6a:b0:2e:b9:07:0c:72:
         9d:c9:a2:67:56:8f:96:db:0f:2d:83:b4:e3:1e:d7:92:8f:e3:
         fb:37:cc:5b:2f:9e:2c:ed:8e:4c:c1:3a:07:02:23:3d:45:99:
         34:4d:ee:c9:f9:74:f9:6c:42:12:a1:6a:b1:47:6a:2a:b1:08:
         4e:db:e2:87:2d:48:2c:37:0a:85:dd:9c:a8:0d:bf:01:ce:54:
         c3:4d:43:50

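Added example (not code from the ticket or from Dogtag): it reproduces the point above with python-cryptography, issuing two empty CRLs four hours apart to show they are distinct signed files with distinct digests, and sketches the trim rule a publisher cleanup would need (only CRLs whose nextUpdate has passed, with a valid signature, are deleted). The CA key and issuer name are constructed stand-ins; the file naming follows the listing in the comment above.

```python
"""Added example (not from the ticket or Dogtag): two consecutive empty CRLs
are distinct signed documents, and only expired ones are safe to trim."""
import hashlib
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Constructed stand-in for the IPA CA signing key; the real key stays in the CA.
CA_KEY = rsa.generate_private_key(public_exponent=65537, key_size=2048)
ISSUER = x509.Name([x509.NameAttribute(NameOID.ORGANIZATION_NAME, "IPA.EXAMPLE"),
                    x509.NameAttribute(NameOID.COMMON_NAME, "Certificate Authority")])
PERIOD = timedelta(hours=4)  # publishing interval observed in the ticket
DER = serialization.Encoding.DER


def build_crl(crl_number, this_update):
    """Issue a CRL with no revocations, valid for one publishing period."""
    return (x509.CertificateRevocationListBuilder()
            .issuer_name(ISSUER)
            .last_update(this_update)
            .next_update(this_update + PERIOD)
            .add_extension(x509.CRLNumber(crl_number), critical=False)
            .sign(CA_KEY, hashes.SHA256()))


def utc_field(crl, name):
    """Read thisUpdate/nextUpdate as aware UTC across cryptography versions."""
    value = getattr(crl, name + "_utc", None)
    return value if value is not None else getattr(crl, name).replace(tzinfo=timezone.utc)


def publish_name(crl):
    """MasterCRL-YYYYMMDD-HHMMSS.der, the naming seen in the ticket's listing."""
    return utc_field(crl, "last_update").strftime("MasterCRL-%Y%m%d-%H%M%S.der")


def sha256(crl):
    return hashlib.sha256(crl.public_bytes(DER)).hexdigest()


def is_trimmable(der_bytes, now, grace=timedelta(days=1)):
    """A published CRL can go once its nextUpdate (plus a grace period) has
    passed and its signature verifies; anything else is kept for a human."""
    crl = x509.load_der_x509_crl(der_bytes)
    if not crl.is_signature_valid(CA_KEY.public_key()):
        return False  # tampered or foreign file: never delete silently
    return utc_field(crl, "next_update") + grace < now


def demo():
    t0 = datetime(2016, 4, 5, 13, 0, tzinfo=timezone.utc)
    crl10, crl11 = build_crl(10, t0), build_crl(11, t0 + PERIOD)
    return {
        "names": (publish_name(crl10), publish_name(crl11)),
        "both_empty": len(crl10) == 0 and len(crl11) == 0,
        "digests_differ": sha256(crl10) != sha256(crl11),
        "old_trimmable": is_trimmable(crl10.public_bytes(DER), t0 + timedelta(days=2)),
        "current_kept": not is_trimmable(crl11.public_bytes(DER), t0 + PERIOD),
    }
```
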
I proposed a CRL cleanup feature for FileBaseCRLPublisher, https://fedorahosted.org/pki/ticket/2274

This report is about two different issues:

CRL publishing and a missing option to trim old CRLs. This is now addressed in the following ticket:
https://fedorahosted.org/pki/ticket/2254

The second issue is about certificate publishing in IPA, which is addressed here:
https://fedorahosted.org/pki/ticket/2275

I think we can close this ticket.

Ignore the last comment. This ticket is against IPA, not PKI. Probably better to keep it in case some work is required in IPA.

But still important to keep in mind that we have two different issues described here.

Metadata Update from @mkosek:
- Issue assigned to vakwetu
- Issue set to the milestone: Future Releases

7 years ago

Thank you for taking the time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.

Metadata Update from @rcritten:
- Issue close_status updated to: wontfix
- Issue status updated to: Closed (was: Open)

5 years ago
