I have to retire the IPA server that was functioning as my CA Master. Per the instructions from Red Hat (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/server-roles) Section 6.5.2 "Promoting a Replica to a Master CA Server", I changed the CA Renewal Master, disabled CRL generation on the original Master, and configured the new CA Master to generate CRLs. After restarting services, the MasterCRL.bin file does not exist as expected.
CRL is not generated.
MasterCRL.bin file should be generated immediately on new CA Master.
$ rpm -q freeipa-server freeipa-client ipa-server ipa-client 389-ds-base pki-ca krb5-server
ipa-server-4.6.4-10.el7.centos.6.x86_64
ipa-client-4.6.4-10.el7.centos.6.x86_64
389-ds-base-1.3.8.4-25.1.el7_6.x86_64
pki-ca-10.5.9-13.el7_6.noarch
krb5-server-1.15.1-37.el7_6.x86_64
I'm hoping that this is just impatience on my part and that the CRL will be generated per the default 4-hour interval; however, I can't help but think that upon being promoted to Master, a CA server should check to see if the MasterCRL.bin file exists locally, and if not, trigger an automatic CRL generation so that the promotion to Master CA Server can be validated more quickly. If what I'm experiencing is the expected behavior, then perhaps this could end up as an enhancement...
Hi @mpreissner, the CRL generation will happen after the default 4-hour interval (as set in /etc/pki/pki-tomcat/ca/CS.cfg with the param ca.crl.MasterCRL.autoUpdateInterval=240).
If you upgrade to ipa 4.6.5, there is a new tool called ipa-crlgen-manage that is able to automate the manual steps that you did to transfer the CRL generation to a new server. This tool also forces the immediate generation of a CRL on the new CRL generation master. Please see issue #5803.
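The check below is an added example for readers of this ticket; it is not code from the reporter, the maintainer, or the FreeIPA project. It reads the Dogtag CS.cfg on a CA host and the CRL publish directory and classifies the host's CRL-generation state, so that after a manual promotion you can tell "not the generator", "generator but no CRL yet" (the reporter's situation, which resolves itself once ca.crl.MasterCRL.autoUpdateInterval elapses) and "generator with an overdue CRL" (worth a look at the pki-tomcat logs) apart. It assumes, from the Red Hat guide the reporter links rather than from this page, that the generating master carries ca.crl.MasterCRL.enableCRLUpdates=true and ca.crl.MasterCRL.enableCRLCache=true while every other CA has them set to false, and that the published file is /var/lib/ipa/pki-ca/publish/MasterCRL.bin; the write_sample_cfg helper writes a constructed CS.cfg fragment for offline testing only.

```shell
#!/bin/sh
# Added example, not part of the ticket or of FreeIPA.
# Classify a CA host's CRL-generation state from CS.cfg and the publish dir.

# Assumed default locations (IPA 4.x on RHEL/CentOS 7; not stated on the page).
CS_CFG_DEFAULT=/etc/pki/pki-tomcat/ca/CS.cfg
CRL_FILE_DEFAULT=/var/lib/ipa/pki-ca/publish/MasterCRL.bin

# cs_get CFG KEY: print the value of KEY from a key=value CS.cfg (empty if absent).
# Exact key match, so ca.crl.MasterCRL.autoUpdateInterval never matches a longer key.
cs_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) } END { print v }' "$1"
}

# crl_state CFG CRL_FILE NOW_EPOCH: print one of
#   not-generator             enableCRLUpdates is not true on this host
#   generator-cache-disabled  updates on but enableCRLCache off (inconsistent edit)
#   generator-no-crl          generator, but MasterCRL.bin has not been published yet
#   generator-crl-fresh       CRL present and younger than autoUpdateInterval
#   generator-crl-stale       CRL older than autoUpdateInterval (check pki-tomcat logs)
crl_state() {
    cfg=$1; crl=$2; now=$3
    updates=$(cs_get "$cfg" ca.crl.MasterCRL.enableCRLUpdates)
    cache=$(cs_get "$cfg" ca.crl.MasterCRL.enableCRLCache)
    interval=$(cs_get "$cfg" ca.crl.MasterCRL.autoUpdateInterval)
    interval=${interval:-240}   # minutes; the Dogtag default the maintainer cites

    if [ "$updates" != "true" ]; then
        echo not-generator; return 0
    fi
    if [ "$cache" != "true" ]; then
        echo generator-cache-disabled; return 0
    fi
    if [ ! -f "$crl" ]; then
        echo generator-no-crl; return 0
    fi
    # GNU stat first, BSD stat as fallback.
    mtime=$(stat -c %Y "$crl" 2>/dev/null || stat -f %m "$crl")
    age=$(( (now - mtime) / 60 ))
    if [ "$age" -le "$interval" ]; then
        echo generator-crl-fresh
    else
        echo generator-crl-stale
    fi
}

# write_sample_cfg PATH UPDATES CACHE: constructed CS.cfg fragment for offline tests.
# Real CS.cfg files contain hundreds of other keys; only these three matter here.
write_sample_cfg() {
    printf '%s\n' \
        "ca.crl.MasterCRL.enableCRLUpdates=$2" \
        "ca.crl.MasterCRL.enableCRLCache=$3" \
        "ca.crl.MasterCRL.autoUpdateInterval=240" > "$1"
}

# On a real CA host:
#   crl_state "$CS_CFG_DEFAULT" "$CRL_FILE_DEFAULT" "$(date +%s)"
```

Run it on both the old and the new CA after the manual procedure: the old one should report not-generator and the new one generator-no-crl until the first scheduled update, then generator-crl-fresh. On IPA 4.6.5 and later, `ipa-crlgen-manage status` gives the same answer directly, and `ipa-crlgen-manage enable` on the new master plus `ipa-crlgen-manage disable` on the old one replace the hand edits and trigger the immediate CRL generation the maintainer mentions.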
Metadata Update from @frenaud:
  Issue close_status updated to: duplicate
  Issue status updated to: Closed (was: Open)