#9569 ipa-crlgen-manage should unset ca.certStatusUpdateInterval on enable
Closed: fixed 9 months ago by frenaud. Opened 9 months ago by rcritten.

Issue

Cloned from https://issues.redhat.com/browse/RHEL-30280

Summary

PKI will not generate a CRL when ca.certStatusUpdateInterval == 0. This is the default for a server not marked as the CRL generator. ipa-crlgen-manage should ensure that this value is not set in CS.cfg when enabling the other options.

Otherwise the CRL will be generated but marking certificates as EXPIRED will not occur.

The reason for only marking certificates as expired on a single server is to avoid duplicate work and potential replication issues.


Metadata Update from @rcritten:
- Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-30280

9 months ago

Metadata Update from @rcritten:
- Issue assigned to rcritten

9 months ago

IPA isn't setting ca.certStatusUpdateInterval during a replica install. This value is added by the PKI installer.

Which also means that when ipa-crlgen-manage disable is run we should set this value to 0 to prevent the former generator from calculating cert status.

Turns out I ran into this issue a long time ago and made some notes about it.

My first server was called ipa0. I later added ipa2 to the topology and ran 'ipa-crlgen-manage' on it.

According to my notes, after doing this there were still the following config differences between ipa0 and ipa2:

ca.certStatusUpdateInterval
ipa0: unset
ipa2: 0

ca.listenToCloneModifications
ipa0: true
ipa2: false

master.ca.agent.host
ipa0: unset
ipa2: ipa0.example.com

master.ca.agent.port
ipa0: unset
ipa2: 443

I wonder if ipa-crlgen-manage should also manage ca.listenToCloneModifications as well as ca.certStatusUpdateInterval? That way, setting a server as the CRL generator will line all the settings up with what would be set on the first server of a freshly installed domain:

https://github.com/freeipa/freeipa/blob/d16c34997f2223bd3f3d00a734c3372552bd8863/ipaserver/install/cainstance.py#L1020

Yes, ca.listenToCloneModifications should follow the enable/disable status of CRL generation on a server.
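The enable/disable behaviour agreed on above, as an added example that is not freeipa's own code and not how ipa-crlgen-manage implements it: a small Python routine that applies the two CS.cfg settings discussed in this ticket to a key=value snippet and checks a server's state against what its CRL role requires. The sample CS.cfg is constructed from the ipa2 values in the notes above (the `master.ca.agent.*` host and port are illustrative); only the two keys named in the ticket are touched, and the agent settings are deliberately left alone because the ticket does not decide anything about them.

```python
"""Apply / verify the CRL-generator settings this ticket asks for.

Added example (not ipa-crlgen-manage's code). CS.cfg is treated as a flat
key=value file, which is enough to show the state transitions; the real
file has many more keys that are left untouched here.
"""
from __future__ import annotations

# Keys discussed in the ticket. Per the ticket, PKI runs no cert status
# update (no EXPIRED marking) when ca.certStatusUpdateInterval is 0, and
# ca.listenToCloneModifications should track the CRL-generator role.
STATUS_INTERVAL = "ca.certStatusUpdateInterval"
LISTEN_TO_CLONES = "ca.listenToCloneModifications"

# Constructed CS.cfg fragment matching the ipa2 (non-generator) state from
# the notes: interval pinned to 0, not listening to clones, agent set.
SAMPLE_CLONE_CFG = """\
# constructed sample, not a real CS.cfg
ca.certStatusUpdateInterval=0
ca.listenToCloneModifications=false
master.ca.agent.host=ipa0.example.com
master.ca.agent.port=443
"""


def parse_cs_cfg(text: str) -> dict[str, str]:
    """Parse key=value lines; blank lines and '#' comments are skipped."""
    cfg: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:  # ignore malformed lines without '='
            cfg[key.strip()] = value.strip()
    return cfg


def render_cs_cfg(cfg: dict[str, str]) -> str:
    """Serialise back to key=value lines (sorted, so diffs are stable)."""
    return "".join(f"{k}={v}\n" for k, v in sorted(cfg.items()))


def set_crl_generator(cfg: dict[str, str], enable: bool) -> dict[str, str]:
    """Return a copy of cfg with the settings for the requested CRL role."""
    out = dict(cfg)
    if enable:
        # 0 switches the cert status task off, so the key is removed rather
        # than overwritten: an unset key lets PKI apply its own default,
        # which is what a freshly installed first server has.
        out.pop(STATUS_INTERVAL, None)
        out[LISTEN_TO_CLONES] = "true"
    else:
        # The former generator must stop marking certificates expired, so
        # the task is disabled explicitly and clone listening is turned off.
        out[STATUS_INTERVAL] = "0"
        out[LISTEN_TO_CLONES] = "false"
    return out


def check_crl_generator(cfg: dict[str, str], enable: bool) -> list[str]:
    """List mismatches between cfg and the expected state for this role.

    An empty list means the two keys agree with the role; this is the
    check a practitioner would run after ipa-crlgen-manage on every CA.
    """
    problems: list[str] = []
    interval = cfg.get(STATUS_INTERVAL)
    listen = cfg.get(LISTEN_TO_CLONES)
    if enable:
        if interval == "0":
            problems.append(f"{STATUS_INTERVAL}=0: cert status task is disabled")
        if listen != "true":
            problems.append(f"{LISTEN_TO_CLONES} should be true on the generator")
    else:
        if interval != "0":
            problems.append(f"{STATUS_INTERVAL} should be 0 on a non-generator")
        if listen != "false":
            problems.append(f"{LISTEN_TO_CLONES} should be false on a non-generator")
    return problems


if __name__ == "__main__":
    clone = parse_cs_cfg(SAMPLE_CLONE_CFG)
    print("before enable:", check_crl_generator(clone, enable=True))
    generator = set_crl_generator(clone, enable=True)
    print(render_cs_cfg(generator))
    print("after enable:", check_crl_generator(generator, enable=True))
    former = set_crl_generator(generator, enable=False)
    print("after disable:", check_crl_generator(former, enable=False))
```

Running it on the sample shows the failure mode from the ticket first (interval 0 and listen false on a would-be generator), then a clean check after enable, and a clean check again after the generator role is handed off with disable.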

master:

  • f78d25f ipa-crlgen-manage: manage the cert status task execution time

ipa-4-11:

  • 6716687 ipa-crlgen-manage: manage the cert status task execution time

ipa-4-10:

  • d50928f ipa-crlgen-manage: manage the cert status task execution time

ipa-4-9:

  • 74791ea ipa-crlgen-manage: manage the cert status task execution time

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)

9 months ago
