Cloned from https://issues.redhat.com/browse/RHEL-30280
Summary
PKI will not generate a CRL when ca.certStatusUpdateInterval == 0. This is the default for a server not marked as the CRL generator. ipa-crlgen-manage should ensure that this value is not set in CS.cfg when enabling the other options.
Otherwise the CRL will be generated but marking certificates as EXPIRED will not occur.
The reason for only marking certificates as expired on a single server is to avoid duplicate work and potential replication issues.
Metadata Update from @rcritten: - Custom field rhbz adjusted to https://issues.redhat.com/browse/RHEL-30280
Metadata Update from @rcritten: - Issue assigned to rcritten
IPA isn't setting ca.certStatusUpdateInterval during a replica install. This value is added by the PKI installer.
Which also means that when ipa-crlgen-manage disable is run we should set this value to 0 to prevent the former generator from calculating cert status.
PR https://github.com/freeipa/freeipa/pull/7317
Turns out I ran into this issue a long time ago and made some notes about it.
My first server was called ipa0. I later added ipa2 to the topology and ran 'ipa-crlgen-manage' on it.
According to my notes, after doing this there were still the following config differences between ipa0 and ipa2:
| Setting | ipa0 | ipa2 |
|---|---|---|
| ca.certStatusUpdateInterval | unset | 0 |
| ca.listenToCloneModifications | true | false |
| master.ca.agent.host | unset | ipa0.example.com |
| master.ca.agent.port | unset | 443 |
I wonder if ipa-crlgen-manage should also manage ca.listenToCloneModifications as well as ca.certStatusUpdateInterval? That way, setting a server as the CRL generator will line all the settings up with what would be set on the first server of a freshly installed domain:
- ipa-crlgen-manage
- ca.listenToCloneModifications
- ca.certStatusUpdateInterval

https://github.com/freeipa/freeipa/blob/d16c34997f2223bd3f3d00a734c3372552bd8863/ipaserver/install/cainstance.py#L1020
Yes, ca.listenToCloneModifications should follow the enable/disable status of CRL generation on a server.
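The rule discussed in this ticket (a CRL generator must not carry ca.certStatusUpdateInterval=0 and should have ca.listenToCloneModifications=true, while a server that stops being the generator should get interval 0 and listen false) can be checked mechanically against CS.cfg. The script below is an added example written for this ticket; it is not FreeIPA or Dogtag code. The two key names come from the ticket; using ca.crl.MasterCRL.enableCRLUpdates as the indicator of the generator role is an assumption of this example, and the CS.cfg fragments are constructed, not captured from a real server.

```python
"""Check and align the CS.cfg settings that should follow a server's CRL-generator role.

Added example, not FreeIPA or Dogtag code. Key names ca.certStatusUpdateInterval and
ca.listenToCloneModifications come from the ticket; treating
ca.crl.MasterCRL.enableCRLUpdates as the generator-role indicator is an assumption.
"""

ROLE_KEY = "ca.crl.MasterCRL.enableCRLUpdates"   # assumed role indicator
INTERVAL_KEY = "ca.certStatusUpdateInterval"
LISTEN_KEY = "ca.listenToCloneModifications"

# Constructed CS.cfg fragments for demonstration (not captured from a real server).
# First server of a fresh install: interval unset, listening to clone modifications.
HEALTHY_GENERATOR = """\
ca.crl.MasterCRL.enableCRLUpdates=true
ca.listenToCloneModifications=true
"""

# Replica promoted to CRL generator, but the replica-era values were left behind.
STALE_GENERATOR = """\
ca.crl.MasterCRL.enableCRLUpdates=true
ca.certStatusUpdateInterval=0
ca.listenToCloneModifications=false
"""


def parse_cs_cfg(text):
    """Parse key=value lines of a CS.cfg into a dict; comments and blank lines are skipped."""
    cfg = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            cfg[key.strip()] = value.strip()
    return cfg


def is_crl_generator(cfg):
    """True when the assumed role indicator says this server produces the CRL."""
    return cfg.get(ROLE_KEY, "false").lower() == "true"


def check_crl_settings(cfg, generator=None):
    """Return the mismatches between the server's role and the two settings from the ticket."""
    if generator is None:
        generator = is_crl_generator(cfg)
    interval = cfg.get(INTERVAL_KEY)
    listen = cfg.get(LISTEN_KEY, "false").lower()
    problems = []
    if generator:
        # Interval 0 on the generator: a CRL is produced but nothing marks certs EXPIRED.
        if interval == "0":
            problems.append(f"{INTERVAL_KEY}=0 on the CRL generator; "
                            "certificates will never be marked EXPIRED")
        if listen != "true":
            problems.append(f"{LISTEN_KEY} should be true on the CRL generator")
    else:
        # A former generator must stop computing cert status to avoid duplicate work.
        if interval not in (None, "0"):
            problems.append(f"{INTERVAL_KEY}={interval} on a non-generator; set it to 0")
        if listen == "true":
            problems.append(f"{LISTEN_KEY} should be false on a non-generator")
    return problems


def apply_crl_role(cfg, generator):
    """Return a copy of cfg with the values ipa-crlgen-manage should leave for the role.

    Enabling removes the explicit interval (matching the first server of a fresh
    install, where it is unset) and turns listening on; disabling pins the interval
    to 0 and turns listening off so the former generator stops computing status.
    """
    new = dict(cfg)
    new[ROLE_KEY] = "true" if generator else "false"
    if generator:
        new.pop(INTERVAL_KEY, None)
        new[LISTEN_KEY] = "true"
    else:
        new[INTERVAL_KEY] = "0"
        new[LISTEN_KEY] = "false"
    return new


if __name__ == "__main__":
    for name, text in (("healthy", HEALTHY_GENERATOR), ("stale", STALE_GENERATOR)):
        print(name, check_crl_settings(parse_cs_cfg(text)) or "OK")
    print(apply_crl_role(parse_cs_cfg(STALE_GENERATOR), generator=True))
```

Running the checker over the "stale" fragment reports both mismatches the ticket describes; applying the generator role drops the interval and sets listening to true, and applying the non-generator role to a former generator pins the interval to 0, which is what the ticket asks ipa-crlgen-manage disable to do.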
master:
ipa-4-11:
ipa-4-10:
ipa-4-9:
Metadata Update from @frenaud: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)