Bug 1478394 - Sub-CA CRL not contained in /ipa/crl/MasterCRL.bin
Status: NEW
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: pki-core
Version: 7.3
Hardware: x86_64
OS: Unspecified
Priority: unspecified
Severity: unspecified
Target Milestone: rc
Assigned To: RHCS Maintainers
QA Contact: Asha Akkiangady
Reported: 2017-08-04 09:36 EDT by Michael Voetter
Modified: 2017-08-31 02:15 EDT
CC: 6 users
Type: Bug
Description Michael Voetter 2017-08-04 09:36:39 EDT
Description of problem:
Revoked certificates of the Sub-CA do not show up in the http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin

Version-Release number of selected component (if applicable):
ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

How reproducible:
Set up the sub-CA as described in:
http://blog-ftweedal.rhcloud.com/2016/07/lightweight-sub-cas-in-freeipa-4-4/

Steps to Reproduce:
1. Revoke an issued certificate with the sub-CA (Web UI)
2. wget http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin
3. openssl crl -inform der -in MasterCRL.bin -noout -text

Actual results:
Revoked certificate does not show up.

Expected results:
Revoked certificate should show up.

Additional info:
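Step 3 above inspects the fetched CRL by eye with openssl. The following is an added example, not code from this report or from FreeIPA/Dogtag: it walks the DER structure of an X.509 CRL with only the Python standard library and returns the revoked serial numbers, so a script can check whether a given serial (for instance 0x1e, the one the publishing log complains about) is actually present in MasterCRL.bin. The function names (`revoked_serials`, `sample_crl`) are this example's own, and the sample CRL is constructed inline with a dummy signature; the signature is not verified here, so validate the CRL against the CA certificate before trusting its contents.

```python
SEQUENCE, INTEGER, UTCTIME, GENTIME = 0x30, 0x02, 0x17, 0x18

def _tlv(buf, pos):  # decode one DER TLV at pos -> (tag, value, position after it)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes that follow
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):  # yield (tag, value) for each TLV directly inside a constructed value
    pos = 0
    while pos < len(value):
        tag, inner, pos = _tlv(value, pos)
        yield tag, inner

def revoked_serials(crl_der):
    """Set of serials in a DER CRL's revokedCertificates (empty if absent); signature NOT checked."""
    _, cert_list, _ = _tlv(crl_der, 0)          # CertificateList ::= SEQUENCE { tbsCertList, alg, sig }
    fields = list(_children(next(_children(cert_list))[1]))   # TBSCertList fields, in order
    if fields[0][0] == INTEGER:                  # optional version
        fields.pop(0)
    fields = fields[2:]                          # skip signature AlgorithmIdentifier and issuer Name
    while fields and fields[0][0] in (UTCTIME, GENTIME):  # thisUpdate, optional nextUpdate
        fields.pop(0)
    if not fields or fields[0][0] != SEQUENCE:   # no revokedCertificates (only [0] crlExtensions left)
        return set()
    return {int.from_bytes(next(_children(entry))[1], "big", signed=True)   # userCertificate INTEGER
            for _, entry in _children(fields[0][1])}

def _der(tag, content):  # encode one DER TLV, short or long length form
    if len(content) < 0x80:
        return bytes([tag, len(content)]) + content
    lb = len(content).to_bytes((len(content).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def sample_crl(serials):
    """Constructed sample CRL (not a real FreeIPA CRL): CN=Sub-CA issuer, given serials, dummy signature."""
    when = _der(UTCTIME, b"170804120000Z")
    alg = _der(SEQUENCE, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + _der(0x05, b""))  # sha256WithRSA
    issuer = _der(SEQUENCE, _der(0x31, _der(SEQUENCE, _der(0x06, b"\x55\x04\x03") + _der(0x0c, b"Sub-CA"))))
    entries = b"".join(_der(SEQUENCE, _der(INTEGER, s.to_bytes(s.bit_length() // 8 + 1, "big")) + when)
                       for s in serials)
    revoked = _der(SEQUENCE, entries) if serials else b""   # RFC 5280: omit the list when it is empty
    tbs = _der(SEQUENCE, _der(INTEGER, b"\x01") + alg + issuer + when + when + revoked)
    return _der(SEQUENCE, tbs + alg + _der(0x03, b"\x00" * 33))   # BIT STRING: 0 unused bits + dummy sig

if __name__ == "__main__":
    crl = sample_crl([0x1f, 0x20])  # stands in for the bytes fetched from MasterCRL.bin
    print(sorted(hex(s) for s in revoked_serials(crl)), "0x1e revoked?", 0x1e in revoked_serials(crl))
```

To run it against a real file, pass `open("MasterCRL.bin", "rb").read()` to `revoked_serials` in place of the constructed sample.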
Comment 2 Rob Crittenden 2017-08-04 09:49:37 EDT
CRLs are updated periodically, every 60 minutes IIRC. Did you wait between step 1 and step 2?
Comment 3 Michael Voetter 2017-08-04 10:24:51 EDT
While trying to figure out when exactly I revoked the certificate, I found the following in /var/log/pki/pki-tomcat/ca/system

0.Thread-34 - [03/Aug/2017:22:54:56 CEST] [8] [3] Publishing: Could not publish certificate serial number 0x1e. Error Failed to publish using rule: No rules enabled
0.Thread-35 - [04/Aug/2017:12:48:49 CEST] [8] [3] Publishing: Could not publish certificate serial number 0x1f. Error Failed to publish using rule: No rules enabled
0.Thread-36 - [04/Aug/2017:13:38:42 CEST] [8] [3] Publishing: Could not publish certificate serial number 0x20. Error Failed to publish using rule: No rules enabled
0.Thread-37 - [04/Aug/2017:14:13:49 CEST] [8] [3] Publishing: No rule can be found for unpublishing: certs request 38
0.Thread-37 - [04/Aug/2017:14:13:49 CEST] [8] [3] Publishing: Could not unpublish certificate serial number 0x1e. Error No Rule instance is matched for request 38.

I have no idea where I can/should add such a (missing) rule but I guess this is causing the problem.

(In reply to Rob Crittenden from comment #2)
> CRLs are updated periodically, every 60 minutes IIRC. Did you wait between
> step 1 and step 2?

I double-checked it right now (approximately two hours later) with still the same result.
Comment 4 Rob Crittenden 2017-08-04 10:49:28 EDT
Fraser, is specific configuration needed in dogtag to enable CRLs for sub-CAs?
Comment 5 Fraser Tweedale 2017-08-08 02:08:19 EDT
There is no support yet for Lightweight CA CRLs.
See upstream ticket https://pagure.io/dogtagpki/issue/1627.

OCSP works perfectly for Lightweight CAs.
Comment 6 Fraser Tweedale 2017-08-08 09:28:57 EDT
Michael, how badly do you need a CRL for your use case, instead of OCSP?
Comment 7 Michael Voetter 2017-08-10 10:03:48 EDT
I'd need to get a Certificate Revocation List in X.509 CRL format to manually add the CRL to a pfSense box which I use as a VPN gateway. The reason for that manual step is that it's not possible to configure the OpenVPN Server in the 2.3.4-RELEASE of pfSense to force OCSP checks AFAIK.

(In reply to Fraser Tweedale from comment #5)
> There is no support yet for Lightweight CA CRLs.
> See upstream ticket https://pagure.io/dogtagpki/issue/1627.
> 
> OCSP works perfectly for Lightweight CAs.

My cert profile is basically a copy of caIPAserviceCert as I followed the steps described in the blog entry https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

Do I need to modify crlDistPoints entries of that profile as the Sub-CA doesn't support the CRL generation but the respective URL is still present?
Comment 8 Fraser Tweedale 2017-08-10 23:04:27 EDT
Michael, yes, you might want to just remove the CRLDP extension on the modified profile.
