1478394 – [RFE] Sub-CA CRL not published in Master CA's CRL

RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.

Bug 1478394 - [RFE] Sub-CA CRL not published in Master CA's CRL

Summary: [RFE] Sub-CA CRL not published in Master CA's CRL

Keywords:
Status:	CLOSED UPSTREAM
Alias:	None
Product:	Red Hat Enterprise Linux 8
Classification:	Red Hat
Component:	pki-core
Sub Component:
Version:	---
Hardware:	x86_64
OS:	Unspecified
Priority:	unspecified
Severity:	unspecified
Target Milestone:	rc
Target Release:	---
Assignee:	RHCS Maintainers
QA Contact:	Asha Akkiangady
Docs Contact:
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+	depends on / blocked

Reported:	2017-08-04 13:36 UTC by Michael Voetter
Modified:	2023-01-04 14:06 UTC (History)
CC List:	10 users (show)
Fixed In Version:
Doc Type:	If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed:	2020-06-26 14:26:37 UTC
Type:	Feature Request
Target Upstream Version:
Embargoed:
Dependent Products:

Attachments	(Terms of Use)

Links
System	ID	Private	Priority	Status	Summary	Last Updated
Github	dogtagpki pki issues 2186	0	None	open	Lightweight CAs: add ability to configure CRLs for lightweight CAs	2020-10-21 08:20:06 UTC
Red Hat Issue Tracker	RHELPLAN-34518	0	None	None	None	2023-01-04 14:06:22 UTC

Description Michael Voetter 2017-08-04 13:36:39 UTC

Description of problem:
Revoked certificates of the Sub-CA do not show up in the http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin

Version-Release number of selected component (if applicable):
ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

How reproducible:
Setup sub-ca as described in:
http://blog-ftweedal.rhcloud.com/2016/07/lightweight-sub-cas-in-freeipa-4-4/

Steps to Reproduce:
1. Revoke issued certificate with sub-ca (Web UI)
2. wget http://ipa-ca.$DOMAIN/ipa/crl/MasterCRL.bin
3. openssl crl -inform der -in MasterCRL.bin -noout -text

Actual results:
Revoked certificate does not show up.

Expected results:
Revoked certificate should show up.

Additional info:

Comment 2 Rob Crittenden 2017-08-04 13:49:37 UTC

CRLs are updated periodically, every 60 minutes IIRC. Did you wait between step 1 and step 2?

Comment 3 Michael Voetter 2017-08-04 14:24:51 UTC

While trying to figure out when exactly i revoked the certificate I fond the following in /var/log/pki/pki-tomcat/ca/system

0.Thread-34 - [03/Aug/2017:22:54:56 CEST] [8] [3] Publishing: Could not publish certificate serial number 0x1e. Error Failed to publish using rule: No rules enabled
0.Thread-35 - [04/Aug/2017:12:48:49 CEST] [8] [3] Publishing: Could not publish certificate serial number 0x1f. Error Failed to publish using rule: No rules enabled
0.Thread-36 - [04/Aug/2017:13:38:42 CEST] [8] [3] Publishing: Could not publish certificate serial number 0x20. Error Failed to publish using rule: No rules enabled
0.Thread-37 - [04/Aug/2017:14:13:49 CEST] [8] [3] Publishing: No rule can be found for unpublishing: certs request 38
0.Thread-37 - [04/Aug/2017:14:13:49 CEST] [8] [3] Publishing: Could not unpublish certificate serial number 0x1e. Error No Rule instance is matched for request 38.

I have no idea where I can/should add such a (missing) rule but I guess this is causing the problem.

(In reply to Rob Crittenden from comment #2)
> CRLs are updated periodically, every 60 minutes IIRC. Did you wait between
> step 1 and step 2?

I double checked it right now (approximately two hours later) with still the same result.

Comment 4 Rob Crittenden 2017-08-04 14:49:28 UTC

Fraser, is specific configuration needed in dogtag to enable CRLs for sub-CAs?

Comment 5 Fraser Tweedale 2017-08-08 06:08:19 UTC

There is no support yet for Lightweight CA CRLs.
See upstream ticket https://pagure.io/dogtagpki/issue/1627.

OCSP works perfectly for Lightweight CAs.

Comment 6 Fraser Tweedale 2017-08-08 13:28:57 UTC

Michael, how badly do you need CRL for your use case, instead of OCSP?

Comment 7 Michael Voetter 2017-08-10 14:03:48 UTC

I'd need to get a Certificate Revocation List in X.509 CRL format to manually add the CRL to a pfSense box which I use as a VPN gateway. The reason for that manual step is that it's not possible to configure the OpenVPN Server in the 2.3.4-RELEASE of pfSense to force OCSP checks AFAIK.


(In reply to Fraser Tweedale from comment #5)
> There is no support yet for Lightweight CA CRLs.
> See upstream ticket https://pagure.io/dogtagpki/issue/1627.
> 
> OCSP works perfectly for Lightweight CAs.


My cert profile is basically a copy of caIPAserviceCert as I followed the steps described in the blog entry https://blog-ftweedal.rhcloud.com/2015/08/user-certificates-and-custom-profiles-with-freeipa-4-2/

Do I need to modify crlDistPoints entries of that profile as the Sub-CA doesn't support the CRL generation but the respective URL is still present?

Comment 8 Fraser Tweedale 2017-08-11 03:04:27 UTC

Michael, yes, you might want to just remove the CRLDP extension on
the modified profile.

Comment 9 Matthew Harmsen 2018-07-04 00:27:01 UTC

Moved to RHEL 7.7.

Comment 10 Corey Brown 2019-04-02 15:51:03 UTC

Hi,

I have a case that is getting these exact error messages:
Excerpt from etoltilisdidm03.idm.sgdcelab.sabre.com /var/log/pki/pki-tomcat/system :

0.Thread-13 - [22/Mar/2019:15:36:05 CDT] [8] [3] Publishing: Could not publish certificate serial number 0x4ff90016. Error Failed to publish using rule: No rules enabled
0.Thread-14 - [22/Mar/2019:15:36:35 CDT] [8] [3] Publishing: Could not publish certificate serial number 0x4ff90017. Error Failed to publish using rule: No rules enabled
0.Thread-15 - [22/Mar/2019:15:37:24 CDT] [8] [3] Publishing: Could not publish certificate serial number 0x4ff90018. Error Failed to publish using rule: No rules enabled
0.Thread-16 - [25/Mar/2019:13:45:22 CDT] [8] [3] Publishing: Could not publish certificate serial number 0x4ff90019. Error Failed to publish using rule: No rules enabled

However, the CRL master was moved at the beginning of the upgrade, the customer doesn't believe any new certificates were issued unless they were issued automatically when running `ipa-csreplica-manage set-renewal-master`. The customer doesn't use external CAs, only the self-signed cert that is created when the first server was created.

Is there a workaround for this issue I could provide to the customer?

Corey Brown

Comment 11 Marc Sauton 2019-04-02 17:14:47 UTC

the Publishing messages "Error Failed to publish using rule: No rules enabled" are unrelated.

Comment 12 Dinesh Prasanth 2020-04-28 18:08:35 UTC

Fraser, as per your email on 26 Feb 2020, you wanted to take this over. So, reassigning this bug
to you.

Comment 13 Fraser Tweedale 2020-06-19 10:25:42 UTC

Blog post about this feature and possible approaches to implementation:
https://frasertweedale.github.io/blog-redhat/posts/2020-06-19-dogtag-lightweight-ca-crl.html

Comment 14 Matthew Harmsen 2020-06-26 14:25:12 UTC

(In reply to Fraser Tweedale from comment #13)
> Blog post about this feature and possible approaches to implementation:
> https://frasertweedale.github.io/blog-redhat/posts/2020-06-19-dogtag-
> lightweight-ca-crl.html

Per email with ftweedal from June 19, 2020:

It's a bit of a compliance issue to have certs issued by LWCA
bearning a CRLDP extension that points at a CRL that does not
include the LWCA in its scope.

But how important is the CRL?  Does anyone really need it, or is
OCSP (which is already implemented) enough?

I will blog about the issues and implementation ideas, to transfer
some of that knowledge and identify the challenges/tradeoffs.  But
if there is no customer specifically asking, we can probably close
it, and re-open later if necessary.  But we should document the
current behaviour as a known issue.

https://frasertweedale.github.io/blog-redhat/posts/2020-06-19-dogtag-lightweight-ca-crl.html

Comment 15 Matthew Harmsen 2020-06-26 14:26:37 UTC

Closing - Upstream ticket is https://pagure.io/dogtagpki/issue/1627 -  Lightweight CAs: add ability to configure CRLs for lightweight CAs

Note You need to log in before you can comment on or make changes to this bug.