
MasterCRL does not immediately publish a new Full CRL when clone CA revokes a certificate. #5011

Open
jmisset-cb opened this issue Mar 21, 2025 · 5 comments

Comments

@jmisset-cb
Contributor

Summary:
MasterCRL does not immediately publish a new Full CRL when clone CA revokes a certificate.

Build:
idm-pki-ca-11.5.1-1.el9.noarch, AlmaLinux 9

Steps to reproduce:
Install pki-ca on a master and a clone instance
Spawn master and then spawn clone, using default settings.

Configure on the CA Master:
ca.crl.MasterCRL.alwaysUpdate=true
ca.listenToCloneModifications=true

And restart the CA instance.

Revoke a certificate on the Clone CA.

Expected Result:
The Master CA processes the certificate status changes, and immediately publishes a new Full CRL.

Actual Result:
The Master CA processes the certificate status changes but does not immediately publish a new Full CRL.

Logs from the Master CA when revocation happens on the Clone show that the certificate status does get updated. However, no immediate CRL publishing is done.

2025-03-21 15:46:02 [RetrieveModificationsTask] INFO: RetrieveModificationsTask: dn: cn=222373661916644886824236139590805415197,ou=certificateRepository,ou=ca,dc=pki,dc=example,dc=com
2025-03-21 15:46:02 [RetrieveModificationsTask] INFO: RetrieveModificationsTask: status: REVOKED
2025-03-21 15:46:02 [RetrieveModificationsTask] INFO: CRLIssuingPoint: Adding revoked cert 0xa74b9c03ca3e331dba10afc896fce51d
2025-03-21 15:46:02 [RetrieveModificationsTask] INFO: CRLIssuingPoint: Updating revoked cert 0xa74b9c03ca3e331dba10afc896fce51d

If this is indeed a bug and not working as intended, I wouldn't mind opening a PR for this.
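The expected result above boils down to one observable check: after the clone revokes the certificate, the full CRL served by the master must be a newer issue (its cRLNumber has advanced) and must list the revoked serial. The following is an added example, not code from the issue or from the Dogtag project. It is a pure-Python DER walker for an RFC 5280 CertificateList that extracts thisUpdate, nextUpdate, cRLNumber and the revoked serials, plus a `revocation_published` check. The serial 0xa74b9c03ca3e331dba10afc896fce51d is taken from the log lines in the issue; the two CRLs it inspects are constructed in the block itself (with a placeholder, unverified signature) so it runs offline; how you download the real DER CRL from the master is not shown and is assumed to be whatever your deployment uses. The walker does not verify the CRL signature, so validate the real CRL against the CA signing certificate before trusting the result.

```python
"""Check whether a Dogtag CA's full CRL already lists a serial revoked on a clone.

Added example (not Dogtag code). Pure-Python DER walker for an RFC 5280
CertificateList. It does NOT verify the CRL signature: validate the CRL against
the CA signing cert before trusting the result in production.
"""
from datetime import datetime, timezone

OID_CRL_NUMBER = bytes.fromhex("551d14")  # body of OID 2.5.29.20 (cRLNumber)


def read_tlv(buf: bytes, pos: int = 0):
    """Read one DER tag-length-value at buf[pos]; return (tag, value, next_pos)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                        # long-form length
        nbytes = first & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def children(body: bytes):
    """Split the body of a constructed element into (tag, value) pairs."""
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = read_tlv(body, pos)
        out.append((tag, val))
    return out


def decode_time(tag: int, value: bytes) -> datetime:
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"  # UTCTime / GeneralizedTime
    return datetime.strptime(value.decode("ascii"), fmt).replace(tzinfo=timezone.utc)


def parse_crl(der: bytes) -> dict:
    """Return thisUpdate, nextUpdate, cRLNumber and the set of revoked serials."""
    _, cert_list, _ = read_tlv(der)
    _, tbs, _ = read_tlv(cert_list)          # tbsCertList is the first element
    fields = children(tbs)
    if fields[0][0] == 0x02:                 # optional version INTEGER
        fields = fields[1:]
    fields = fields[2:]                      # skip signature AlgorithmIdentifier and issuer Name
    info = {"this_update": decode_time(*fields[0]), "next_update": None,
            "crl_number": None, "revoked": set()}
    fields = fields[1:]
    if fields and fields[0][0] in (0x17, 0x18):          # optional nextUpdate
        info["next_update"] = decode_time(*fields[0])
        fields = fields[1:]
    if fields and fields[0][0] == 0x30:                  # revokedCertificates (absent when empty)
        for _, entry in children(fields[0][1]):
            _, serial = children(entry)[0]                # userCertificate INTEGER
            info["revoked"].add(int.from_bytes(serial, "big", signed=True))
        fields = fields[1:]
    if fields and fields[0][0] == 0xA0:                  # [0] EXPLICIT crlExtensions
        for _, ext in children(children(fields[0][1])[0][1]):
            parts = children(ext)                         # OID, [critical BOOLEAN], OCTET STRING
            if parts[0][1] == OID_CRL_NUMBER:
                _, number, _ = read_tlv(parts[-1][1])     # INTEGER inside the OCTET STRING
                info["crl_number"] = int.from_bytes(number, "big", signed=True)
    return info


def revocation_published(der: bytes, serial: int, previous_crl_number: int) -> bool:
    """True only if the CRL is a newer issue than the one seen before AND lists `serial`."""
    info = parse_crl(der)
    return (info["crl_number"] is not None
            and info["crl_number"] > previous_crl_number
            and serial in info["revoked"])


# --- constructed sample data; stands in for a CRL downloaded from the master ---

def tlv(tag: int, body: bytes) -> bytes:
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    lb = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def der_int(n: int) -> bytes:
    return tlv(0x02, n.to_bytes((n.bit_length() + 8) // 8, "big", signed=True))


SIG_ALG = tlv(0x30, tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + tlv(0x05, b""))  # sha256WithRSA
ISSUER = tlv(0x30, tlv(0x31, tlv(0x30, tlv(0x06, bytes.fromhex("550403"))
                                      + tlv(0x0C, b"CA Signing Certificate"))))


def sample_crl(crl_number: int, revoked: list) -> bytes:
    """Build a v2 CRL with a placeholder (all-zero, invalid) signature for the offline demo."""
    entries = b"".join(tlv(0x30, der_int(s) + tlv(0x17, b"250321154602Z")) for s in revoked)
    crl_number_ext = tlv(0x30, tlv(0x06, OID_CRL_NUMBER) + tlv(0x04, der_int(crl_number)))
    tbs = tlv(0x30, der_int(1) + SIG_ALG + ISSUER
              + tlv(0x17, b"250321154602Z") + tlv(0x17, b"250321174602Z")
              + (tlv(0x30, entries) if revoked else b"")
              + tlv(0xA0, tlv(0x30, crl_number_ext)))
    return tlv(0x30, tbs + SIG_ALG + tlv(0x03, b"\x00" + bytes(32)))


REVOKED_ON_CLONE = 0xA74B9C03CA3E331DBA10AFC896FCE51D   # serial from the issue's master log
STALE_CRL = sample_crl(7, [0x1234])                     # what the master served before the revocation
FRESH_CRL = sample_crl(8, [0x1234, REVOKED_ON_CLONE])   # what an immediate full-CRL update should serve

if __name__ == "__main__":
    for name, der in (("stale", STALE_CRL), ("fresh", FRESH_CRL)):
        info = parse_crl(der)
        print(f"{name}: cRLNumber={info['crl_number']} revoked={[hex(s) for s in sorted(info['revoked'])]}")
    print("revocation published:", revocation_published(FRESH_CRL, REVOKED_ON_CLONE, previous_crl_number=7))
```

To use it against a real deployment, record the master's cRLNumber before revoking on the clone, revoke, then re-download the master's full CRL and call `revocation_published(der, serial, previous_crl_number)`; checking the cRLNumber as well as the serial distinguishes a genuinely re-issued CRL from a cached copy of the old one, which is exactly the difference between the expected and actual result reported above.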

@fmarco76
Member

Have you configured it like in this workflow: https://github.com/dogtagpki/pki/blob/master/.github/workflows/ca-crl-test.yml#L76

@jmisset-cb
Contributor Author

These are all the settings on the Master CA related to CRL:

ca.crl.MasterCRL.allowExtensions=true
ca.crl.MasterCRL.alwaysUpdate=true
ca.crl.MasterCRL.autoUpdateInterval=120
ca.crl.MasterCRL.caCertsOnly=false
ca.crl.MasterCRL.cacheUpdateInterval=15
ca.crl.MasterCRL.class=com.netscape.ca.CRLIssuingPoint
ca.crl.MasterCRL.dailyUpdates=1:00
ca.crl.MasterCRL.description=CA's complete Certificate Revocation List
ca.crl.MasterCRL.enable=true
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.crl.MasterCRL.enableCacheRecovery=true
ca.crl.MasterCRL.enableCacheTesting=false
ca.crl.MasterCRL.enableDailyUpdates=true
ca.crl.MasterCRL.enableUpdateInterval=true
ca.crl.MasterCRL.extendedNextUpdate=true
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocation0=
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessLocationType0=URI
ca.crl.MasterCRL.extension.AuthorityInformationAccess.accessMethod0=caIssuers
ca.crl.MasterCRL.extension.AuthorityInformationAccess.class=com.netscape.cms.crl.CMSAuthInfoAccessExtension
ca.crl.MasterCRL.extension.AuthorityInformationAccess.critical=false
ca.crl.MasterCRL.extension.AuthorityInformationAccess.enable=false
ca.crl.MasterCRL.extension.AuthorityInformationAccess.numberOfAccessDescriptions=1
ca.crl.MasterCRL.extension.AuthorityInformationAccess.type=CRLExtension
ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.class=com.netscape.cms.crl.CMSAuthorityKeyIdentifierExtension
ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.critical=false
ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.enable=true
ca.crl.MasterCRL.extension.AuthorityKeyIdentifier.type=CRLExtension
ca.crl.MasterCRL.extension.CRLNumber.class=com.netscape.cms.crl.CMSCRLNumberExtension
ca.crl.MasterCRL.extension.CRLNumber.critical=false
ca.crl.MasterCRL.extension.CRLNumber.enable=true
ca.crl.MasterCRL.extension.CRLNumber.type=CRLExtension
ca.crl.MasterCRL.extension.CRLReason.class=com.netscape.cms.crl.CMSCRLReasonExtension
ca.crl.MasterCRL.extension.CRLReason.critical=false
ca.crl.MasterCRL.extension.CRLReason.enable=true
ca.crl.MasterCRL.extension.CRLReason.type=CRLEntryExtension
ca.crl.MasterCRL.extension.DeltaCRLIndicator.class=com.netscape.cms.crl.CMSDeltaCRLIndicatorExtension
ca.crl.MasterCRL.extension.DeltaCRLIndicator.critical=true
ca.crl.MasterCRL.extension.DeltaCRLIndicator.enable=false
ca.crl.MasterCRL.extension.DeltaCRLIndicator.type=CRLExtension
ca.crl.MasterCRL.extension.FreshestCRL.class=com.netscape.cms.crl.CMSFreshestCRLExtension
ca.crl.MasterCRL.extension.FreshestCRL.critical=false
ca.crl.MasterCRL.extension.FreshestCRL.enable=false
ca.crl.MasterCRL.extension.FreshestCRL.numPoints=0
ca.crl.MasterCRL.extension.FreshestCRL.pointName0=
ca.crl.MasterCRL.extension.FreshestCRL.pointType0=
ca.crl.MasterCRL.extension.FreshestCRL.type=CRLExtension
ca.crl.MasterCRL.extension.InvalidityDate.class=com.netscape.cms.crl.CMSInvalidityDateExtension
ca.crl.MasterCRL.extension.InvalidityDate.critical=false
ca.crl.MasterCRL.extension.InvalidityDate.enable=true
ca.crl.MasterCRL.extension.InvalidityDate.type=CRLEntryExtension
ca.crl.MasterCRL.extension.IssuerAlternativeName.class=com.netscape.cms.crl.CMSIssuerAlternativeNameExtension
ca.crl.MasterCRL.extension.IssuerAlternativeName.critical=false
ca.crl.MasterCRL.extension.IssuerAlternativeName.enable=false
ca.crl.MasterCRL.extension.IssuerAlternativeName.name0=
ca.crl.MasterCRL.extension.IssuerAlternativeName.nameType0=
ca.crl.MasterCRL.extension.IssuerAlternativeName.numNames=0
ca.crl.MasterCRL.extension.IssuerAlternativeName.type=CRLExtension
ca.crl.MasterCRL.extension.IssuingDistributionPoint.class=com.netscape.cms.crl.CMSIssuingDistributionPointExtension
ca.crl.MasterCRL.extension.IssuingDistributionPoint.critical=true
ca.crl.MasterCRL.extension.IssuingDistributionPoint.enable=false
ca.crl.MasterCRL.extension.IssuingDistributionPoint.indirectCRL=false
ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsCACerts=false
ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlyContainsUserCerts=false
ca.crl.MasterCRL.extension.IssuingDistributionPoint.onlySomeReasons=
ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointName=
ca.crl.MasterCRL.extension.IssuingDistributionPoint.pointType=
ca.crl.MasterCRL.extension.IssuingDistributionPoint.type=CRLExtension
ca.crl.MasterCRL.includeExpiredCerts=false
ca.crl.MasterCRL.minUpdateInterval=0
ca.crl.MasterCRL.nextUpdateGracePeriod=1320
ca.crl.MasterCRL.publishOnStart=false
ca.crl.MasterCRL.saveMemory=false
ca.crl.MasterCRL.signingAlgorithm=SHA256withRSA
ca.crl.MasterCRL.startingCrlNumber=0
ca.crl.MasterCRL.unexpectedExceptionLoopMax=10
ca.crl.MasterCRL.unexpectedExceptionWaitTime=30
ca.crl.MasterCRL.updateSchema=1
dbs.replicaCloneTransferNumber=5
ca.crl.MasterCRL.nextAsThisUpdateExtension=120
ca.crl.MasterCRL.includeExpiredCertsOneExtraTime=true
ca.listenToCloneModifications=true
ca.certStatusUpdateInterval=600

I've updated the ca.certStatusUpdateInterval from 600 to 60 as in the workflow, but that does not resolve the issue.

@fmarco76
Member

After the interval, or with the update service, does the CRL get updated?

@jmisset-cb
Contributor Author

Yes, in those cases the CRL does get updated.

@fmarco76
Member

In this case the problem seems more related to configuration, but this is to be verified.
