search

dlgroep / fetch-crl

The fetch-crl utility will retrieve certificate revocation lists (CRLs) for a set of installed trust anchors, based on crl_url files or IGTF-style info files. It will install these for use with OpenSSL, NSS or third-party tools.
https://www.nikhef.nl/pdp/fetchcrl3/
Apache License 2.0
6 stars 0 forks source link

RHEL9: fetch-crl-boot.service failed #5

Open ggrein opened 1 month ago

ggrein commented 1 month ago

On my RHEL9 servers starting the fetch-crl-boot.service fails with error "Failed to start LSB".

Service fetch-crl-cron is running properly: systemd[1]: Starting LSB: Run the certificate revocation lists update periodically via cron fetch-crl-cron[1361]: Enabling periodic fetch-crl: [ OK ] systemd[1]: Started LSB: Run the certificate revocation lists update periodically via cron

How can I fix this?

dlgroep commented 1 month ago

Which distribution packaging source are you using for fetch-crl? The systemd unit files are added in EPEL (and maybe Debian) packaging by the package maintainers, and not part of the fetch-crl source itself. So the fault may then lie with the EPEL package. But some more details, like the output of journalcrl -xe, would be helpful :)

ggrein commented 1 month ago

Hi David,

I use version 3.0.23-1 from https://dist.eugridpma.info/distribution/util/fetch-crl/

Here is the output of journalctl -xe after trying to start fetcht-crl-boot:

May 27 08:06:33 test-cn-rh9.ggus.eu systemd[1]: Starting LSB: Run of fetch-crl, a crl updater, on boot>

░░ Subject: A start job for unit fetch-crl-boot.service has begun execution

░░ Defined-By: systemd

░░ Support: https://access.redhat.com/support

░░

░░ A start job for unit fetch-crl-boot.service has begun execution.

░░

░░ The job identifier is 139516.

May 27 08:06:35 test-cn-rh9.ggus.eu fetch-crl-boot[764690]: Running fetch-crl on boot:

May 27 08:06:35 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for ArmeSFo/>

May 27 08:06:41 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for DigiCert>

May 27 08:06:48 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for IHEP-201>

May 27 08:06:51 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for LIPCA/0 >

May 27 08:06:52 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for MARGI/0 >

May 27 08:06:58 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for PK-Grid->

May 27 08:07:03 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for RDIG/0 (>

May 27 08:07:04 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for Romanian>

May 27 08:07:04 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for SRCE/0 (>

May 27 08:07:05 test-cn-rh9.ggus.eu fetch-crl-boot[764694]: ERROR CRL verification failed for TRGrid/0>

May 27 08:07:11 test-cn-rh9.ggus.eu fetch-crl-boot[764690]: [FAILED]

May 27 08:07:11 test-cn-rh9.ggus.eu systemd[1]: fetch-crl-boot.service: Control process exited, code=e>

░░ Subject: Unit process exited

░░ Defined-By: systemd

░░ Support: https://access.redhat.com/support

░░

░░ An ExecStart= process belonging to unit fetch-crl-boot.service has exited.

░░

░░ The process' exit code is 'exited' and its exit status is 1.

May 27 08:07:11 test-cn-rh9.ggus.eu systemd[1]: fetch-crl-boot.service: Failed with result 'exit-code'.

░░ Subject: Unit failed

░░ Defined-By: systemd

░░ Support: https://access.redhat.com/support

░░

░░ The unit fetch-crl-boot.service has entered the 'failed' state with result 'exit-code'.

May 27 08:07:11 test-cn-rh9.ggus.eu systemd[1]: Failed to start LSB: Run of fetch-crl, a crl updater, >

░░ Subject: A start job for unit fetch-crl-boot.service has failed

░░ Defined-By: systemd

░░ Support: https://access.redhat.com/support

░░

░░ A start job for unit fetch-crl-boot.service has finished with a failure.

░░

░░ The job identifier is 139516 and the job result is failed.

May 27 08:07:11 test-cn-rh9.ggus.eu systemd[1]: fetch-crl-boot.service: Consumed 5.750s CPU time.

░░ Subject: Resources consumed by unit runtime

░░ Defined-By: systemd

░░ Support: https://access.redhat.com/support

░░

░░ The unit fetch-crl-boot.service completed and consumed the indicated resources.

Regards,

Guenter

Von: David Groep @.> Gesendet: Sonntag, 26. Mai 2024 18:31 An: dlgroep/fetch-crl @.> Cc: Grein, Günter (SCC) @.>; Author @.> Betreff: Re: [dlgroep/fetch-crl] RHEL9: fetch-crl-boot.service failed (Issue #5)

Which distribution packaging source are you using for fetch-crl? The systemd unit files are added in EPEL (and maybe Debian) packaging by the package maintainers, and not part of the fetch-crl source itself. So the fault may then lie with the EPEL package. But some more details, like the output of journalcrl -xe, would be helpful :)

— Reply to this email directly, view it on GitHub https://github.com/dlgroep/fetch-crl/issues/5#issuecomment-2132278508 , or unsubscribe https://github.com/notifications/unsubscribe-auth/AWNQSQ2ZY7CGAHAKYSXPYQ3ZEIE4ZAVCNFSM6AAAAABIBANQNGVHI2DSMVQWIX3LMV43OSLTON2WKQ3PNVWWK3TUHMZDCMZSGI3TQNJQHA . You are receiving this because you authored the thread. https://github.com/notifications/beacon/AWNQSQZPZV5TV7BW74RLLMTZEIE4ZA5CNFSM6AAAAABIBANQNGWGG33NNVSW45C7OR4XAZNMJFZXG5LFINXW23LFNZ2KUY3PNVWWK3TUL5UWJTT7C76OY.gif Message ID: @. @.> >