dogtagpki / pki

The Dogtag Certificate System is an enterprise-class Certificate Authority (CA) which supports all aspects of certificate lifecycle management, including key archival, OCSP and smartcard management.
https://www.dogtagpki.org
GNU General Public License v2.0

OCSP on pkidestroy should ask the CA to remove its publisher. #1924

Open pki-bot opened 4 years ago

pki-bot commented 4 years ago

This issue was migrated from Pagure Issue #1362. Originally filed by jmagne (@jmagne) on 2015-05-01 18:55:37:


This is based on observations when working on another ticket.

  1. Create a CA

  2. Create a master OCSP, this results in the installer procedure registering this CRL as a publisher within the CA.

  3. Perform pkidestroy on the OCSP.

  4. Based upon my observations, the now deceased OCSP is still listed in the config as a publisher and the publishing rule is still active.

Additional info:

I actually tried the following scenario by creating and deleting an outboard OCSP. The following occurred:

  1. The config was not changed in the CA's CS.cfg.
  2. I went into the agent interface to schedule a CRL publish.
  3. The publish was attempted even though the OCSP is gone.
  4. The logs here show the following for this event:

[01/May/2015:09:50:38][CRLIssuingPoint-MasterCRL]: Publish CRL
[01/May/2015:09:50:38][CRLIssuingPoint-MasterCRL]: OCSPPublisher: Host='localhost.localdomain' Port='8443' URL='/ocsp/agent/ocsp/addCRL'
[01/May/2015:09:50:38][CRLIssuingPoint-MasterCRL]: OCSPPublisher: start CRL sending startTime=1430499038798
[01/May/2015:09:50:38][CRLIssuingPoint-MasterCRL]: OCSPPublisher: done CRL sending endTime=1430499038798 diff=0
[01/May/2015:09:51:38][CRLIssuingPoint-MasterCRL]: CRL published.

At least the debug log is not reporting the failure; some other one I may need to check.

At the very least though, the CA should not even have to attempt to publish to defunct publishing targets for the CRL. At the very minimum, if we want to preserve the entry in the name of non-destructive behavior, we disable the publisher and re-enable it later if it gets re-added in the future.
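As an added example, not part of this issue or of Dogtag's own code: the "disable rather than delete" mitigation proposed above, modelled against a constructed CS.cfg fragment. The publisher and rule key names follow the OCSPPublisher-<host>-<port> / ocsprule-<host>-<port> naming pattern as an assumption, and the inventory of live responders is constructed.

```python
import re

# Constructed CS.cfg fragment; key names assume Dogtag's OCSPPublisher-<host>-<port> /
# ocsprule-<host>-<port> pattern. ocsp2 has been pkidestroy'd but is still configured.
CS_CFG = """\
ca.publish.publisher.instance.OCSPPublisher-ocsp1-8443.pluginName=OCSPPublisher
ca.publish.publisher.instance.OCSPPublisher-ocsp1-8443.host=ocsp1.example.test
ca.publish.publisher.instance.OCSPPublisher-ocsp1-8443.port=8443
ca.publish.publisher.instance.OCSPPublisher-ocsp2-8443.pluginName=OCSPPublisher
ca.publish.publisher.instance.OCSPPublisher-ocsp2-8443.host=ocsp2.example.test
ca.publish.publisher.instance.OCSPPublisher-ocsp2-8443.port=8443
ca.publish.rule.instance.ocsprule-ocsp1-8443.enable=true
ca.publish.rule.instance.ocsprule-ocsp1-8443.publisher=OCSPPublisher-ocsp1-8443
ca.publish.rule.instance.ocsprule-ocsp2-8443.enable=true
ca.publish.rule.instance.ocsprule-ocsp2-8443.publisher=OCSPPublisher-ocsp2-8443
"""
# Responders actually deployed (constructed inventory; in practice this comes from
# deployment records, never from the CA config being checked).
LIVE_OCSP = {("ocsp1.example.test", 8443)}
PUB_RE = re.compile(r"^ca\.publish\.publisher\.instance\.([^.]+)\.(host|port|pluginName)=(.*)$")
RULE_RE = re.compile(r"^ca\.publish\.rule\.instance\.([^.]+)\.publisher=(.*)$")

def parse(cfg):
    """Collect publisher attributes and rule -> publisher bindings from CS.cfg text."""
    publishers, rules = {}, {}
    for line in cfg.splitlines():
        if m := PUB_RE.match(line):
            publishers.setdefault(m.group(1), {})[m.group(2)] = m.group(3)
        elif m := RULE_RE.match(line):
            rules[m.group(1)] = m.group(2)
    return publishers, rules

def orphaned_publishers(cfg, live):
    """OCSPPublisher instances whose host:port is no longer a deployed responder."""
    publishers, _ = parse(cfg)
    return sorted(n for n, p in publishers.items()
                  if p.get("pluginName") == "OCSPPublisher"
                  and (p.get("host"), int(p.get("port", 0))) not in live)

def disable_orphaned_rules(cfg, live):
    """Set enable=false on rules feeding orphaned publishers (entries are kept for later re-enable)."""
    orphans = set(orphaned_publishers(cfg, live))
    _, rules = parse(cfg)
    dead = {r for r, pub in rules.items() if pub in orphans}
    out = []
    for line in cfg.splitlines():
        key = line.split("=", 1)[0]
        if key.endswith(".enable") and key.split(".")[-2] in dead:
            line = key + "=false"  # rule stays in CS.cfg, only its enable flag flips
        out.append(line)
    return "\n".join(out) + "\n", sorted(dead)
```

The CA then skips the defunct target at CRL publish time, and re-adding the OCSP only requires flipping the flag back rather than recreating the publisher.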

pki-bot commented 4 years ago

Comment from mharmsen (@mharmsen) at 2015-05-04 20:18:14

Per CS/DS meeting of 05/04/2015: 10.3

pki-bot commented 4 years ago

Comment from jmagne (@jmagne) at 2017-02-27 13:58:22

Metadata Update from @jmagne: