fedora-infra / aaa-tracker

This project will not host code but will be only used as issue/task tracker for AAA deployment (Fedora/CentOS)

expose a publicly reachable CRL .pem file #14

Closed arrfab closed 3 years ago

arrfab commented 4 years ago

For nodes using TLS/x509 authentication, IPA should create/refresh a CRL (Certificate Revocation List) and expose it publicly (a proxypass or something on fasjson, but at least publicly reachable) so that all services using such kind of authentication can know which certs are revoked and so are denied access

arrfab commented 4 years ago

It's used at various places, like for example https://github.com/CentOS/ansible-role-kojihub/blob/master/tasks/tls.yml#L40

Currently such CRL is publicly available at https://accounts.centos.org/ca/crl.pem (and so retrieved/used by some services, like kojihub )

tiran commented 4 years ago

The CRL DP and OCSP responder addresses are encoded in each certificate. Every IPA server with a CA is a CRL distribution point and OCSP responder. The CRL master can serve CRLs from disk. All other CA servers have to serve CRLs from LDAP. IPA also creates an ipa-ca.$domain hostname that acts as an alias for all CA servers.

How do you consume CRL? IPA creates a new CRL every three four hours and the CRL is valid for exactly three four hours. Currently CRL validity does not overlap. There is no sliding window.
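Added example, not code from this issue or from FreeIPA/Dogtag: what a consumer such as kojihub has to do with the two points above, i.e. read the CRL DP URI out of a certificate, verify a fetched CRL against the CA and check that "now" falls inside its non-overlapping validity window, and look a serial number up in it. The CA, the leaf certificate and the CRL are constructed in-process with throwaway keys; the URL `http://ipa-ca.example.test/ipa/crl/MasterCRL.bin`, the four-hour CRL lifetime and the 15-minute refresh margin are assumptions for the example, not IPA's actual configuration. It needs the `cryptography` package.

```python
"""Consume a CRL the way tiran describes: CRL DP from the cert, validity
window on the CRL, revocation lookup. Added example with constructed data."""
import datetime as dt

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import rsa
from cryptography.x509.oid import NameOID

# Assumed placeholder endpoint, not a real IPA CRL distribution point.
CRL_URI = "http://ipa-ca.example.test/ipa/crl/MasterCRL.bin"
# Assumed lifetime: IPA issues a CRL that is valid for exactly one period,
# with no overlap between consecutive CRLs.
CRL_LIFETIME = dt.timedelta(hours=4)
REFRESH_MARGIN = dt.timedelta(minutes=15)  # assumed safety buffer


def _name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def _utc(value):
    # Older cryptography releases return naive UTC datetimes; normalise.
    return value if value.tzinfo else value.replace(tzinfo=dt.timezone.utc)


def build_test_pki(now):
    """Constructed test data: CA, leaf cert carrying a CRL DP, and a CRL
    signed by the CA that revokes the leaf. Returns (ca, leaf, crl)."""
    ca_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    ca = (x509.CertificateBuilder()
          .subject_name(_name("Test CA")).issuer_name(_name("Test CA"))
          .public_key(ca_key.public_key())
          .serial_number(x509.random_serial_number())
          .not_valid_before(now - dt.timedelta(days=1))
          .not_valid_after(now + dt.timedelta(days=365))
          .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
          .sign(ca_key, hashes.SHA256()))
    leaf_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    crl_dp = x509.CRLDistributionPoints([x509.DistributionPoint(
        full_name=[x509.UniformResourceIdentifier(CRL_URI)],
        relative_name=None, reasons=None, crl_issuer=None)])
    leaf = (x509.CertificateBuilder()
            .subject_name(_name("koji.example.test")).issuer_name(ca.subject)
            .public_key(leaf_key.public_key())
            .serial_number(x509.random_serial_number())
            .not_valid_before(now - dt.timedelta(days=1))
            .not_valid_after(now + dt.timedelta(days=30))
            .add_extension(crl_dp, critical=False)
            .sign(ca_key, hashes.SHA256()))
    revoked = (x509.RevokedCertificateBuilder()
               .serial_number(leaf.serial_number).revocation_date(now).build())
    crl = (x509.CertificateRevocationListBuilder()
           .issuer_name(ca.subject)
           .last_update(now).next_update(now + CRL_LIFETIME)
           .add_revoked_certificate(revoked)
           .sign(ca_key, hashes.SHA256()))
    return ca, leaf, crl


def crl_dp_uris(cert):
    """URIs from the CRL Distribution Points extension encoded in the cert."""
    try:
        ext = cert.extensions.get_extension_for_class(x509.CRLDistributionPoints)
    except x509.ExtensionNotFound:
        return []
    return [n.value for dp in ext.value for n in (dp.full_name or [])
            if isinstance(n, x509.UniformResourceIdentifier)]


def crl_status(crl, ca, now):
    """'bad-signature', 'not-yet-valid', 'expired' or 'ok'. Since successive
    CRLs do not overlap, a late refresh shows up here as 'expired'."""
    if not crl.is_signature_valid(ca.public_key()):
        return "bad-signature"
    if now < _utc(crl.last_update):
        return "not-yet-valid"
    if now >= _utc(crl.next_update):
        return "expired"
    return "ok"


def is_revoked(crl, cert):
    return crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None


def refresh_due_in(crl, now):
    """Seconds until the consumer should re-download; negative means overdue."""
    return (_utc(crl.next_update) - REFRESH_MARGIN - now).total_seconds()


def demo():
    """Run the checks on the constructed PKI and return the results."""
    now = dt.datetime.now(dt.timezone.utc).replace(microsecond=0)
    ca, leaf, crl = build_test_pki(now)
    return {
        "dp": crl_dp_uris(leaf),
        "ca_dp": crl_dp_uris(ca),
        "now": crl_status(crl, ca, now),
        "late": crl_status(crl, ca, now + CRL_LIFETIME),
        "early": crl_status(crl, ca, now - dt.timedelta(seconds=1)),
        "wrong_key": crl_status(crl, leaf, now),   # leaf key did not sign the CRL
        "leaf_revoked": is_revoked(crl, leaf),
        "ca_revoked": is_revoked(crl, ca),
        "refresh_in": refresh_due_in(crl, now),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point of the `late` case is the one tiran raises: a consumer that caches the CRL for longer than its lifetime will hold an expired CRL and, because the next one does not overlap, has no grace period unless the master is reconfigured to provide one.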

arrfab commented 4 years ago

Some links given by @tiran

Basically some services (like kojihub) would retrieve it (at init/install time) and then would download/revalidate it (and reload httpd). Our current role uses a locally downloaded CRL file: https://github.com/CentOS/ansible-role-kojihub/blob/master/templates/httpd/ssl-koji.conf.j2#L32

abbra commented 3 years ago

If you'd do a reverse proxy of ipa-ca.$domain, that might be enough?

tiran commented 3 years ago

I recommend that you reconfigure Dogtag's ca.crl.MasterCRL.nextUpdateGracePeriod and do some sort of caching. Otherwise your reverse proxy might be hitting and overloading a Dogtag server that has to retrieve the CRL from 389-DS all the time.

arrfab commented 3 years ago

Sorry, haven't found the URL to the CRL. It seems to be behind ipa-ca.$domain, but what about the URI?

arrfab commented 3 years ago

Just to confirm that @markobrien1 worked on this and it's available through an external URL at https://id.fedoraproject.org/ipa/crl/MasterCRL.bin. Closing.

tiran commented 3 years ago

Did you configure ca.crl.MasterCRL.nextUpdateGracePeriod on the CRL master?