#2568 generating the crl on fas01 is failing
Closed: Fixed None Opened 13 years ago by toshio.

= phenomenon =

Last night people started getting errors trying to do authenticated actions with koji (https://koji.fedoraproject.org/koji, building, etc).

Tracked it down to this log message on koji01:
{{{
[Tue Jan 18 09:29:36 2011] [warn] Found CRL is expired - revoking all certificates until you get updated CRL
[Tue Jan 18 09:29:36 2011] [error] Certificate Verification: Error (12): CRL has expired
}}}

Looking at the crl on fas01, it hadn't been updated in a month. I tried to regenerate as the apache user but that failed. I think it failed to read the Makefile, as the error was:
{{{
[root@fas01 fedora-ca]# sudo -u apache /usr/bin/make gencrl
make: *** No rule to make target `gencrl'. Stop
}}}

I turned off selinux and tried again and got the same error. Then ran make gencrl as root and the crl was successfully updated. Turned selinux back on afterwards.

At this point we should have an updated crl to last us another month but if you could look into why the crl isn't being generated automatically that would be a big help. Thanks.


Back on RHEL5, we had some very strange permission issues that required gencrl to be run as the apache user. I just switched it to run daily as the fas user, so we should take a look tonight to make sure that it runs fine.

This is confirmed fixed now.
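
The outage above began only once the CRL had already expired, so a check that watches the CRL's `nextUpdate` field independently of the job that regenerates it would have flagged the problem earlier. The following is an added example, not part of the ticket or of Fedora's infrastructure code. The function names, the 7-day warning window, the exit codes and the sample date are assumptions; it reads the date by calling `openssl crl -noout -nextupdate`.

```python
import subprocess
import sys
from datetime import datetime, timedelta, timezone

EXIT_CODES = {"OK": 0, "WARN": 1, "EXPIRED": 2}  # Nagios-style convention


def parse_next_update(line):
    """Parse the 'nextUpdate=Jan 17 20:00:00 2011 GMT' line openssl prints."""
    key, _, value = line.strip().partition("=")
    if key != "nextUpdate":
        raise ValueError(f"not a nextUpdate line: {line!r}")
    # Raises ValueError for 'NONE' (CRL without a nextUpdate field) as well.
    stamp = datetime.strptime(value, "%b %d %H:%M:%S %Y GMT")
    return stamp.replace(tzinfo=timezone.utc)


def crl_status(next_update, now, warn=timedelta(days=7)):
    """Classify a CRL by how much validity is left at time `now`."""
    remaining = next_update - now
    if remaining <= timedelta(0):
        return "EXPIRED"
    return "WARN" if remaining <= warn else "OK"


def check_crl_file(path, now=None):
    """Read nextUpdate from a PEM CRL with the openssl CLI and classify it."""
    out = subprocess.run(
        ["openssl", "crl", "-in", path, "-noout", "-nextupdate"],
        check=True, capture_output=True, text=True,
    ).stdout
    return crl_status(parse_next_update(out), now or datetime.now(timezone.utc))


# Constructed sample value, not taken from the real fas01 CRL.
SAMPLE_LINE = "nextUpdate=Jan 17 20:00:00 2011 GMT"

if __name__ == "__main__":
    if len(sys.argv) != 2:
        sys.exit("usage: check_crl.py /path/to/crl.pem")
    try:
        status = check_crl_file(sys.argv[1])
    except (OSError, ValueError, subprocess.CalledProcessError) as exc:
        print(f"CRL check failed: {exc}")
        sys.exit(2)  # an unreadable CRL is as bad as an expired one
    print(f"CRL status: {status}")
    sys.exit(EXIT_CODES[status])
```

Run from monitoring rather than from the same cron job that calls `make gencrl`, so a silent failure of the generator still produces an alert before `nextUpdate` passes.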
