Enterprise Identity Management (IdM) PKI Cannot Publish CRL After Upgrade to Red Hat Enterprise Linux 6.4/IdM 3.0
Issue
- The directory where IdM PKI publishes the CRL (/var/lib/ipa/pki-ca/publish/) gets incorrect ownership after the ipa-server package is updated or reinstalled, which prevents PKI from updating the CRL in this directory:
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root pkiuser 12288 May 17 04:49 . <<< owned by pkiuser group
drwxr-xr-x. 3 root root 4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser 414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser 57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der
- The ownership of /var/lib/ipa/pki-ca/publish/ changes when the freeipa-server package gets reinstalled or updated:
# yum reinstall ipa-server
# ls -la /var/lib/ipa/pki-ca/publish/
total 244
drwxr-xr-x. 2 root root 12288 May 17 04:49 . <<< owned by root
drwxr-xr-x. 3 root root 4096 May 17 04:49 ..
...
-rw-rw-r--. 1 pkiuser pkiuser 414 May 17 01:00 MasterCRL-20130517-010000.der
lrwxrwxrwx. 1 pkiuser pkiuser 57 May 17 01:00 MasterCRL.bin -> /var/lib/ipa/pki-ca/publish/MasterCRL-20130517-010000.der
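A post-update check for this condition, added here as an example and not taken from Red Hat's article: it tests whether an account may create files in the publish directory according to the directory's owner, group and mode bits, and whether any MasterCRL-*.der file has been written recently. The function names and the 1440-minute threshold are assumptions, and GNU stat and find are assumed.

```shell
#!/bin/sh
# Added example, not Red Hat's code. Assumes GNU stat/find (as on RHEL).

# Succeeds if numeric uid/gid may create files in dir, judged from the
# directory's owner, group and mode bits (primary group only, no ACLs).
crl_dir_writable_by() {
    dir=$1 uid=$2 gid=$3
    info=$(stat -c '%u %g %a' "$dir") || return 2
    set -- $info
    d_uid=$1 d_gid=$2
    mode=$(printf '%04d' "$3")      # e.g. 755 -> 0755, 2775 -> 2775
    perms=${mode#?}                 # drop the setuid/setgid/sticky digit
    if [ "$uid" = "$d_uid" ]; then
        digit=${perms%??}           # owner class
    elif [ "$gid" = "$d_gid" ]; then
        rest=${perms#?}; digit=${rest%?}   # group class
    else
        digit=${perms#??}           # other class
    fi
    case $digit in
        3|7) return 0 ;;            # write and search bits both set
        *)   return 1 ;;
    esac
}

# Succeeds (CRL is stale) if no MasterCRL-*.der was modified in the last max_min minutes.
crl_is_stale() {
    dir=$1 max_min=$2
    fresh=$(find "$dir" -maxdepth 1 -name 'MasterCRL-*.der' -mmin "-$max_min" | head -n 1)
    [ -z "$fresh" ]
}

# Report for one publish directory; account name and threshold are arguments.
check_crl_publish() {
    dir=$1 user=$2 max_min=$3 rc=0
    if ! crl_dir_writable_by "$dir" "$(id -u "$user")" "$(id -g "$user")"; then
        echo "FAIL: $user cannot write to $dir ($(stat -c '%U:%G %a' "$dir"))"; rc=1
    fi
    if crl_is_stale "$dir" "$max_min"; then
        echo "FAIL: no CRL published in $dir within $max_min minutes"; rc=1
    fi
    return $rc
}

# Usage (1440 minutes is an assumed threshold; set it to your CRL update interval):
#   check_crl_publish /var/lib/ipa/pki-ca/publish pkiuser 1440
```

Running the check after every ipa-server package transaction catches the ownership change before clients start seeing an expired CRL.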
Environment
- Red Hat Enterprise Linux 6.4
- Enterprise Identity Management 3.0
