Posted to users@httpd.apache.org by Hendrik Harms <he...@gmail.com> on 2022/03/31 16:52:55 UTC

[users@httpd] SSLCARevocationPath CRLs not reloaded after update

Hi httpd users,

I only want to allow clients to log in with a valid certificate that has
not been revoked.
For this I wrote a small bash script to download the CRL of each CA I've
configured in the ca-bundle.crt, convert it into PEM format and create the
required hash symlinks.

httpd-2.4.52
openssl-1.1.1m
<VirtualHost _default_:8443>
  ...
  SSLCACertificateFile "/etc/httpd/ca-bundle.crt"
  SSLEngine on
  SSLProtocol TLSv1.2
  ...
  SSLCARevocationPath  "/var/httpd/crl/"
  SSLCARevocationCheck chain
  SSLVerifyClient require
  SSLVerifyDepth  3
  ...
</VirtualHost>

The setup ran properly, but after a few days of uptime I got errors like
this
[2022-03-30 17:10:00.807034] [ssl:error] [C:W5J48KAelwE] AH02039:
Certificate Verification: Error (12): CRL has expired

The CRLs and symlinks in my crl directory were up to date. But the httpd
did not read them after they were updated. So the httpd runs into the
expiration date of the old CRLs.
Searching for this problem I found this old entry in the bugzilla:
https://bz.apache.org/bugzilla/show_bug.cgi?id=14104
Does the problem of httpd-2.0.x still exist in httpd-2.4.x, or do I have a
misconfiguration in my setup?

From my point of view there are two possible workarounds but both are not
very nice:
  A) gracefully restart the httpd after updating the CRL files
  B) set MaxConnectionsPerChild to a small value.

regards,
Hendrik

-- 
----------------------------------------------------------
Hendrik Harms
mail: hendrik.harms@gmail.com

[users@httpd] Re: SSLCARevocationPath CRLs not reloaded after update

Posted by Hendrik Harms <he...@gmail.com>.
Hi John,

restarting gracefully after updating a CRL file was already one of my
options. But I hoped that there is a more elegant way to refresh the lists
of revoked certificates.
So the best workaround is still to add the graceful restart to my script
which loads the CRLs onto my server. :-(

Thanks,
Hendrik

On Thu, 31 Mar 2022 at 19:01, Orendt, John wrote:

> Hi
>
> After updating the CRL files, if there is a change in the CRL files, then
> restart the httpd gracefully.
>
> You need to check and compare periodically.
>
> John Orendt
>

[users@httpd] RE: [EXTERNAL] [users@httpd] SSLCARevocationPath CRLs not reloaded after update

Posted by "Orendt, John" <jo...@medtronic.com.INVALID>.
Hi

After updating the CRL files, if there is a change in the CRL files, then restart the httpd gracefully.

You need to check and compare periodically.

John Orendt
John.p.orendt@medtronic.com

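The procedure discussed in this thread (fetch each CA's CRL, convert it to PEM, rebuild the hash symlinks, then compare and reload httpd gracefully only when something changed) written out as a single script. This is an added example, not the original poster's script and not part of httpd. It assumes the paths from the posted configuration, that each CA certificate in the bundle carries an http(s) CRL Distribution Point, that `apachectl graceful` is the right reload command for your installation, and that the script only acts when invoked with the argument `run`; all of these are assumptions. mod_ssl reads SSLCARevocationPath when its configuration is loaded, so a graceful restart is what makes new CRL files visible; the script also verifies each downloaded CRL against the CA that issued it before installing it, since a CRL fetched over plain http is only trustworthy after that signature check.

```shell
#!/bin/sh
# Added example (not the original poster's script): refresh the CRLs under
# SSLCARevocationPath from the CAs in SSLCACertificateFile and reload httpd
# gracefully only when a CRL actually changed. Paths, the reload command and
# the "run" argument are assumptions; adjust them to your installation.
set -eu

CA_BUNDLE="${CA_BUNDLE:-/etc/httpd/ca-bundle.crt}"   # SSLCACertificateFile
CRL_DIR="${CRL_DIR:-/var/httpd/crl}"                  # SSLCARevocationPath
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"        # assumed reload command

# Split a PEM bundle ($1) into one file per certificate in $2 and print the
# number of certificates written. Pure awk, so it needs no openssl.
split_bundle() {
    awk -v dir="$2" '
        /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/ca-" n ".pem" }
        out != ""                     { print > out }
        /-----END CERTIFICATE-----/   { close(out); out = "" }
        END                           { print n + 0 }
    ' "$1"
}

# Print the first http(s) CRL Distribution Point URI of certificate $1, if any.
crl_url_for_cert() {
    openssl x509 -in "$1" -noout -ext crlDistributionPoints 2>/dev/null |
        sed -n 's/.*URI:\(https\{0,1\}:[^ ,]*\).*/\1/p' | head -n 1
}

# Download CRL $1 and store it as PEM in $2, converting from DER if needed
# (most CAs publish DER; mod_ssl's hash directory wants PEM).
fetch_crl_pem() {
    tmp=$(mktemp)
    curl -fsS --max-time 30 -o "$tmp" "$1"
    if grep -q 'BEGIN X509 CRL' "$tmp"; then
        cp "$tmp" "$2"
    else
        openssl crl -inform DER -in "$tmp" -outform PEM -out "$2"
    fi
    rm -f "$tmp"
}

# True (exit 0) if the *.pem files in $1 and $2 differ by name or content.
# Uses cksum only. Call it in an if/|| context: under set -e a bare call
# that returns 1 would terminate the script.
crl_set_changed() {
    a=$(cd "$1" && for f in *.pem; do if [ -f "$f" ]; then cksum "$f"; fi; done)
    b=$(cd "$2" && for f in *.pem; do if [ -f "$f" ]; then cksum "$f"; fi; done)
    [ "$a" != "$b" ]
}

# Fetch every CA's CRL into a staging directory, verify each CRL's signature
# against the CA that issued it, and only then swap the directory and reload.
update_crls() {
    work=$(mktemp -d)
    mkdir -p "$work/certs" "$work/new" "$CRL_DIR"
    count=$(split_bundle "$CA_BUNDLE" "$work/certs")
    [ "$count" -gt 0 ] || { echo "no certificates in $CA_BUNDLE" >&2; exit 1; }

    for cert in "$work/certs"/*.pem; do
        url=$(crl_url_for_cert "$cert")
        [ -n "$url" ] || continue            # CA without a CDP: nothing to fetch
        name=$(openssl x509 -in "$cert" -noout -subject_hash)
        fetch_crl_pem "$url" "$work/new/$name.pem"
        # A CRL fetched over plain http is only trustworthy after this check.
        if ! openssl crl -in "$work/new/$name.pem" -noout -CAfile "$cert" 2>&1 |
                grep -q 'verify OK'; then
            echo "CRL from $url is not signed by $cert, aborting" >&2
            exit 1
        fi
        openssl crl -in "$work/new/$name.pem" -noout -nextupdate   # log the new expiry
    done

    if crl_set_changed "$CRL_DIR" "$work/new"; then
        rm -f "$CRL_DIR"/*.pem "$CRL_DIR"/*.r[0-9]
        cp "$work/new"/*.pem "$CRL_DIR"/
        openssl rehash "$CRL_DIR"     # recreates the <issuer_hash>.rN symlinks
        $RELOAD_CMD                   # only a (graceful) restart re-reads the CRLs
    fi
    rm -rf "$work"
}

# Only act when invoked as "crl-refresh.sh run", e.g. from cron every few hours.
if [ "${1:-}" = "run" ]; then
    update_crls
fi
```

Run it from cron well inside the CRLs' nextUpdate window (the `-nextupdate` line in the output tells you how much slack you have), because once a CRL in httpd's memory passes that date every client certificate is rejected with the AH02039 "CRL has expired" error from the first post, whether or not the files on disk are current. Since the reload only happens when `crl_set_changed` reports a difference, running the job often costs nothing more than the downloads.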