Skip to Content.
Sympa Menu

cat-users - Re: [[cat-users]] static connectivity test: CRL false alarm

cat-users AT lists.geant.org

Subject: The mailing list for users of the eduroam Configuration Assistant Tool (CAT)

List archive

Re: [[cat-users]] static connectivity test: CRL false alarm


Chronological Thread 
  • From: JÁKÓ András <jako.andras AT eik.bme.hu>
  • To: Stefan Winter <stefan.winter AT restena.lu>
  • Cc: cat-users AT lists.geant.org
  • Subject: Re: [[cat-users]] static connectivity test: CRL false alarm
  • Date: Wed, 13 Apr 2016 20:43:12 +0200
  • Organization: Budapest University of Technology and Economics (BME)

> > I noticed that "Static connectivity tests" at
> > https://cat.eduroam.org/admin/action_realmcheck.php report a CRL problem
> > when the CRL is empty (CRL exists and is available, but no certificates
> > revoked yet). Simply revoking a certificate and updating the CRL makes
> > the false alarm go away.
>
> What is the false alert, exactly? That the cert is revoked while it's
> not, or that there is no CRL at the URL?

Stefan, I'm sorry I don't remember the exact error message. I'm sure it
did not say that the cert was revoked. It was something about the CRL
itself.

When I saw the error message I checked that the CRL is available at the
URIs specified in the certificate's "X509v3 CRL Distribution Points"
field, and also checked that the downloaded CRL can be parsed correctly
by openssl, and the CRL's content seemed fine. Then I issued and
revoked a certificate, updated the CRL, run CAT's static connectivity
tests, and the error was gone.

I'm happy to try to reproduce it, when I find some spare time.

Regards,
Andras



Archive powered by MHonArc 2.6.19.

Top of Page