[Eisfair] E32 - mail-certs update problematic

Marcus Röckrath marcus.roeckrath at gmx.de
Tue May 9 14:49:53 CEST 2023


Hello Jürgen,

Jürgen Pfautsch wrote:

> "Marcus Röckrath" wrote in the news posting
> news:0rqpij-87j.ln1 at ID-94514.user.dfncis.de...
> 
> Hello Marcus,
> 
>> Please try again with grepsingleuri instead of grepsingleurionly.
> 
> eis.workgroup # /var/install/bin/certs-update-crl --grepsingleuri
> /var/certs/ssl/certs/webgo24.de.pem
> Certificate revocation list (CRL) handling
> - file webgo24.de.pem ...
> /usr/bin/in.grep: warning: stray \ before !
>   url 'http[s]?://ocsp.sectigo.com/!webgo24.de.pem' already in CRL list.
> checking if CRL files exist ...
> - job '288902' (2022-09-16 22:00) already exists.
> - downloading 'http://ocsp.suscerte.gob.ve/!PSCProcert.pem' ...
> - updating CRL list ...
> - CRL file 'PSCProcert.ocsp' doesn't exist, force download!
> - job '627365' (2023-05-08 14:37->2023-05-09 14:40) created.
>   url: http://ocsp.suscerte.gob.ve/!PSCProcert.pem
> - downloading
> 'http://ocsp02.telesec.de/ocspr/!TeleSec_ServerPass_DE-2.pem' ...
>   file 'http://ocsp02.telesec.de/ocspr/!TeleSec_ServerPass_DE-2.pem'
> download failed!
> - job '79515' (2022-03-12 01:08) already exists.
> - job '82670' (2022-03-10 08:37) already exists.
> - downloading
> 'http://ocsp.usertrust.com/!comodo_rsa_certification_authority.pem' ...
> /usr/bin/in.grep: warning: stray \ before -
>   file 'http://ocsp.usertrust.com/!comodo_rsa_certification_authority.pem'
> download failed!
> - job '624778' (2023-05-10 19:41) already exists.
> - job '624043' (2023-05-10 01:23) already exists.
> - downloading
> 'http://ocsp.digicert.com/!digicert_sha2_secure_server_ca.pem' ...
> /usr/bin/in.grep: warning: stray \ before -
>   file 'http://ocsp.digicert.com/!digicert_sha2_secure_server_ca.pem'
> download failed!
> - downloading 'http://ocsp02.telesec.de/ocspr/!eb20b578.pem' ...
> /usr/bin/in.grep: warning: stray \ before -
>   file 'http://ocsp02.telesec.de/ocspr/!eb20b578.pem' download failed!
> - job '624799' (2023-05-10 20:11) already exists.
> - downloading 'http://ocsp.serverpass.telesec.de/ocspr/!mx.freenet.de.pem'
> ...
> /usr/bin/in.grep: warning: stray \ before -
>   file 'http://ocsp.serverpass.telesec.de/ocspr/!mx.freenet.de.pem'
>   download
> failed!
> - downloading 'http://ocsp.serverpass.telesec.de/ocspr/!pop.web.de.pem'
> ... /usr/bin/in.grep: warning: stray \ before -
>   file 'http://ocsp.serverpass.telesec.de/ocspr/!pop.web.de.pem' download
> failed!
> - job '608841' (2024-03-12 01:02) already exists.
> - job '625106' (2023-05-11 03:50) already exists.
> - job '627318' (2023-05-09 13:56) already exists.
> - downloading 'http://ocsp.thawte.com/!thawte_SSL_CA.pem' ...
> /usr/bin/in.grep: warning: stray \ before -
>   file 'http://ocsp.thawte.com/!thawte_SSL_CA.pem' download failed!
> - job '103700' (2022-03-30 19:05) already exists.
> - job '78200' (2022-03-11 09:28) already exists.
> checking if a task for each at-job has been created ...
> - job '14489' (2022-01-02 18:21) doesn't exist!
>   url: http://ocsp.suscerte.gob.ve/!PSCProcert.pem
> - job '14499' (2022-01-02 18:24) doesn't exist!
>   url: http://ocsp.suscerte.gob.ve/!PSCProcert.pem
> - job '14500' (2022-01-02 18:27) doesn't exist!
>   url: http://ocsp.suscerte.gob.ve/!PSCProcert.pem
> - job '14501' (2022-01-02 18:30) doesn't exist!
>   url: http://ocsp.suscerte.gob.ve/!PSCProcert.pem
> - job '14502' (2022-01-02 18:33) doesn't exist!
>   url: http://ocsp.suscerte.gob.ve/!PSCProcert.pem
> 
> From here on it goes into an endless loop ...

Which has nothing to do with the webgo24 certificate, but rather with
at-jobs that are apparently hanging.

The widely diverging job numbers are unusual in themselves.

The output of atq should also show you jobs that have an = instead of an a
in the second-to-last column, before the root in the last column. That marks
jobs as "currently" active, although they more likely got stuck at some
earlier point.

Since the wiki is once again unreachable, here is my code for cleaning up
the CRL update:

----------------------------------------------------------
#!/bin/sh

# CRL_cleanup

# Remember whether atd is running so it can be restarted at the end.
atdrunning=no
(/usr/sbin/service status atd.service | grep "(running) since") &&
atdrunning=yes

# Stop atd so no CRL download job fires while the queue is being cleaned.
if [ "${atdrunning}" = "yes" ]
then
    /usr/sbin/service stop atd.service
fi

hostname=$(hostname -f)

# Remove all at-jobs created by certs-update-crl (echo answers the prompt).
echo | /var/install/bin/certs-update-crl --deletejobs
echo

# Abort if the CRL directory is missing, so rm never runs elsewhere.
cd /var/certs/ssl/crl || exit 1

# Delete every downloaded CRL except the files belonging to this host.
crls=$(ls)
for f in ${crls}
do
    if echo "${f}" | grep -vq "^${hostname}"
    then
        rm "${f}"
    fi
done

cd ..

# Reset the CRL list to the shipped default.
cp certs-update-crl-list.std certs-update-crl-list

# Rebuild the CRL list and re-create the download jobs.
echo | /var/install/bin/certs-update-crl --all
echo

if [ "${atdrunning}" = "yes" ]
then
    /usr/sbin/service start atd.service
fi
---------------------------------------------------------

To be safe, please also manually empty (e.g. with mc) the directory
/var/spool/atjobs of all files except .SEQ.

-- 
Regards, Marcus
[eisfair-Team]
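As an added example, not part of Marcus's post or the eisfair scripts: a small check over atq output that lists the jobs sitting in the "=" (running) queue column described above and reports the job-number spread. The SAMPLE_ATQ lines are constructed in the shape atq prints (job id, date, queue letter, user); `--live` runs the same checks against the real queue.

```shell
#!/bin/sh
# Added example (not from the original post): flag at-jobs that atq
# reports as currently running ("=" in the queue column), the state the
# post associates with stuck CRL download jobs, and show how far apart
# the job numbers lie. SAMPLE_ATQ is constructed data, not real output.

SAMPLE_ATQ='14489   Sun Jan  2 18:21:00 2022 = root
288902  Fri Sep 16 22:00:00 2022 a root
14499   Sun Jan  2 18:24:00 2022 = root
627365  Tue May  9 14:40:00 2023 a root'

# Print the ids of all jobs whose queue column is "=", one per line.
# $(NF-1) is the queue letter (the column before the user), $1 the job id.
stuck_jobs() {
    printf '%s\n' "$1" | awk '$(NF-1) == "=" { print $1 }'
}

# Print "min max" of the job ids, to make a wide drift visible at a glance.
job_range() {
    printf '%s\n' "$1" | awk '
        NR == 1 || $1 + 0 < min { min = $1 + 0 }
        NR == 1 || $1 + 0 > max { max = $1 + 0 }
        END { if (NR) print min, max }'
}

# Stand-alone usage: inspect the live at queue (run as root).
if [ "${1:-}" = "--live" ]; then
    live=$(atq)
    echo "jobs in '=' queue:"; stuck_jobs "$live"
    echo "job id range:"; job_range "$live"
fi
```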

