[Eisfair_dev] certs v1.4.5 stable

Stefan Welte post at stefan-welte.de
Fri Mar 4 15:39:46 CET 2016


Hello Jürgen,

On 04.03.2016 at 15:03, Juergen Edner wrote:
> Is it possible that the affected machine had a problem with its
> Internet connection? In general, the CRL update process in particular
> is very lengthy and can easily take 20 min for some certificates.
> What surprises me most is that there apparently are problems with a
> CRL.
Yes, it is quite possible that the quality of the Internet connection was disrupted/severely limited.

> I am also surprised that the c_rehash process is executed several times
> and apparently hangs. The script is very simple and runs through
> quickly. I don't have an explanation for that either. You surely
> haven't changed the CERTS_CRL_CRON_SCHEDULE parameter,
> correct?
Nothing changed, I only did the update from 1.4.4 to 1.4.5.

> As a test, you can run the following command and see what
> it outputs: /var/install/bin/certs-update-crl --checkall
root at eis2 2.6.9:/ # /var/install/bin/certs-update-crl --checkall

Certificate revocation list (CRL) handling

checking if CRL files exist ...
- job '103' (2016-03-11 13:24) already exists.
- job '76' (2016-03-14 10:03) already exists.
- job '69' (2025-12-31 12:37) already exists.
- job '71' (2025-12-31 12:36) already exists.
- job '86' (2025-12-30 17:04) already exists.
- job '68' (2025-12-30 17:04) already exists.
- job '62' (2025-12-30 17:04) already exists.
- job '59' (2025-12-30 19:07) already exists.
- job '88' (2025-12-30 19:07) already exists.
- job '73' (2025-12-30 19:06) already exists.
- job '63' (2025-12-31 09:57) already exists.
- job '104' (2014-02-17 01:13->2016-03-04 15:24) created.
  url: http://www.trustcenter.de/crl/v2/tc_class2_L1_CA_V.crl
- job '105' (2014-02-17 01:13->2016-03-04 15:27) created.
  url: http://www.trustcenter.de/crl/v2/tc_class2_L1_CA_VII.crl
- job '106' (2014-02-17 01:13->2016-03-04 15:30) created.
  url: http://www.trustcenter.de/crl/v2/tc_class2-II_L1_CA_VIII.crl
- job '100' (2025-12-31 12:43) already exists.
- job '58' (2025-12-31 09:57) already exists.
- job '92' (2025-12-31 09:57) already exists.
- job '57' (2025-12-31 09:57) already exists.
- job '56' (2025-12-31 14:11) already exists.
- job '107' (2014-02-17 01:14->2016-03-04 15:33) created.
  url: http://www.trustcenter.de/crl/v2/tc_class3_L1_CA_V.crl
- job '108' (2014-02-17 01:14->2016-03-04 15:36) created.
  url: http://www.trustcenter.de/crl/v2/tc_class3_L1_CA_VII.crl
- job '84' (2025-12-31 12:45) already exists.
- job '89' (2025-12-31 12:40) already exists.
- job '65' (2025-12-31 13:41) already exists.
- job '72' (2025-12-31 13:41) already exists.
- job '93' (2016-03-11 00:02) already exists.
- job '87' (2025-12-31 12:45) already exists.
- downloading 'http://www.trustcenter.de/crl/v2/tcclass4.crl' ...
- file 'http://www.trustcenter.de/crl/v2/tcclass4.crl' doesn't exist!
- downloading 'http://www.trustcenter.de/crl/v2/tc_class_3_european_bridge_l1_ca_I.crl' ...
- file 'http://www.trustcenter.de/crl/v2/tc_class_3_european_bridge_l1_ca_I.crl' doesn't exist!
- downloading 'http://www.trustcenter.de/crl/v2/tc_class2_L1_CA_III.crl' ...
- file 'http://www.trustcenter.de/crl/v2/tc_class2_L1_CA_III.crl' doesn't exist!
- downloading 'http://www.trustcenter.de/crl/v2/tc_class3_L1_CA_III.crl' ...
- file 'http://www.trustcenter.de/crl/v2/tc_class3_L1_CA_III.crl' doesn't exist!
- job '74' (2016-03-24 13:03) already exists.
- job '99' (2016-07-01 00:02) already exists.
- job '101' (2017-05-07 10:20) already exists.
- job '70' (2016-03-08 13:03) already exists.
- job '80' (2016-03-08 13:03) already exists.
- job '75' (2016-04-15 02:03) already exists.
- job '82' (2016-03-08 13:03) already exists.
- job '81' (2016-03-08 13:03) already exists.
- job '109' (2016-03-11 11:58) created.
  url: http://www.entrust.net/CRL/net1.crl
- job '64' (2017-01-12 21:57) already exists.
- job '110' (2016-04-15 14:03) created.
  url: http://www2.public-trust.com/crl/ct/ctroot.crl
- job '85' (2016-03-08 13:03) already exists.
- job '83' (2016-06-07 11:39) already exists.
- job '96' (2016-08-21 03:54) already exists.
- job '111' (2014-08-27 02:57->2016-03-04 15:25) created.
  url: http://crl.startcom.org/sfsca-crl.crl
- job '94' (2016-03-08 03:03) already exists.
- job '90' (2017-01-12 21:57) already exists.
- job '97' (2016-03-05 11:03) already exists.
- job '95' (2016-03-05 11:03) already exists.
- job '91' (2016-03-07 14:03) already exists.
- job '67' (2016-03-08 13:03) already exists.
- job '102' (2016-03-11 13:21) already exists.
- job '79' (2016-07-14 10:14) already exists.
- job '78' (2016-03-07 14:03) already exists.
- job '98' (2016-03-08 13:06) already exists.
- job '77' (2017-03-02 01:03) already exists.
- job '60' (2017-01-12 21:57) already exists.
- job '66' (2016-07-14 10:12) already exists.
checking if a task for each at-job has been created ...
checking if remaining running tasks are CRL update tasks ...
- job '55->110' () a newer entry exists in job list!
  url: http://www2.public-trust.com/crl/ct/ctroot.crl
  file: 'www2.public-trust.com-ctroot.crl.pem'
- job '61->109' () a newer entry exists in job list!
  url: http://www.entrust.net/CRL/net1.crl
  file: 'www.entrust.net-net1.crl.pem'
updating hashes ...
finished.
Press ENTER to continue


> If you want to trigger the CRL update process manually once more,
> you can use the following command. Note, however, that this can take
> quite some time: /var/install/bin/certs-update-crl -all
The run was done in about 1 minute:

----------------------------------------------------------------------

Certificate revocation list (CRL) handling

fetching CRL URLs from certificates ...
- file 024dc131.pem ...
- URL 'http://www.e-szigno.hu/RootCA.crl' already in CRL list.
- file 039c618a.pem doesn't contain a CRL URL!
- file 03f0efa4.pem doesn't contain a CRL URL!
- file 062cdee6.pem doesn't contain a CRL URL!
- file 080911ac.pem doesn't contain a CRL URL!
- file 0b759015.pem doesn't contain a CRL URL!
- file 116bf586.pem doesn't contain a CRL URL!
- file 12ac4d91.pem doesn't contain a CRL URL!
- file 157753a5.pem doesn't contain a CRL URL!
- file 18856ac4.pem doesn't contain a CRL URL!
- file 1ec4d31a.pem doesn't contain a CRL URL!
- file 201cada0.pem doesn't contain a CRL URL!
- file 20d096ba.pem doesn't contain a CRL URL!
- file 2251b13a.pem ...
- URL 'http://fedir.comsign.co.il/crl/ComSignSecuredCA.crl' already in CRL list.
- file 244b5494.pem doesn't contain a CRL URL!
- file 2ab3b959.pem doesn't contain a CRL URL!
- file 2c543cd1.pem doesn't contain a CRL URL!
- file 2cfc4974.pem ...
- URL 'http://crl.oces.certifikat.dk/oces.crl' already in CRL list.
- file 2e4eed3c.pem doesn't contain a CRL URL!
- file 2e5ac55d.pem doesn't contain a CRL URL!
- file 3513523f.pem doesn't contain a CRL URL!
- file 381ce4dd.pem doesn't contain a CRL URL!
- file 3b2716e5.pem doesn't contain a CRL URL!
- file 3e45d192.pem doesn't contain a CRL URL!
- file 3ee7e181.pem doesn't contain a CRL URL!
- file 40547a79.pem ...
- URL 'http://crl.comodoca.com/COMODOCertificationAuthority.crl' already in CRL list.
- file 415660c1.pem doesn't contain a CRL URL!
- file 4304c5e5.pem ...
- URL 'http://crl.netsolssl.com/NetworkSolutionsCertificateAuthority.crl' already in CRL list.
- file 442adcac.pem doesn't contain a CRL URL!
- file 4597689c.pem doesn't contain a CRL URL!
- file 46f053f0.pem doesn't contain a CRL URL!
- file 480720ec.pem doesn't contain a CRL URL!
- file 48ef30f1.pem doesn't contain a CRL URL!
- file 4a6481c9.pem ...
- URL 'http://crl.globalsign.net/root-r2.crl' already in CRL list.
- file 4f316efb.pem doesn't contain a CRL URL!
- file 55a10908.pem doesn't contain a CRL URL!
- file 5620c4aa.pem ...
- URL 'http://www.trustcenter.de/crl/v2/tc_class_3_ca_II.crl' already in CRL list.
- file 56657bde.pem ...
- URL 'http://crl.comodoca.com/TrustedCertificateServices.crl' already in CRL list.
- file 578d5c04.pem doesn't contain a CRL URL!
- file 57bbd831.pem doesn't contain a CRL URL!
- file 57bcb2da.pem doesn't contain a CRL URL!
- file 5ad8a5d6.pem doesn't contain a CRL URL!
- file 5c44d531.pem doesn't contain a CRL URL!

...

- file 'http://crl.usertrust.com/UTN-DATACorpSGC.crl' doesn't exist!
- downloading 'http://crl.pki.wellsfargo.com/wsprca.crl' ...
- file 'http://crl.pki.wellsfargo.com/wsprca.crl' doesn't exist!
- downloading 'http://cert.startcom.org/sfsca-crl.crl' ...
- file 'http://cert.startcom.org/sfsca-crl.crl' doesn't exist!
- downloading 'http://crl.startcom.org/sfsca-crl.crl' ...
- file 'http://crl.startcom.org/sfsca-crl.crl' doesn't exist!
- downloading 'http://crl.usertrust.com/UTN-USERFirst-Hardware.crl' ...
- file 'http://crl.usertrust.com/UTN-USERFirst-Hardware.crl' doesn't exist!
- downloading 'http://crl.securetrust.com/SGCA.crl' ...
- file 'http://crl.securetrust.com/SGCA.crl' doesn't exist!
- downloading 'http://www.disig.sk/ca/crl/ca_disig.crl' ...
- file 'http://www.disig.sk/ca/crl/ca_disig.crl' doesn't exist!
- downloading 'http://ca.disig.sk/ca/crl/ca_disig.crl' ...
- file 'http://ca.disig.sk/ca/crl/ca_disig.crl' doesn't exist!
- downloading 'http://crl.comodoca.com/SecureCertificateServices.crl' ...
- file 'http://crl.comodoca.com/SecureCertificateServices.crl' doesn't exist!
- downloading 'http://crl.comodo.net/SecureCertificateServices.crl' ...
- file 'http://crl.comodo.net/SecureCertificateServices.crl' doesn't exist!
- downloading 'https://www.cacert.org/revoke.crl' ...
- file 'https://www.cacert.org/revoke.crl' doesn't exist!
- downloading 'http://crl.chambersign.org/chambersignroot.crl' ...
- file 'http://crl.chambersign.org/chambersignroot.crl' doesn't exist!
- downloading 'http://crl.comodoca.com/AAACertificateServices.crl' ...
- file 'http://crl.comodoca.com/AAACertificateServices.crl' doesn't exist!
- downloading 'http://crl.comodo.net/AAACertificateServices.crl' ...
- file 'http://crl.comodo.net/AAACertificateServices.crl' doesn't exist!
- downloading 'http://www.certplus.com/CRL/class2.crl' ...
- file 'http://www.certplus.com/CRL/class2.crl' doesn't exist!
- downloading 'http://crl.securetrust.com/STCA.crl' ...
- file 'http://crl.securetrust.com/STCA.crl' doesn't exist!
- downloading 'http://crl.chambersign.org/chambersroot.crl' ...
- file 'http://crl.chambersign.org/chambersroot.crl' doesn't exist!
- downloading 'http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl' ...
- file 'http://www.accv.es/fileadmin/Archivos/certificados/raizaccv1_der.crl' doesn't exist!
- downloading 'http://crl.cacert.org/class3-revoke.crl' ...
- file 'http://crl.cacert.org/class3-revoke.crl' doesn't exist!
- downloading 'http://fedir.comsign.co.il/crl/ComSignCA.crl' ...
- file 'http://fedir.comsign.co.il/crl/ComSignCA.crl' doesn't exist!
- downloading
'ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist'
...
- file
'ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist'
doesn't exist!
- downloading
'ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%20EV%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist'
...
- file
'ldap://directory.d-trust.net/CN=D-TRUST%20Root%20Class%203%20CA%202%20EV%202009,O=D-Trust%20GmbH,C=DE?certificaterevocationlist'
doesn't exist!
- downloading 'http://www.sk.ee/juur/crl/' ...
- file 'http://www.sk.ee/juur/crl/' doesn't exist!
- downloading 'http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl' ...
- file 'http://www.suscerte.gob.ve/lcr/CERTIFICADO-RAIZ-SHA384CRLDER.crl' doesn't exist!
- downloading 'http://crl.sgtrustservices.com/racine-GroupeSG/LatestCRL' ...
- file 'http://crl.sgtrustservices.com/racine-GroupeSG/LatestCRL' doesn't exist!
- downloading 'http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl' ...
- file 'http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl' doesn't exist!
- downloading 'http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl' ...
- file 'http://crl.usertrust.com/UTN-USERFirst-NetworkApplications.crl' doesn't exist!
- downloading 'http://crl.usertrust.com/UTN-USERFirst-Object.crl' ...
- file 'http://crl.usertrust.com/UTN-USERFirst-Object.crl' doesn't exist!
updating hashes ...
finished.


Eisgraph logged nothing at all during the update phase (1.4.4->1.4.5), i.e. from 13:38 to 14:18.
If there is interest, I can provide the PNG images.

Stefan Welte
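
Added example, not part of the original message or of the certs package: a small Python parser for the `certs-update-crl` output above that groups failed CRL downloads by scheme and host, including entries the mail client wrapped over several lines. The sample log and its hosts are constructed, and the "every host fails" heuristic is an assumption, not documented behaviour of the tool.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# \s+ also matches line breaks, so entries wrapped over three lines
# (like the ldap:// URLs in the output above) are still recognised.
ATTEMPT = re.compile(r"- downloading\s+'([^']+)'")
MISSING = re.compile(r"- file\s+'([^']+)'\s+doesn't exist!")

# Constructed sample in the format of the output above (placeholder hosts).
SAMPLE = """\
- job '12' (2016-03-11 13:24) already exists.
- file 0a1b2c3d.pem doesn't contain a CRL URL!
- downloading 'http://crl.example.org/root.crl' ...
- file 'http://crl.example.org/root.crl' doesn't exist!
- downloading 'http://crl.example.org/sub.crl' ...
- downloading 'http://crl.example.net/ca.crl' ...
- file 'http://crl.example.net/ca.crl' doesn't exist!
- downloading
'ldap://dir.example.com/CN=Test%20CA,O=Example,C=DE?certificaterevocationlist'
...
- file
'ldap://dir.example.com/CN=Test%20CA,O=Example,C=DE?certificaterevocationlist'
doesn't exist!
updating hashes ...
"""

def summarize(log):
    """Count attempted and failed CRL downloads per (scheme, host)."""
    failed = set(MISSING.findall(log))
    hosts = defaultdict(lambda: {"attempted": 0, "failed": 0})
    for url in ATTEMPT.findall(log):
        parts = urlsplit(url)
        entry = hosts[(parts.scheme, parts.hostname)]
        entry["attempted"] += 1
        entry["failed"] += int(url in failed)
    return dict(hosts)

def dead_hosts(stats):
    """Hosts for which every attempted download failed."""
    return sorted(h for h, s in stats.items() if s["failed"] == s["attempted"])

def looks_local(stats):
    """Heuristic (assumption): failures on every one of several hosts point at
    the local connection, DNS or proxy rather than at retired CRL URLs."""
    return len(stats) > 1 and len(dead_hosts(stats)) == len(stats)

if __name__ == "__main__":
    stats = summarize(SAMPLE)
    for (scheme, host), s in sorted(stats.items()):
        print(f"{scheme:5} {host:20} {s['failed']}/{s['attempted']} failed")
    print("all hosts failing:", looks_local(stats))
```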


