Hi
After updating the CRL files, if there is a change in the CRL files, then gracefully restart the httpd.
You need to check and compare periodically.
John Orendt
From: Hendrik Harms <hendrik.harms@xxxxxxxxx>
Sent: Thursday, March 31, 2022 12:53 PM
To: users@xxxxxxxxxxxxxxxx
Subject: [EXTERNAL] SSLCARevocationPath CRLs not reloaded after update
Hi httpd users,
I only want to allow clients to log in with a valid certificate that has not been revoked.
For this I wrote a small bash script to download the CRL of each CA I've configured in the ca-bundle.crt, convert it into PEM format and create the required hash symlinks.
httpd-2.4.52
openssl-1.1.1m
<VirtualHost _default_:8443>
...
SSLCACertificateFile "/etc/httpd/ca-bundle.crt"
SSLEngine on
SSLProtocol TLSv1.2
...
SSLCARevocationPath "/var/httpd/crl/"
SSLCARevocationCheck chain
SSLVerifyClient require
SSLVerifyDepth 3
...
</VirtualHost>
The setup ran properly, but after a few days of uptime I got errors like this
[2022-03-30 17:10:00.807034] [ssl:error] [C:W5J48KAelwE] AH02039: Certificate Verification: Error (12): CRL has expired
The CRLs and symlinks in my crl directory were up to date. But the httpd did not read them after they were updated. So the httpd runs into the expiration date of the old CRLs.
Searching for this problem I found this old entry in the bugzilla: https://bz.apache.org/bugzilla/show_bug.cgi?id=14104
Does the problem of httpd-2.0.x still persist in httpd-2.4.x or do I have a misconfiguration in my setup?
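
The periodic compare-and-restart suggested in the reply, as an added example that is not part of either message: it fingerprints the CRL directory and triggers a graceful restart only when the content changed. `STATE_FILE`, the script name `crl-reload.sh` and the function names are assumptions; `CRL_DIR` is the SSLCARevocationPath from the post.

```bash
#!/usr/bin/env bash
# Added example: gracefully restart httpd only when the CRL directory changed.
# CRL_DIR is the SSLCARevocationPath from the post; STATE_FILE is an assumed
# location and must live outside CRL_DIR.
CRL_DIR="${CRL_DIR:-/var/httpd/crl}"
STATE_FILE="${STATE_FILE:-/var/run/httpd-crl.sha256}"
RELOAD_CMD="${RELOAD_CMD:-apachectl graceful}"

# Print one SHA-256 over the name and content of every entry in the directory.
# Hash symlinks are followed, so a link that points at a new CRL changes it.
crl_fingerprint() {
    local dir="$1" f
    (
        cd "$dir" 2>/dev/null || exit 1
        LC_ALL=C                      # stable glob order between runs
        for f in *; do
            [ -f "$f" ] || continue
            printf '%s ' "$f"
            sha256sum < "$f"
        done | sha256sum | cut -d' ' -f1
    )
}

# Returns 0 if a reload was triggered, 1 if nothing changed, 2 on error.
# The first run has no stored state and therefore reloads once.
reload_if_changed() {
    local dir="$1" state="$2" new old=""
    new=$(crl_fingerprint "$dir") || return 2
    if [ -r "$state" ]; then old=$(cat "$state"); fi
    if [ "$new" = "$old" ]; then return 1; fi
    # Store the new fingerprint only after a successful reload, so a failed
    # reload is retried on the next run instead of being silently skipped.
    $RELOAD_CMD || return 2
    printf '%s\n' "$new" > "$state"
}

# Cron usage after the CRL download script: crl-reload.sh run
if [ "${1:-}" = "run" ]; then
    rc=0
    reload_if_changed "$CRL_DIR" "$STATE_FILE" || rc=$?
    case "$rc" in
        0) echo "CRLs changed, httpd reloaded" ;;
        1) : ;;
        *) echo "CRL check or reload failed" >&2; exit 1 ;;
    esac
fi
```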