
==============================================================================
fetch-crl - the Certificate Revocation List retrieval tool
==============================================================================

The fetch-crl utility will retrieve certificate revocation lists (CRLs) for
a set of installed trust anchors, based on crl_url files or IGTF-style info
files. It will install these for use with OpenSSL, NSS or third-party tools.

For more extensive information about fetch-crl3, please look on the web at:

  http://www.nikhef.nl/grid/fetchcrl3

USAGE
-----
Usage: fetch-crl [-c|--config configfile] [-l|--infodir path]
  [--cadir path] [-s|--statedir path] [-o|--output path] [--format @formats]
  [-T|--httptimeout seconds] [-p|--parallelism n]
  [-a|--agingtolerance hours] [-r|--randomwait seconds]
  [-v|--verbose] [-h|--help] [-q|--quiet] [-d|--debug level]

Options:
 -c | --config path
        Read configuration data from path, default: /etc/fetch-crl.conf
 -l | --infodir path
        Location of the trust anchor meta-data files (crl_url or info),
        default: /etc/grid-security/certificates
 --cadir path
        Location of the trust anchors (default to infodir)
 -s | --statedir path
        Location of the historic state data (for caching and delayed-warning)
 -T | --httptimeout sec
        Maximum time in seconds to wait for retrieval of a single URL
 -o | --output path
        Location of the CRLs written (global default, defaults to infodir)
 --format @formats
        Format(s) in which the CRLs will be written (openssl, pem, der, nss)
 -v | --verbose
        Become more talkative
 -q | --quiet
        Become really quiet (overrides verbosity)
 -p | --parallelism n
        Run up to n parallel trust anchor retrieval processes
 -a | --agingtolerance hours
        Be quiet for up to hours hours before raising an error. Until
        the tolerance has passed, only warnings are raised
 -r | --randomwait seconds
        Introduce a random delay of up to seconds seconds before starting
        any retrieval processes
 -h | --help 
        This help text

CONFIGURATION
-------------
The fetch-crl3 tool has built-in defaults that are suitable for 'grid' setups,
where trust anchors are installed in /etc/grid-security/certificates. It will
usually do what you want, if you use OpenSSL-like applications.

If you want, you can tune fetch-crl in a myriad of ways, by setting any of the
flags or options in the configuration file. This configuration file is looked
for in "/etc/fetch-crl.conf" by default, but an alternative location can be
specified with the "-c" command-line option.

Please look at the web site or in the example configuration file for more
explanation of the various configuration settings.
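As an added illustration (not fetch-crl's own code), the following Python snippet shows how the crl_url and info files in the infodir map onto the "name/index (alias)" labels that appear in fetch-crl's log lines. The file layouts it assumes (a ";"-separated crl_url key in info files, one URL per line in crl_url files) and all sample names and URLs are constructed for the example.

```python
import re

# Constructed sample contents of files in an infodir such as
# /etc/grid-security/certificates (names and URLs are made up).
SAMPLE_INFODIR = {
    "ArmeSFo.info": (
        "# IGTF-style info file\n"
        "alias = ArmeSFo\n"
        "crl_url = http://crl.example.net/armesfo.crl;http://mirror.example.net/armesfo.crl\n"
    ),
    "LIPCA.crl_url": "http://crl.example.org/lipca.crl\n",
    "README.txt": "not trust-anchor metadata\n",
}

def parse_info(text):
    """Return (alias, [crl urls]) from the 'key = value' lines of an info file.
    Assumed format: '#' starts a comment; crl_url holds ';'-separated URLs."""
    fields = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            fields[key] = value
    urls = [u for u in re.split(r"[;\s]+", fields.get("crl_url", "")) if u]
    return fields.get("alias"), urls

def parse_crl_url(text):
    """Return the URL list from a legacy crl_url file (assumed one URL per line)."""
    return [l.strip() for l in text.splitlines()
            if l.strip() and not l.lstrip().startswith("#")]

def retrieval_list(infodir):
    """Map each CRL to a 'name/index (alias)' label like the ones in fetch-crl's log lines."""
    jobs = {}
    for filename, text in sorted(infodir.items()):
        name, _, ext = filename.rpartition(".")
        if ext == "info":
            alias, urls = parse_info(text)
        elif ext == "crl_url":
            alias, urls = name, parse_crl_url(text)
        else:
            continue  # other files in the directory are not trust-anchor metadata
        for index, url in enumerate(urls):
            jobs[f"{name}/{index} ({alias or name})"] = url
    return jobs

if __name__ == "__main__":
    for label, url in retrieval_list(SAMPLE_INFODIR).items():
        print(f"{label:28} <- {url}")
```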



CONTRIBUTIONS AND ACKNOWLEDGEMENTS
----------------------------------
Fetch-crl3 is a complete re-write of the utility, but of course owes to the
extensive experience and contributions made over time by the contributors to
fetch-crl 1.x and 2.x, and to the people that reported bugs and feature
requests. 
The original fetch-crl was developed for the acclaimed EU DataGrid project by 
Fabio Hernandez and many significant contributions were made by Steve Traylen.

Fetch-crl3 was developed by David Groep, mainly for enjoyment, with the help 
of large quantities of coffee and Spa Rood, and minimal quantities of sleep.

This work is part of the research programme of the Dutch Foundation for 
Fundamental Research on Matter (FOM), which is financially supported by the 
Netherlands Organisation for Scientific Research (NWO).

This work is part of the programme of BiG Grid, the Dutch e-Science Grid, 
which is financially supported by the Nederlandse Organisatie voor 
Wetenschappelijk Onderzoek (Netherlands Organisation for Scientific 
Research, NWO). 

SUPPORT
-------
Please send suggestions, bugs and feature requests (and certainly patches)
to <[email protected]>. Thanks a lot for your help!

COPYRIGHT
---------
Copyright 2010-2013 David Groep
                    National Institute for Sub-Atomic Physics, FOM-Nikhef

Licensed under the Apache License, Version 2.0 (the "License"); you may not 
use these files except in compliance with the License.  You may obtain a copy 
of the License at

       http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS, WITHOUT 
WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.  See the 
License for the specific language governing permissions and limitations 
under the License.

fetch-crl's Issues

fetch-crl does not work on EL9 due to hidden dependency

Hi @dlgroep
Are there still any supported RPM-based operating systems that do not use systemd, or that do use SysV ?
I see that fetch-crl still relies on SysV init scripts.

On EL9 it does not work:

$ sudo systemctl status fetch-crl-cron
× fetch-crl-cron.service - LSB: Run the certificate revocation lists update periodically via cron
     Loaded: loaded (/etc/rc.d/init.d/fetch-crl-cron; generated)
     Active: failed (Result: exit-code) since Wed 2023-09-20 11:26:28 PDT; 2min 49s ago
       Docs: man:systemd-sysv-generator(8)
    Process: 19827 ExecStart=/etc/rc.d/init.d/fetch-crl-cron start (code=exited, status=1/FAILURE)
        CPU: 7ms

Sep 20 11:26:28 server.hostname systemd[1]: Starting LSB: Run the certificate revocation lists update periodically via cron...
Sep 20 11:26:28 server.hostname fetch-crl-cron[19827]: /etc/rc.d/init.d/fetch-crl-cron: line 22: /etc/rc.d/init.d/functions: No such file or directory
Sep 20 11:26:28 server.hostname systemd[1]: fetch-crl-cron.service: Control process exited, code=exited, status=1/FAILURE
Sep 20 11:26:28 server.hostname systemd[1]: fetch-crl-cron.service: Failed with result 'exit-code'.
Sep 20 11:26:28 server.hostname systemd[1]: Failed to start LSB: Run the certificate revocation lists update periodically via cron.
$ sudo dnf whatprovides /etc/rc.d/init.d/functions
Last metadata expiration check: 0:12:21 ago on Wed 20 Sep 2023 11:17:02 AM PDT.
initscripts-10.11.5-1.el9.x86_64 : Basic support for legacy System V init scripts
Repo        : baseos
Matched from:
Filename    : /etc/rc.d/init.d/functions

It pulls in the legacy chkconfig package as a dependency, but also requires the legacy initscripts package which provides /etc/rc.d/init.d/functions.
Actually initscripts depends on chkconfig too. But I suppose fetch-crl should depend on both.

Support https_proxy

The current implementation doesn't support or honor an https_proxy configuration or environment variable. Since LWP::UserAgent needs to have the https proxy configured separately, downloads from https websites are not working at all when only http_proxy is set.

Please support https_proxy. If needed I can write a pull request

Fetch-crl doesn't work on EL9 with IGTF CAs

I have a clean installation of EL9

[root@localhost ~]# rpm -qa ca-policy-egi-core fetch-crl
ca-policy-egi-core-1.128-1.noarch
fetch-crl-3.0.22-1.el9.noarch

and fetch-crl fails to download CRLs for several IGTF core CAs

[root@localhost ~]# /usr/sbin/fetch-crl | grep ^ERROR
ERROR CRL verification failed for ArmeSFo/0 (ArmeSFo)
ERROR CRL verification failed for DigiCertGridRootCA-Root/0 (DigiCertGridRootCA-Root)
ERROR CRL verification failed for IHEP-2013/0 (IHEP-2013)
ERROR CRL verification failed for LIPCA/0 (LIPCA)
ERROR CRL verification failed for PK-Grid-2007/0 (PK-Grid-2007)
ERROR CRL verification failed for RDIG/0 (RDIG)
ERROR CRL verification failed for RomanianGRID/0 (RomanianGRID)
ERROR CRL verification failed for SRCE/0 (SRCE)
ERROR CRL verification failed for TRGrid/0 (TRGrid)

RHEL9: fetch-crl-boot.service failed

On my RHEL9 servers starting the fetch-crl-boot.service fails with error "Failed to start LSB".

Service fetch-crl-cron is running properly:
systemd[1]: Starting LSB: Run the certificate revocation lists update periodically via cron
fetch-crl-cron[1361]: Enabling periodic fetch-crl: [ OK ]
systemd[1]: Started LSB: Run the certificate revocation lists update periodically via cron

How can I fix this?
