.\" "@(#)$Id: fetch-crl.8,v 1.7 2010/06/03 09:18:06 pmacvsdg Exp $"
.\"
.\"
.TH FETCH-CRL 8 local "EUGridPMA Utilities"
.SH NAME
fetch-crl \- retrieve certificate revocation lists
.SH SYNOPSIS
.ll +8
.B fetch-crl
.RB [ \-l\ locationDirectory ]
.RB [ \-o\ outputDirectory ]
.RB [ \-a\ agingTolerance ]
.RB [ \-q ]
.ll -8
.SH DESCRIPTION
.I fetch-crl
retrieves certificate revocation lists (CRLs). CRLs can be retrieved
from web sites using the
.I HTTP
or
.I HTTPS
protocols and can be in either
.I PEM
or
.I DER
encoded form. The URLs for the CRL download are to be found in files
named
.IR hash .r0
and should accompany a CA root certificate with the same
hash. Retrieving a CRL without an accompanying CA root certificate
will result in a verification failure.
.SH OPTIONS
.TP
.B \-h --help
Show help text.
.TP
.B \-l --loc locationDirectory
The script will search this directory for files with the
suffix '.crl_url'. Each of these files is expected to contain
the URL of a Certificate Revocation List (CRL) for one
Certification Authority. This URL is of the form
.IR http://www.myhost.com/myCRL .
Note: the CRL files to download must be in either PEM or DER format.
For validity checking, this script assumes that the CA
certificates are also found in this directory.
Default: output directory (see below)
.TP
.B \-o --out outputDirectory
Directory in which to put the downloaded and processed CRLs.
The directory given as the argument for this option
is typically /etc/grid-security/certificates.
Default: current working directory
.TP
.B \-a --agingtolerance hours
The maximum age of the locally downloaded CRL before download
failures trigger actual error messages. This error message
suppression mechanism only works if the crl_url files are named
after the hash of the CRL issuer name, a stat(1) command
is installed, and a CRL has already been downloaded at least once.
Default: no aging tolerance
.TP
.B \-q --quiet
Quiet mode (do not print information messages)
.TP
.B \-n --no-check-certificate
Do not check the server certificate when retrieving URLs (see
also:
.I SERVERCERTCHECK=no
in /etc/fetch-crl.conf).
.SH NOTES
Defaults can be set in the fetch-crl system configuration file
/etc/fetch-crl.conf, using the CRLDIR and QUIET directives.
If you want a specific version of OpenSSL to be used by
.I fetch-crl
for converting and validating CRLs, set the
.B FETCH_CRL_OPENSSL
environment variable (via /etc/fetch-crl.conf).
For historical reasons, if /etc/fetch-crl.conf does not exist, but
/etc/sysconfig/fetch-crl does, the latter file is read instead.
The script will try to use the latest version of OpenSSL to be found
anywhere in your path or in
.B /usr/bin , /usr/local/bin
(or in the
.B $GLOBUS_LOCATION/bin
directory when available).
Use of the latest version of OpenSSL is strongly encouraged.
The fetch-crl script should preferably be run from
.BR cron "(8)"
at least once every day. See
.BI /usr/share/doc/fetch-crl- version
for an example cron job to install.
Other configuration variables recognised in /etc/fetch-crl.conf:
.TP
.BI WGET_RETRIES\ n
Number of attempts of
.I wget
to obtain the CRL from the specified location.
.TP
.BI WGET_TIMEOUT\ seconds
Number of seconds to wait for each stage of the http GET request
(i.e.
.I seconds
sec for DNS resolving, and the same amount for downloading, etc.)
.TP
.BI SERVERCERTCHECK\ "{yes,no}"
When set to "no", the check of the server certificate validity is
suppressed (applies to
.I wget
version 1.10 and higher only).
.TP
.BI WGET_OPTS\ options
Additional command-line arguments to be passed to the invocations of
.IR wget .
.TP
.BI LOGFILE\ filename
In addition to all other message output mechanisms, also append
generated messages to the file
.IR filename .
.TP
.BI CRL_AGING_THRESHOLD\ hours
Only complain about failed CRL download if the download failed persistently
for more than
.I hours
consecutive hours, or if the current time is past the advertised nextUpdate
time for this CRL.
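.PP
The following shell script is an added example, not part of fetch-crl itself. It reproduces the CRL_AGING_THRESHOLD rule described above as a post-run check over a CRL directory: a local CRL is reported as "stale" when it has not been refreshed for more than the given number of hours, as "expired" when the current time is past its advertised nextUpdate, and as "unparsable" when openssl crl(1) cannot read it. It assumes GNU stat(1) and date(1) (with a BSD fallback for stat) and a CRL directory laid out as hash.r0 files, as this page describes; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not fetch-crl code): freshness check for a directory of
# <hash>.r0 CRL files, following the CRL_AGING_THRESHOLD rule from the
# man page. Assumes GNU date(1) for parsing openssl's nextUpdate string.

# Returns 0 if (now - mtime) exceeds the threshold in hours, 1 otherwise.
# All three arguments are plain numbers (epoch seconds, epoch seconds, hours).
age_exceeds() {
    mtime=$1; now=$2; hours=$3
    [ $(( now - mtime )) -gt $(( hours * 3600 )) ]
}

# Returns 0 if now (epoch seconds) is past next_update (epoch seconds).
past_next_update() {
    next_update=$1; now=$2
    [ "$now" -gt "$next_update" ]
}

# classify_crl <mtime> <next_update> <now> <hours>
# Prints "expired", "stale" or "fresh". The nextUpdate test wins over the
# age test, because a CRL past its nextUpdate is unusable regardless of
# how recently the download last succeeded.
classify_crl() {
    if past_next_update "$2" "$3"; then
        echo expired
    elif age_exceeds "$1" "$3" "$4"; then
        echo stale
    else
        echo fresh
    fi
}

# Epoch mtime of a file (GNU stat first, BSD stat as fallback).
file_mtime() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# nextUpdate of a PEM or DER CRL as epoch seconds, via openssl crl(1).
# Prints nothing and returns 1 if the file is not a parseable CRL.
crl_next_update() {
    f=$1
    nu=$(openssl crl -noout -nextupdate -in "$f" 2>/dev/null) \
        || nu=$(openssl crl -noout -nextupdate -inform DER -in "$f" 2>/dev/null) \
        || return 1
    # openssl prints e.g. "nextUpdate=Jun  3 09:18:06 2011 GMT"
    date -u -d "${nu#nextUpdate=}" +%s
}

# check_crl_dir <directory> <aging_threshold_hours>
# Reports every <hash>.r0 file in the directory; returns non-zero if any
# CRL is not fresh, so it can be chained after fetch-crl in a cron job.
check_crl_dir() {
    dir=$1; hours=$2; now=$(date +%s); bad=0
    for f in "$dir"/*.r0; do
        [ -e "$f" ] || continue
        if nu=$(crl_next_update "$f"); then
            label=$(classify_crl "$(file_mtime "$f")" "$nu" "$now" "$hours")
        else
            label=unparsable
        fi
        echo "$f: $label"
        [ "$label" = fresh ] || bad=1
    done
    return $bad
}

# Typical use from a daily cron job (assumed paths, matching the man page
# defaults): run fetch-crl, then fail the job if any CRL is stale or expired.
#   fetch-crl -o /etc/grid-security/certificates -a 24 -q
#   check_crl_dir /etc/grid-security/certificates 24
```

The age test is split from the nextUpdate test so that the classification can be exercised without a real CRL; check_crl_dir is the only function that touches openssl and the filesystem.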
.SH "SEE ALSO"
openssl(1)
.SH "DIAGNOSTICS"
Exit status is normally 0;
if an error occurs, exit status is 1 and diagnostics will be written
to standard error.
.SH BUGS
The fetch-crl program cannot handle CRLs for multiple certificates with the
same hash value.