CRLs are no longer downloadable after migration to 2.1.x
After migrating to version 2.1.x from version 2.0.x or earlier, CRLs are no longer downloadable until they are regenerated. This is the case even if the generation status is green.
As a result, any attempt to download the existing CRLs after migration may fail and return an HTTP 404 (Not Found) error.
If a Stream VA is configured to download a CRL from a Stream CA that has been migrated to version 2.1.x, the following error will appear:
fr.evertrust.certfactory.exceptions.CertFactoryException: Error parsing CRL from InputStream: Could not copy CRL header, not enough data
Workaround
Using the UI
CRL on external Certificate authority
The issue can be resolved by uploading a new CRL.
1 - Navigate to Certificate Authorities > External CAs in the administration interface.
2 - Click on the Import CRL icon.
3 - Select and upload a new CRL file for the affected CA.
Note: Importing the same CRL will not fix the problem.
CRL on managed Certificate authority
The issue can be resolved by generating a new CRL.
1 - Navigate to Certificate Authorities > Managed CAs in the administration interface.
2 - Click on the Generate CRL icon.
3 - Wait until the CRL generation process completes successfully and the new CRL is available for download.
Using a command in database
If you prefer to resolve the issue through the database, follow the steps below.
Connect to your MongoDB instance.
You can execute the following command to list all CRL entries impacted by this issue:
db.fs.files.find({"metadata.type": {$exists: false}})
Once you have identified all the CRL entries impacted by the issue, you can execute the following command to correct all affected CRLs at once:
db.fs.files.updateMany({"metadata.type": {$exists: false}}, {$set: {"metadata.type": "CRL"}})
If you prefer to correct only one CRL instead of updating all of them, you can execute the following command by specifying the name of the Certificate Authority (CA):
db.fs.files.updateOne({"metadata.ca": "<ca_name>"}, {$set: {"metadata.type": "CRL"}})
After executing any of the database update commands, it is recommended to restart the application to ensure that all changes are properly applied and loaded into memory.
Once the application has restarted, you should now be able to download the CRL successfully.
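The database steps above can be combined into one mongosh helper that previews the affected entries, applies the fix and confirms that none are left. This is an added example, not EverTrust's own code: the function name `repairCrlType`, its options and the script file name are hypothetical. Unlike the per-CA command above, it also requires `metadata.type` to be missing when a CA name is given.

```javascript
// Added example, not vendor code. Field names metadata.type and metadata.ca
// come from the commands above; repairCrlType, its options and the file name
// repair-crl-type.js are hypothetical.
// Usage in mongosh, connected to the application's database:
//   load("repair-crl-type.js")
//   repairCrlType(db, { caName: "<ca_name>", apply: true })

function repairCrlType(database, { caName = null, apply = false } = {}) {
  const files = database.getCollection("fs.files");

  // Match only entries still missing metadata.type, so entries that already
  // carry a type are never rewritten, even when a CA name narrows the scope.
  const filter = { "metadata.type": { $exists: false } };
  if (caName !== null) filter["metadata.ca"] = caName;

  // Preview: how many entries would be changed.
  const matched = files.countDocuments(filter);
  if (!apply || matched === 0) {
    return { matched, modified: 0, remaining: matched };
  }

  // Apply the same $set as the commands above, then re-count to confirm
  // that no matching entry was left without a type.
  const result = files.updateMany(filter, { $set: { "metadata.type": "CRL" } });
  const remaining = files.countDocuments(filter);
  return { matched, modified: result.modifiedCount, remaining };
}

// In mongosh `db` is the current database: print a dry-run count on load.
// Outside mongosh (no `db` global) this line does nothing.
if (typeof db !== "undefined") printjson(repairCrlType(db));
```

A `remaining` value of 0 after an applied run means every matched entry now carries `metadata.type`; the application restart described above is still required.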