[Freeipa-users] CRL Not Updating

The CRL being served by the CRL Master has not added a newly revoked certificate for 4 months. The CRL is updated and published as expected every four hours, just with no change to the list of revocations. Currently the CRL lists 34 certificates where as a query with ipa cert-find returns 40. The missing certificates are not expired. I do not see any errors in /var/log/pki/pki-tomcat/ca/debug* I've been through the steps at https://www.freeipa.org/page/Troubleshooting/PKI and checked the CRL settings per https://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master The CRL files in /var/lib/ipa/pki-ca/publish/ are being generated/updated.