On Wed, Aug 2, 2017 at 10:04 PM, Fraser Tweedale <[email protected]> wrote:
> On Wed, Aug 02, 2017 at 09:59:35AM -0400, Rob Crittenden wrote:
>> Petr Vobornik via FreeIPA-devel wrote:
>> > On Wed, Aug 2, 2017 at 3:30 AM, Fraser Tweedale <[email protected]>
>> > wrote:
>> >> Hi devs,
>> >>
>> >> This is at least the second time recently that people needing to
>> >> renew service certificates used ``ipa-cacert-manage renew`` (the
>> >> wrong command) and either didn't solve the problem or got into a
>> >> deeper mess.
>> >>
>> >> Clearly we have a usability problem here.
>> >>
>> >> The ipa-cacert-manage(1) man page is clear, but perhaps could use a
>> >> prominent statement that it doesn't renew service certs and if
>> >> that's all the user needs to do, to use `getcert resubmit` instead.
>> >
>> > Right, I think that a lot of people don't understand certificates well
>> > and so they don't distinguish CA cert and other cert. So when they see
>> > a howto for "CA certificate renewal" they understand "certificate
>> > renewal".
>> >
>> > From that perspective another possible culprit is also page:
>> > https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>> >
>> >> But I think better would be to enhance `ipa-cacert-manage renew` to
>> >> inspect the current CA certificate and if it has, say, more than 75%
>> >> of its validity period still to go, to PROMPT the user to confirm
>> >> that renewing the *CA* certificate is really what they wanted to do.
>> >>
>> >> What do others think of this idea?
>> >
>> > I like the idea.
>>
>> Honestly, I'd be even harsher. IMHO this is one of those times that
>> requires:
>>
>> Are you sure? (yes/NO)
>>
>> Are you really sure? (yes/NO)
>>
>> Really, you want to renew the CA certificate and not some other
>> certificate? This is not something to be done lightly?
>> (yes/NO)
>>
>> <insert another 72 questions here>
>>
>> rob
>>
> OK, I've filed tickets:
>
> - https://pagure.io/freeipa/issue/7084 (update command with prompts)
> - https://pagure.io/freeipa/issue/7085 (manpage)
>
> Thanks,
> Fraser
I've updated:
- https://www.freeipa.org/page/Troubleshooting#IPA_won.27t_start.2C_expired_certificates
- https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Especially the first one was quite misleading; it pointed people to the CA
Cert renewal page in case of any problem with certificates.
--
Petr Vobornik
_______________________________________________
FreeIPA-devel mailing list -- [email protected]
To unsubscribe send an email to [email protected]
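The check Fraser proposes above (look at the current CA certificate and prompt when more than 75% of its validity period is still to go) is small enough to show in full. The following is an added illustration written for this page, not FreeIPA's code and not what was eventually implemented for issue 7084. It uses only the Python standard library: a minimal DER walker pulls the Validity out of a certificate, and the policy function turns the remaining fraction into a yes/no "ask for confirmation" decision. All function names are hypothetical, and the test certificate is a constructed fixture whose only meaningful content is its validity dates; it is not signed and would not load in a real TLS stack.

```python
"""Added example (not FreeIPA code): should `ipa-cacert-manage renew` ask for
confirmation?  Prompt when more than CONFIRM_THRESHOLD of the CA certificate's
validity period is still to go, as suggested on the list."""
from datetime import datetime, timezone

CONFIRM_THRESHOLD = 0.75  # "more than 75% of its validity period still to go"


def utc(*args):
    """Convenience constructor for aware UTC datetimes, e.g. utc(2017, 8, 1)."""
    return datetime(*args, tzinfo=timezone.utc)


def _tlv(data, pos):
    """Read one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag = data[pos]
    length = data[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length = int.from_bytes(data[pos:pos + n], "big")
        pos += n
    return tag, data[pos:pos + length], pos + length


def _parse_time(tag, value):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to UTC."""
    text = value.decode("ascii")
    if tag == 0x17:                                   # UTCTime: YYMMDDHHMMSSZ
        century = "20" if int(text[:2]) < 50 else "19"  # RFC 5280 4.1.2.5.1
        text = century + text
    elif tag != 0x18:                                 # GeneralizedTime: YYYYMMDDHHMMSSZ
        raise ValueError("unexpected Time tag 0x%02x" % tag)
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def certificate_validity(der):
    """Walk a DER Certificate to its Validity and return (notBefore, notAfter)."""
    _, cert, _ = _tlv(der, 0)            # Certificate SEQUENCE
    _, tbs, _ = _tlv(cert, 0)            # tbsCertificate SEQUENCE
    pos = 0
    tag, _, nxt = _tlv(tbs, pos)
    if tag == 0xA0:                      # [0] EXPLICIT version is optional
        pos = nxt
    for _ in range(3):                   # skip serialNumber, signature, issuer
        _, _, pos = _tlv(tbs, pos)
    tag, validity, _ = _tlv(tbs, pos)
    if tag != 0x30:
        raise ValueError("expected Validity SEQUENCE, got tag 0x%02x" % tag)
    t1, not_before, p = _tlv(validity, 0)
    t2, not_after, _ = _tlv(validity, p)
    return _parse_time(t1, not_before), _parse_time(t2, not_after)


def remaining_fraction(not_before, not_after, now=None):
    """Fraction of the validity period still ahead of `now`, clamped to [0, 1]."""
    now = now or datetime.now(timezone.utc)
    total = (not_after - not_before).total_seconds()
    left = (not_after - now).total_seconds()
    return max(0.0, min(1.0, left / total))


def needs_confirmation(der, now=None, threshold=CONFIRM_THRESHOLD):
    """True when renewing this CA cert now looks premature enough to ask first."""
    not_before, not_after = certificate_validity(der)
    return remaining_fraction(not_before, not_after, now) > threshold


# --- constructed test fixture (NOT a real certificate) -----------------------

def _der(tag, body):
    """Encode one TLV; lengths up to 65535 are enough for the fixture."""
    if len(body) < 0x80:
        length = bytes([len(body)])
    elif len(body) < 0x100:
        length = bytes([0x81, len(body)])
    else:
        length = bytes([0x82]) + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def _time(dt):
    """RFC 5280: UTCTime for years through 2049, GeneralizedTime afterwards."""
    if dt.year < 2050:
        return _der(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _der(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def fake_ca_der(not_before, not_after):
    """Syntactically minimal, unsigned Certificate carrying only a Validity."""
    tbs = _der(0x30, b"".join([
        _der(0xA0, _der(0x02, b"\x02")),                 # version v3
        _der(0x02, b"\x01"),                              # serialNumber 1
        _der(0x30, _der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b")),  # sha256WithRSA
        _der(0x30, b""),                                  # issuer: empty Name
        _der(0x30, _time(not_before) + _time(not_after)),  # validity
    ]))
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))


if __name__ == "__main__":
    ca = fake_ca_der(utc(2017, 8, 1), utc(2037, 8, 1))
    for when in (utc(2017, 8, 2), utc(2036, 1, 1)):
        print(when.date(), "prompt before renewing CA cert:", needs_confirmation(ca, when))
```

In a real tool the DER would come from the CA certificate already in the NSS database or certmonger tracking; the point of the threshold is that a fresh CA certificate is a strong hint the operator actually wanted `getcert resubmit` for a service certificate, so the prompt text should say so rather than just ask "are you sure?".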
