On 10/30/2011 12:08 PM, Simo Sorce wrote:
> So my personal home installation is now more than 6 months old.
> How do I know that ? I know because originally we had a 6 months
> expiration period in SSL cert profiles and that was the exp. period of
> all my certs.
>
> So coming home I got a new laptop for my wife and I wanted to put it in
> the FreeIPA domain. I kinit as admin on the server and try to run an ipa
> command, and I get back an error that certs are expired :-(
>
> So, knowing certmonger should run I try to check that certmonger is
> alive, it isn't and messagebus isn't either. (This is an F15 issue so
> only relevant for the following behavior).
>
> Ok I start messagebus and certmonger and then issue a getcert list ..
> and it says the certs will expire in 2013 ... uhmm strange I think.
>
> Ok issue the ipa command again, and no luck, it still complains that
> certs are expired.
>
> So as a last attempt, before trying to manually issue new certs I just
> issue a service httpd restart ... and now the ipa command works again.
>
> So apparently this means apache is not able to find out it has new
> certs available, even after the certs it is currently using are expired.
>
> The question is: should we try to fix apache to be able to reread the
> cert store ? Or should we add to certmonger the ability to restart
> services when it renews certs ? Or when the previous ones finally
> expire ?
>
> I'd say the former but it might be a lot more difficult than the second.
>
> Thoughts ?
>
> Simo.
>

Please open two bugs. I think we should implement a workaround and let
apache address it at its own pace.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.