On 10/30/2011 12:08 PM, Simo Sorce wrote:
> So my personal home installation is now more than 6 months old.
> How do I know that ? I know because originally we had a 6 months
> expiration period in SSL cert profiles and that was the exp. period of
> all my certs.
> So coming home I got a new laptop for my wife and I wanted to put it in
> the FreeIPA domain. I kinit as admin on the server and try to run an ipa
> command, and I get back an error that certs are expired :-(
> So, knowing certmonger should run I try to check that certmonger is
> alive, it isn't and messagebus isn't either. (This is an F15 issue so
> only relevant for the following behavior).
> Ok I start messagebus and certmonger and then issue a getcert list ..
> and it says the certs will expire in 2013 ... uhmm strange I think.
> Ok issue the ipa command again, and no luck, it still complains that
> certs are expired.
> So as a last attempt, before trying to manually issue new certs I just
> issue a service httpd restart ... and now the ipa command works again.
> So apparently this means apache is not able to find out it has new
> certs available, even after the certs it is currently using are expired.
> The question is: should we try to fix apache to be able to reread the
> cert store ? Or should we add to certmonger the ability to restart
> services when it renews certs ? Or when the previous ones finally
> expire ?
> I'd say the former but it might be a lot more difficult than the second.
> Thoughts ?
Please open two bugs. I think we should implement a workaround and let
apache address it at its own pace.
Sr. Engineering Manager IPA project,
Red Hat Inc.
Freeipa-devel mailing list