On 10/30/2011 12:08 PM, Simo Sorce wrote:
> So my personal home installation is now more than 6 months old.
> How do I know that ? I know because originally we had a 6 months
> expiration period in SSL cert profiles and that was the exp. period of
> all my certs.
> So coming home I got a new laptop for my wife and I wanted to put it in
> the FreeIPA domain. I kinit as admin on the server and try to run an ipa
> command, and I get back an error that certs are expired :-(
> So, knowing certmonger should run I try to check that certmonger is
> alive, it isn't and messagebus isn't either. (This is an F15 issue so
> only relevant for the following behavior).
> Ok I start messagebus and certmonger and then issue a getcert list ..
> and it says the certs will expire in 2013 ... uhmm strange I think.
> Ok issue the ipa command again, and no luck, it still complains that
> certs are expired.
> So as a last attempt, before trying to manually issue new certs I just
> issue a service httpd restart ... and now the ipa command works again.
> So apparently this means apache is not able to find out it has new
> certs available, even after the certs it is currently using are expired.
> The question is: should we try to fix apache to be able to reread the
> cert store ? Or should we add to certmonger the ability to restart
> services when it renews certs ? Or when the previous ones finally
> expire ?
> I'd say the former but it might be a lot more difficult than the second.
> Thoughts ?
> Simo.
Please open two bugs. I think we should implement a workaround and let
apache address it at its own pace.

Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
