On Fri, 05 Sep 2014, Martin Kosek wrote:
On 09/04/2014 05:13 PM, Rob Crittenden wrote:
Jan Cholasta wrote:

On 3.9.2014 at 21:23, Rob Crittenden wrote:
No longer request and install a cert for the IPA client machine.


The original plan was to keep generating the certificate, but in
/etc/ipa/nssdb instead of /etc/pki/nssdb (see the attached patch).

I'm fine with either approach.

The cert has never been used and is now actively causing issues in
RHEL-7 with systemd and kickstart. It could be made optional, and move
the location, but IMHO its time has come.


One change that Rob's patch also makes is that from now on, certmonger would not
be enabled and running by default on client machines. It would only be enabled
on IPA server.

I am still not confident about the resolution to just stop generating the
certificate; I was leaning more towards making it optional + generating to a
better database as Honza proposed.

Simo, Alexander, what is your take on this?

I'm fine with making it optional. However, on client machine upgrades do
not stop and disable certmonger if it is tracking more than just the
host certificate.

/ Alexander Bokovoy

Freeipa-devel mailing list