On 18.7.2016 08:22, Jan Cholasta wrote:
> On 8.7.2016 15:59, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 8.7.2016 15:31, Rob Crittenden wrote:
>>>> Petr Spacek wrote:
>>>>> Hi,
>>>>>
>>>>> our docs
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca
>>>>>
>>>>>
>>>>>
>>>>>
>>>>> claim this:
>>>>> "The certmonger service is not used to track certificates.
>>>>> Therefore, it does
>>>>> not warn you of impending certificate expiration."
>>>>>
>>>>> Is this correct?
>>>>>
>>>>> Can we at least configure certmonger to passively track the
>>>>> certificates and
>>>>> throw warning about impending expiration into logs?
> 
> +1, I have already suggested we do this several times.
> 
>>>>>
>>>>
>>>> Throw a warning where? Register an e-mail address as part of the
>>>> tracking
>>>> perhaps?
>>>>
>>>> It would probably be fairly easy to write a "CA" that sends an
>>>> e-mail. The
>>>> trick, and this has always tripped us up, is having an MTA configured.
>>>
>>> I would start with logs, as I wrote in the original message. This will
>>> naturally evolve into something else when we finally get
>>> user-configurable hooks.
>>>
>>> In any case, having certmonger configured to track the certs is
>>> prerequisite
>>> for all cases...
>>
>> "Logs" is not very specific, do you mean syslog/journal?
>>
>> Feel free to open an RFE against certmonger with your proposal. I
>> suspect that anything logged will just get lost in most cases.

Finally, here is the ticket:
https://fedorahosted.org/certmonger/ticket/59

> For IPA CA certificate, we log warnings to syslog with ALERT level. I think
> doing that for other certs would be good enough for starters.

-- 
Petr^2 Spacek

-- 
Manage your subscription for the Freeipa-devel mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-devel
Contribute to FreeIPA: http://www.freeipa.org/page/Contribute/Code

Reply via email to