I've got a test instance of FreeIPA 4.4.4 running on F25 that was installed with --external-ca, and the resulting CSR signed with a validity period of 30 days to test behavior around expirations.

Upon booting that instance today, certmonger decided to preemptively renew every IPA cert -- which is a good thing -- but did so without waiting for renewal of the IPA CA cert first, which is less good. Now that instance has a pile of certs that expire in two weeks, since they were signed with and thus tied to the expiration of the old IPA CA cert.

While I'm guessing certmonger will figure this out and do the right thing within a couple weeks -- and with the expectation that this would only happen once per IPA CA renewal with a "real" deployment -- is this the intended behavior?

Logs are a bit of a mess between this and a potentially-resolved SELinux issue with certmonger, but I'll wedge them all into a proper bug report if desired.

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to