Rob Foehl wrote:
> On Fri, 9 Jun 2017, I wrote:
>> In short, that didn't go particularly well at all, which in some ways
>> brings me back to the original as-yet-unanswered deployment question:
>> Is trying to do this with an external CA worth the pain?
> Three attempts at this question, and zero answers...

Things slip through the cracks.

> Can I at least get a yes or no on whether external CA certificate
> renewal has ever been tested when that certificate is nearing expiration?

Yes. I tested this with IPA v3.0. Did it break in between? Possible.

As I pointed out, certmonger is unaware of the certificate chain and
focuses only on the cert not-after date and resubmits the CSR to the CA
that issued the certificate originally.

> I just duplicated last week's result using an earlier snapshot of the
> same VM and a renewed CA cert with a 3-day validity.  certmonger ignored
> every other cert that it already renewed once with the original CA;
> whole system is hosed after the original cert expires.  It's probably
> possible to recover by manually replacing every certificate, but I
> haven't had time to try that.

certmonger checks at days 28, 7, 3, 2 and 1 before expiration by default
for certificate expiration so it should have looked at the certs at
least two times, three depending on timing (and really, it's seconds
before expiration). Did you let the system sit for 3 days before things
died? Was anything logged to syslog? Moving time forward a day at a time
is insufficient to test this without restarting certmonger.

Even in a worst-case scenario, where all the certs expire, it is a
fairly straightforward process to get the services back up by going back
in time, renewing the IPA CA then restarting certmonger to renew the
service certificates.

Is it perfect? No. A search of the users forum should make that
apparent. It has been difficult to reproduce the failures because it's
difficult to simulate by moving time around. Several years ago I left
VMs running for months to try to simulate failures and it always worked
for me.

Note too that there is a difference between certmonger and the renewals.
certmonger renews certs but there are helpers that need to fire off to
update information within IPA as well and to distribute updated
certificates to replicas. These scripts were updated significantly since
I wrote them to be much more robust in terms of reliability and logging.
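A small check for the gap described above, where certmonger keys on each cert's own not-after date while the issuing chain may expire earlier. This is an added example, not certmonger or FreeIPA code; the inventory, names and dates are constructed, and the 28/7/3/2/1 schedule is the default quoted in the message.

```python
from datetime import datetime, timedelta

# certmonger's default re-check points, in days before a cert's own notAfter
# (the 28/7/3/2/1 schedule quoted in the message above).
CERTMONGER_CHECK_DAYS = (28, 7, 3, 2, 1)

# Constructed inventory: name -> (issuer, or None for a self-signed root; notAfter).
# Names and dates are made up for this example.
CERTS = {
    "External Root CA": (None, datetime(2017, 6, 30)),
    "IPA CA": ("External Root CA", datetime(2018, 6, 1)),
    "HTTP/ipa.example.test": ("IPA CA", datetime(2019, 1, 1)),
    "ldap/ipa.example.test": ("IPA CA", datetime(2019, 1, 1)),
    "short-lived service cert": ("IPA CA", datetime(2017, 7, 10)),
}

def chain_not_after(name, certs):
    """Earliest notAfter of `name` and every issuer above it: the date the
    chain actually stops validating, whatever the leaf's own date says."""
    earliest, seen = None, set()
    while name is not None and name not in seen:  # `seen` guards against issuer loops
        seen.add(name)
        issuer, not_after = certs[name]
        if earliest is None or not_after < earliest:
            earliest = not_after
        name = issuer
    return earliest

def report(certs):
    """Flag each cert whose chain expires before its own notAfter, and record
    whether certmonger's first default check (28 days before the leaf's own
    date) would even run before the chain is already dead."""
    findings = []
    for name, (issuer, not_after) in certs.items():
        if issuer is None:
            continue  # a root has only its own date to worry about
        effective = chain_not_after(issuer, certs)
        if effective >= not_after:
            continue  # chain outlives the leaf; certmonger's view is sufficient
        first_check = not_after - timedelta(days=max(CERTMONGER_CHECK_DAYS))
        findings.append({
            "cert": name,
            "own_not_after": not_after.date().isoformat(),
            "chain_not_after": effective.date().isoformat(),
            "checked_before_chain_expiry": first_check < effective,
        })
    return findings
```

Calling `report(CERTS)` flags the IPA CA and all three service certs; only the short-lived one would get a certmonger check before the external root is gone.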

