Well that sounds fun :)
I'm hesitant to crosspost to pkg-freeipa-de...@lists.alioth.debian.org to
ask after the likelihood of seeing 4.5 in 18.04/Bionic, but hope someone here
might be able to comment?

WRT the exploding CA situation, I guess I'll need to get to a more sane
build, or switch over to a better-supported RPM-based distro if that's not
on the cards. I should be safe in the short term given the standard
lifetime of an IPA cert, I hope!?

I'll continue to try and dig into why pki-tomcat dies on one but not all
VMs (CA enabled on 2 of them).

On 1 December 2017 at 13:53, Peter Fern via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Without installing a system to check, it appears to me that nss-pem is
> still not packaged for Debian/Ubuntu, which means that certmonger will
> break on you when it comes time to auto-renew your CAs.
>
> I found this out the hard way early this year while running FreeIPA with
> CA on Ubuntu, and recovery is very painful once your CA certs have expired
> (actually impossible without compiling nss-pem, which requires some source
> hacking and compiling of libnss to obtain static libs).
>
> Since nss-pem is unlikely to be packaged on Debian/derivatives, it looks to me
> like until FreeIPA 4.5+ is packaged (where the conversion to OpenSSL has
> been completed), it is still not safe to run a CA on Ubuntu.
>
>
> On 01/12/17 23:27, David Harvey via FreeIPA-users wrote:
>
> hi Peter,
>
> Not a full answer to your questions but from my experience:
>
> Xenial: Worked, except OTP functionality
> Zesty: Worked except for DNS
> Artful: Seems fully functional and stable on the freshly installed replica;
> my rig upgraded from Zesty (with the workarounds noted earlier in the thread)
> still has pki-tomcat bombing fairly frequently.
> Bionic: I have high hopes for, given LTS. Currently showing the same package
> version (4.4.4) as Artful:
> <https://packages.ubuntu.com/search?keywords=freeipa&searchon=names&suite=bionic&section=all>
>
> Most of them required some cajoling during install or upgrade due to
> broken installer components (like directories not being created in one
> case, /etc/pki/pki.version confusing postinstall in another), but most of
> these behaviours were captured as bugs too.  It feels very close to being
> something that can be reliably deployed, so I don't think it needs a huge
> amount more TLC to make it more of a pleasure to install ;)
>
> Cheers,
>
> David
>
> On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
>> On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
>> > Not sure why tomcat is more resilient when launched as root, but the
>> > pki seems to work ok at issuing certs after the above and a reboot for
>> > good measure.
>>
>> This sounds like there are broken permissions in the current Ubuntu
>> packages.  You should be aware that last time I checked, FreeIPA on
>> Ubuntu was subtly yet severely broken, mostly due to the NSS libs
>> missing PEM support, which will stop your CA from renewing, amongst
>> other things.
>>
>> Does anyone know what the state of packaging for deb distros is
>> currently?  Now that the OpenSSL migration is complete(?), the barriers
>> to functional packages should be removed, but it looks like that only
>> happened in 4.5, and it appears only 4.4 is packaged, which is likely
>> still broken?
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>

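The failure mode Peter describes (certmonger unable to renew the CA certificates, discovered only once they have already expired) and David's hope that the standard certificate lifetime buys him time both reduce to one practical question: when do the tracked certificates actually expire, and is certmonger still quietly monitoring each of them? The script below is an added example for this thread, not code from FreeIPA, certmonger or any poster. It parses the text `getcert list` prints, reports certificates whose remaining lifetime is at or below a threshold, and lists requests certmonger itself marks as stuck or not in MONITORING state. The embedded sample output is constructed (made-up request IDs, subjects and dates, in the shape getcert prints); the 90-day threshold and the field names it relies on (`status`, `stuck`, `certificate`, `subject`, `expires`, `auto-renew`) are assumptions based on typical getcert output.

```python
"""Flag certmonger-tracked certificates that are close to expiry.

Added example for the FreeIPA-users thread above; not FreeIPA or certmonger
code. Feed it real data with:  getcert list | python3 this_script.py
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample in the shape of `getcert list` output (not captured from
# a real system): two CA-subsystem certs in an NSS DB and one PEM-file cert.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20171201100001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2037-11-30 10:00:01 UTC
\tauto-renew: yes
Request ID '20171201100002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2019-11-20 10:00:02 UTC
\tauto-renew: yes
Request ID '20171201100003':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2018-01-10 10:00:03 UTC
\tauto-renew: yes
"""

# "Now" used for the sample run (constructed; the date of the thread).
SAMPLE_NOW = datetime(2017, 12, 1, 12, 0, 0, tzinfo=timezone.utc)
_EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Split `getcert list` text into one dict per tracked request.

    Every "key: value" line is kept under its getcert key; the few fields the
    check needs are normalised into expires_at / auto_renew / storage_type.
    """
    certs, current = [], None
    for raw in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", raw)
        if m:
            current = {"request_id": m.group(1)}
            certs.append(current)
            continue
        if current is None or ": " not in raw:
            continue  # leading count line, or a line without a field
        key, value = raw.strip().split(": ", 1)
        current[key] = value
    for cert in certs:
        # A request that never got a certificate (e.g. pending CSR) has no
        # "expires:" line; keep it, but without an expiry.
        exp = cert.get("expires")
        cert["expires_at"] = (
            datetime.strptime(exp, _EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if exp else None)
        cert["auto_renew"] = cert.get("auto-renew") == "yes"
        cert["stuck_flag"] = cert.get("stuck") == "yes"
        m = re.search(r"type=(\w+)", cert.get("certificate", ""))
        cert["storage_type"] = m.group(1) if m else "UNKNOWN"
    return certs


def days_until_expiry(cert, now):
    """Whole days left, or None when the request has no certificate yet."""
    if cert["expires_at"] is None:
        return None
    return (cert["expires_at"] - now).days


def expiring_within(certs, now, days):
    """(subject, storage_type, days_left) for certs at or under the threshold, nearest first."""
    hits = []
    for cert in certs:
        left = days_until_expiry(cert, now)
        if left is not None and left <= days:
            hits.append((cert.get("subject", "?"), cert["storage_type"], left))
    return sorted(hits, key=lambda h: h[2])


def unhealthy_requests(certs):
    """Request IDs certmonger reports as stuck or not in MONITORING state."""
    return [c["request_id"] for c in certs
            if c["stuck_flag"] or c.get("status") != "MONITORING"]


def report(text, now, days=90):
    """Human-readable lines; empty list means nothing needs attention."""
    certs = parse_getcert_list(text)
    lines = [f"{left:5d} days  {storage:5s}  {subject}"
             for subject, storage, left in expiring_within(certs, now, days)]
    lines += [f"request {rid}: not quietly MONITORING, inspect it with getcert"
              for rid in unhealthy_requests(certs)]
    return lines


if __name__ == "__main__":
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    print("\n".join(report(text, datetime.now(timezone.utc))) or "all tracked certs look fine")
```

Run it against the sample as of 1 December 2017 and only the RA agent certificate (39 days left, stored as a PEM file) trips the 90-day threshold, while the stuck CA_UNREACHABLE request is reported separately; raising the threshold to two years also surfaces the OCSP signing certificate. Checking both lists well before the dates pass is the cheap way to find out whether renewal actually works on a given build, rather than learning it the hard way as described above.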