David Harvey via FreeIPA-users wrote:
> Well that sounds fun :)
> I'm hesitant to crosspost to pkg-freeipa-de...@lists.alioth.debian.org
> <mailto:pkg-freeipa-de...@lists.alioth.debian.org> to ask after
> likelihood of seeing 4.5 in 18.04/Bionic but hope someone here might be
> able to comment?
> 
> WRT the exploding CA situation. I guess I'll need to get to a more sane
> build, or switch over to a better supported rpm based distro if that's
> not on the cards.. I should be safe in the short term given the standard
> lifetime of an IPA cert I hope!?
> 
> I'll continue to try and dig into why pki-tomcat dies on one but not all
> VMs (ca enabled on 2 of them)

The risk you have isn't with the CA itself expiring but with the support
certificates (OCSP, audit, subsystem, etc). Those have a 2-year validity
period.

rob
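As an added illustration (not code from this thread or from the FreeIPA project), the check below parses `getcert list` output, which is where certmonger reports the CA subsystem certificates Rob mentions and the renewal failures Peter describes, and flags entries that are stuck, erroring, or inside an expiry warning window. The sample output, the `example.test` hostname and the dates are constructed; the field names follow the real `getcert list` format.

```python
import re
from datetime import datetime, timezone

# Constructed `getcert list` excerpt (not output from the posters' systems).
# The two CA subsystem certs shown carry the 2-year validity Rob mentions.
SAMPLE_GETCERT_LIST = """\
Request ID '20171201135301':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2018-01-15 13:55:52 UTC
Request ID '20171201135302':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2019-11-21 13:55:52 UTC
\tca-error: Server at "https://ipa.example.test:8443/ca/agent/ca/profileProcess" failed request
"""
# Thread date, used as "now" so the sample evaluation is reproducible.
SAMPLE_NOW = datetime(2017, 12, 1, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracked request."""
    entries = []
    for block in re.split(r"^Request ID ", text, flags=re.M)[1:]:
        first, _, rest = block.partition("\n")
        entry = {"request_id": first.strip().strip("':")}
        for line in rest.splitlines():
            key, sep, value = line.strip().partition(":")  # first ':' only
            if sep:
                entry[key.strip()] = value.strip()
        m = re.search(r"nickname='([^']*)'", entry.get("certificate", ""))
        entry["nickname"] = m.group(1) if m else entry["request_id"]
        stamp = entry["expires"].rsplit(" ", 1)[0]  # drop trailing "UTC"
        entry["expires_at"] = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        entries.append(entry)
    return entries


def renewal_findings(entries, now=SAMPLE_NOW, warn_days=90):
    """Flag certs whose renewal is broken, then those inside the warning window."""
    findings = []
    for e in entries:
        days_left = (e["expires_at"] - now).days
        broken = e.get("stuck") == "yes" or "ca-error" in e or e.get("status") != "MONITORING"
        if broken:
            findings.append((e["nickname"], "renewal-broken", days_left))
        elif days_left <= warn_days:
            findings.append((e["nickname"], "expiring-soon", days_left))
    return findings
```

On a live host, feed it the real output (`getcert list`) and run the check from cron so a stuck subsystem cert is noticed long before its 2-year window closes.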

> 
> On 1 December 2017 at 13:53, Peter Fern via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org
> <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
> 
>     Without installing a system to check, it appears to me that nss-pem
>     is still not packaged for Debian/Ubuntu, which means that certmonger
>     will break on you when it comes time to auto-renew your CAs.
> 
>     I found this out the hard way early this year while running FreeIPA
>     with CA on Ubuntu, and recovery is very painful once your CA certs
>     have expired (actually impossible without compiling nss-pem, which
>     requires some source hacking and compiling of libnss to obtain
>     static libs).
> 
>     Since nss-pem is unlikely to be packaged on Debian/-derivs, it looks
>     to me like until FreeIPA 4.5+ is packaged (where the conversion to
>     OpenSSL has been completed), it is still not safe to run a CA on Ubuntu.
> 
> 
>     On 01/12/17 23:27, David Harvey via FreeIPA-users wrote:
>>     hi Peter,
>>
>>     Not a full answer to your questions but from my experience:
>>
>>     Xenial: Worked, except OTP functionality
>>     Zesty: Worked except for DNS
>>     Artful: Seems fully functional and stable on the freshly installed
>>     replica; my rig upgraded from Zesty (with the workarounds noted
>>     earlier in thread) still has pki-tomcat bombing fairly frequently.
>>     Bionic: I have high hopes for it, given LTS.. Currently showing the
>>     same package version (4.4.4) as Artful:
>>     <https://packages.ubuntu.com/search?keywords=freeipa&searchon=names&suite=bionic&section=all>
>>
>>     Most of them required some cajoling during install or upgrade due
>>     to broken installer components (like directories not being created
>>     in one case, /etc/pki/pki.version confusing postinstall in
>>     another), but most of these behaviours were captured as bugs too. 
>>     It feels very close to being something that can be reliably
>>     deployed, so I don't think it needs a huge amount more TLC to make
>>     it more of a pleasure to install ;)
>>
>>     Cheers,
>>
>>     David
>>
>>     On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users
>>     <freeipa-users@lists.fedorahosted.org
>>     <mailto:freeipa-users@lists.fedorahosted.org>> wrote:
>>
>>         On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
>>         > Not sure why tomcat is more resilient when launched as root, but the
>>         > pki seems to work ok at issuing certs after the above and a reboot for
>>         > good measure.
>>
>>         This sounds like there are broken permissions in the current Ubuntu
>>         packages.  You should be aware that last time I checked, FreeIPA on
>>         Ubuntu was subtly yet severely broken, mostly due to the NSS libs
>>         missing PEM support, which will stop your CA from renewing, amongst
>>         other things.
>>
>>         Does anyone know what the state of packaging for deb distros is
>>         currently?  Now that the OpenSSL migration is complete(?), the barriers
>>         to functional packages should be removed, but it looks like that only
>>         happened in 4.5, and it appears only 4.4 is packaged, which is likely
>>         still broken?
>>         _______________________________________________
>>         FreeIPA-users mailing list --
>>         freeipa-users@lists.fedorahosted.org
>>         <mailto:freeipa-users@lists.fedorahosted.org>
>>         To unsubscribe send an email to
>>         freeipa-users-le...@lists.fedorahosted.org
>>         <mailto:freeipa-users-le...@lists.fedorahosted.org>