On 1/2/20 7:24 AM, Rob Foehl via FreeIPA-users wrote:
Went to renew an externally-signed IPA CA certificate that was valid through today, and discovered that FreeIPA had decided to renew it with a self-signed cert a month ago, and had since reissued all other subsystem certs against that self-signed CA.
That is surprising; maybe there was a tracking request that triggered the renewal to self-signed. Can you check now whether the self-signed CA is tracked? (It should not be.)

After running through the ipa-cacert-manage renew dance and ipa-certupdate, the system store now contains the following certs, in this order:

- old, now-expired IPA CA cert
- old, soon-to-be-expired external CA root cert
- self-signed IPA cert
- new IPA CA cert
- new external CA root cert

There's also a chicken-and-egg problem with trying to renew anything, in that all new requests are signed with the self-signed IPA CA instead of the new intermediate IPA CA.
As far as I understand, the private key of the IPA CA does not change even when the CA is renewed from self-signed to externally-signed (or the reverse), and this means that the same key is used to issue the IPA certs. In that case, there is no difference whether a cert was signed with the old or the new CA cert.

What makes you think that the new requests are signed with the self-signed IPA CA?

Do you have any issue when you try to renew other certs?

flo

How do I unravel this, and completely purge the self-signed cert from existence? Why did FreeIPA try to renew the intermediate CA cert on its own, and why did it succeed?

(This is FreeIPA 4.7.2 on Fedora 29, which I'm stuck with until the CA chains are sorted out -- upgrading is still a manual replica replacement process, since ipa-server-upgrade and friends *still* insist on verifying a CA lifetime of >2 years, inexplicable behavior reported years ago...)

-Rob
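The claim above that the CA key does not change across a renewal, and that leaf certs therefore chain to either CA cert, can be checked offline with plain openssl. The script below is an added example written for this thread; it is not code from FreeIPA, Dogtag or either poster. It generates one CA key, certifies it twice (once self-signed, once as an intermediate under a constructed "external" root), issues a leaf cert while the self-signed cert is current, and then shows the leaf verifying against both chains. Every DN and file name is made up. The `pubkey_fp` check at the end is the same one to run against the old and new IPA CA certs exported from the system store to confirm the key really is unchanged; the last function is the control case showing that the external root alone, without the externally-signed IPA CA cert, does not validate the leaf.

```shell
#!/bin/sh
# Added example, not from the thread or the FreeIPA project: reproduce with
# openssl why certs issued under a self-signed IPA CA cert still chain to the
# externally-signed IPA CA cert when both certify the same CA key.
# All DNs and file names below are constructed for this example.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

IPA_CA_SUBJ="/O=EXAMPLE.TEST/CN=Certificate Authority"   # hypothetical IPA CA DN
EXT_ROOT_SUBJ="/O=Example Corp/CN=Corporate Root CA"    # hypothetical external root DN
LEAF_SUBJ="/O=EXAMPLE.TEST/CN=ipa.example.test"         # hypothetical subsystem cert DN

# Minimal openssl config so the run does not depend on the system openssl.cnf.
cat > "$WORK/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = placeholder
[ v3_ca ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ v3_leaf ]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

genkey() { openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$1" 2>/dev/null; }

# 1. The IPA CA key pair: the thing that does NOT change across a CA renewal.
genkey "$WORK/ipa-ca.key"

# 2. Self-signed IPA CA cert (what the unwanted renewal in the thread produced).
openssl req -x509 -new -key "$WORK/ipa-ca.key" -subj "$IPA_CA_SUBJ" -days 365 \
  -config "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/ipa-ca-selfsigned.pem"

# 3. External root CA, and the same IPA CA key re-certified as an intermediate under it.
genkey "$WORK/ext-root.key"
openssl req -x509 -new -key "$WORK/ext-root.key" -subj "$EXT_ROOT_SUBJ" -days 730 \
  -config "$WORK/ca.cnf" -extensions v3_ca -out "$WORK/ext-root.pem"
openssl req -new -key "$WORK/ipa-ca.key" -subj "$IPA_CA_SUBJ" \
  -config "$WORK/ca.cnf" -out "$WORK/ipa-ca.csr"
openssl x509 -req -in "$WORK/ipa-ca.csr" -CA "$WORK/ext-root.pem" -CAkey "$WORK/ext-root.key" \
  -CAcreateserial -days 365 -extfile "$WORK/ca.cnf" -extensions v3_ca \
  -out "$WORK/ipa-ca-external.pem" 2>/dev/null

# 4. A subsystem (leaf) cert issued while the self-signed CA cert was current.
genkey "$WORK/leaf.key"
openssl req -new -key "$WORK/leaf.key" -subj "$LEAF_SUBJ" -config "$WORK/ca.cnf" -out "$WORK/leaf.csr"
openssl x509 -req -in "$WORK/leaf.csr" -CA "$WORK/ipa-ca-selfsigned.pem" -CAkey "$WORK/ipa-ca.key" \
  -CAcreateserial -days 90 -extfile "$WORK/ca.cnf" -extensions v3_leaf \
  -out "$WORK/leaf.pem" 2>/dev/null

# SHA-256 of the DER SubjectPublicKeyInfo: run this on a real deployment's old
# and new CA certs to confirm the key is unchanged.
pubkey_fp() {
  openssl x509 -in "$1" -pubkey -noout | openssl pkey -pubin -outform DER | openssl dgst -sha256 | sed 's/.*= //'
}
same_public_key() { [ "$(pubkey_fp "$1")" = "$(pubkey_fp "$2")" ]; }

# The leaf chains to the self-signed cert...
verify_leaf_selfsigned() { openssl verify -CAfile "$WORK/ipa-ca-selfsigned.pem" "$WORK/leaf.pem" >/dev/null; }
# ...and equally to the external root via the externally-signed IPA CA cert.
verify_leaf_external_chain() {
  openssl verify -CAfile "$WORK/ext-root.pem" -untrusted "$WORK/ipa-ca-external.pem" "$WORK/leaf.pem" >/dev/null
}
# Control: the root alone, with no intermediate, must NOT validate the leaf.
leaf_fails_without_intermediate() {
  ! openssl verify -CAfile "$WORK/ext-root.pem" "$WORK/leaf.pem" >/dev/null 2>&1
}

same_public_key "$WORK/ipa-ca-selfsigned.pem" "$WORK/ipa-ca-external.pem" || { echo "CA public keys differ"; exit 1; }
echo "both IPA CA certs carry the same public key: $(pubkey_fp "$WORK/ipa-ca-external.pem")"
verify_leaf_selfsigned && echo "leaf verifies against the self-signed IPA CA cert"
verify_leaf_external_chain && echo "leaf verifies against external root + externally-signed IPA CA cert"
leaf_fails_without_intermediate && echo "leaf does not verify against the external root alone"
```

Run it as an unprivileged user with openssl 1.1.1 or later on the path; it writes only into a temporary directory that is removed on exit. If the fingerprints of a real deployment's self-signed and externally-signed IPA CA certs differ, the renewal did replace the key, and the "no difference" reasoning above no longer applies.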
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]