Alexander Bokovoy via FreeIPA-users wrote:
> On Wed, 11 Mar 2020, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote:
>>>>> Makes me look at this a different way. Perhaps change the certstore to
>>>>> only return valid CA certs. That way they are stored if anyone ever
>>>>> wants them but they won't get pulled down for ipa-certupdate or
>>>>> ipa-client-install.
>>>>>
>>>>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>>>>> I didn't do it. I wasn't sure if the best way would be to interactively
>>>>> show each cert and do a delete Y/N or what. Perhaps a delete with
>>>>> --expired-only to do the cleanup. I'm open to suggestions.
>>>>>
>>>>> rob
>>>>>
>>>>
>>>> I think it's fine to change ipa-certupdate so it skips expired /
>>>> not-yet-valid certs.
>>>>
>>>> IMO we should never automatically prune expired certs from the LDAP
>>>> trust store, so that if a customer needs to do time travel to fix an
>>>> issue, the old CA certs will still be there and an ipa-certupdate
>>>> will "restore" them to the various certificate DBs.
>>>>
>>>> And for the same reason, I'd be hesitant to offer a UI to prune
>>>> expired certs from the trust store.
>>>
>>> I agree. So, we still need a ticket for ipa-certupdate to gain an
>>> explicit option to ignore expired certs.
>>>
>>
>> IMHO it should be the default for certstore.get_ca_certs(). I opened
>> https://pagure.io/freeipa/issue/8223
>>
>> I don't know of a case where we would want to fetch non-valid CA
>> certificates, please update the ticket if you know of any.
>
> Valid from which point of view? A system we run on? E.g. based on the
> local time setup?
>
Correct, local time.

Francois updated the issue to indicate that the expired CA first causes
issues. I wonder if we should test sorting by expiration date instead.

rob

_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
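The behaviour discussed in this thread (return only the CA certs that are valid at the local time, and order the list so an expired CA is never first) written out as an added example. This is not FreeIPA's code and not from anyone in the thread: `select_ca_certs`, `is_valid_at`, the five-minute clock-skew tolerance and the `include_invalid` flag are my own names and assumptions, and the four CAs are constructed test data signed with throwaway EC keys via python-cryptography. The real function under discussion, `certstore.get_ca_certs()`, is not touched here.

```python
"""Select the CA certificates to push into a client's trust databases,
skipping ones that are expired or not yet valid at the local time.

Added example, not FreeIPA code. The function names, the clock-skew
tolerance and the sample CAs below are assumptions / constructed data.
"""
from datetime import datetime, timedelta, timezone

from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID


def validity_window(cert):
    """Return (not_before, not_after) as aware UTC datetimes.

    python-cryptography >= 42 exposes the *_utc properties; older releases
    only have naive UTC datetimes, so both shapes are accepted.
    """
    def as_utc(d):
        return d.replace(tzinfo=timezone.utc) if d.tzinfo is None else d.astimezone(timezone.utc)

    nb = getattr(cert, "not_valid_before_utc", None) or cert.not_valid_before
    na = getattr(cert, "not_valid_after_utc", None) or cert.not_valid_after
    return as_utc(nb), as_utc(na)


def is_valid_at(cert, now, skew=timedelta(minutes=5)):
    """True if `now` (the local clock, in UTC) lies inside the validity
    period widened by `skew`, so a slightly wrong clock does not drop a CA
    that has just become valid or just expired (assumed tolerance)."""
    nb, na = validity_window(cert)
    return nb - skew <= now <= na + skew


def select_ca_certs(certs, now=None, skew=timedelta(minutes=5), include_invalid=False):
    """Order (nickname, cert) pairs so currently valid CAs come first and,
    within each group, the longest-lived first; drop expired and
    not-yet-valid CAs unless include_invalid=True.

    The input list is left alone: the LDAP trust store keeps every cert,
    only the set handed to the local certificate DBs changes.
    """
    now = now or datetime.now(timezone.utc)

    def rank(item):
        _nick, cert = item
        _nb, na = validity_window(cert)
        return (not is_valid_at(cert, now, skew), -na.timestamp())

    ordered = sorted(certs, key=rank)
    if include_invalid:
        return ordered
    return [(n, c) for n, c in ordered if is_valid_at(c, now, skew)]


def make_ca(common_name, not_before, not_after):
    """Build a self-signed CA cert for the demo (constructed test data)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, common_name)])
    return (
        x509.CertificateBuilder()
        .subject_name(name)
        .issuer_name(name)
        .public_key(key.public_key())
        .serial_number(x509.random_serial_number())
        .not_valid_before(not_before)
        .not_valid_after(not_after)
        .add_extension(x509.BasicConstraints(ca=True, path_length=None), critical=True)
        .sign(key, hashes.SHA256())
    )


def demo():
    utc = timezone.utc
    # Reference "local time": the date of the thread, fixed so results are stable.
    now = datetime(2020, 3, 11, 12, 0, tzinfo=utc)
    certs = [
        ("expired-ca", make_ca("Old Example CA", datetime(2010, 1, 1, tzinfo=utc), datetime(2020, 1, 1, tzinfo=utc))),
        ("just-expired-ca", make_ca("Rotated Example CA", datetime(2015, 1, 1, tzinfo=utc), now - timedelta(minutes=2))),
        ("current-ca", make_ca("Example CA", datetime(2019, 1, 1, tzinfo=utc), datetime(2039, 1, 1, tzinfo=utc))),
        ("future-ca", make_ca("Next Example CA", datetime(2021, 1, 1, tzinfo=utc), datetime(2041, 1, 1, tzinfo=utc))),
    ]

    def names(pairs):
        return [n for n, _ in pairs]

    return {
        "default": names(select_ca_certs(certs, now)),
        "strict": names(select_ca_certs(certs, now, skew=timedelta(0))),
        "all_sorted": names(select_ca_certs(certs, now, include_invalid=True)),
    }


if __name__ == "__main__":
    for label, nicks in demo().items():
        print(f"{label}: {nicks}")
```

With the default skew the CA that expired two minutes ago is still handed out (clock drift between the server and the client is the "valid from which point of view" question in the thread); with `skew=0` it is dropped. `include_invalid=True` keeps every cert but puts the expired and not-yet-valid ones after the valid ones, which is the sort-by-expiration alternative mentioned above.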
