Adam Bishop via FreeIPA-users wrote:
> We're in the process of decommissioning our oldest IPA servers (built in
> 2014). We've migrated the roles successfully and are making sure everything
> is ready to switch over to the new set, and just wanted to check a few
> observations/inconsistencies.

Migrating from what to what version?

>
> * On some of our newer clients /etc/ipa/ca.crt contains the root and the
> server certificate of the enrolment server instead of just the root - did the
> behaviour of ipa-client-install change at some point?

What version of the client? Can we see the client install log?

> * Our root contains the OCSP URI of one of the servers to be decommissioned in
> the Authority Information Access field. My understanding is that a client
> would never do an OCSP lookup on a root certificate so do we need to re-sign
> or add a CNAME prior to switching off?

OCSP is not enabled on IPA clients by default but that doesn't mean it can
never be used. I'd add a CNAME to be on the safe side.

> * When enrolling a client, ipa-client-install pulls down an expired RA
> certificate - however /var/lib/ipa/ra-agent.pem on all servers is current.
> Where might the expired cert be stored? Doesn't appear to cause an issue in
> any case.

Can we see the client install log? It should never attempt to pull the RA
certificate.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
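Added example, not part of the thread and not FreeIPA's own tooling: a POSIX shell script that inspects a PEM bundle such as /etc/ipa/ca.crt and reports the facts the three questions above turn on, per certificate: whether it is self-signed (a root) or issued by something else, its notAfter, and any OCSP URI carried in Authority Information Access, plus a check for whether a given certificate file has already expired. The bundle it runs on is constructed with openssl inside the script; the realm EXAMPLE.TEST and the hosts ipa-old.example.test and ipa-new.example.test are hypothetical names, and the AIA pointing at the old host mirrors the situation Adam describes. It needs openssl 1.1.1 or later (for -addext) and writes only under mktemp directories.

```shell
#!/bin/sh
# Added example (not from the thread): inspect a PEM bundle like /etc/ipa/ca.crt
# and report, per certificate, self-signed vs. issued, expiry, and any OCSP URI
# in Authority Information Access; also test a cert file for expiry. Needs openssl.
set -eu

# count_certs BUNDLE -> number of PEM certificates in the file (0 if none)
count_certs() {
    grep -c 'BEGIN CERTIFICATE' "$1" || true
}

# cert_expired FILE -> exit status 0 if the first certificate in FILE is past its
# notAfter. openssl's "-checkend 0" succeeds only while the cert is still valid.
cert_expired() {
    ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1
}

# inspect_bundle BUNDLE -> one line per certificate, in bundle order:
#   <n>|<self-signed|issued>|<subject>|<issuer>|<notAfter>|<OCSP URI or ->
# "self-signed" is the subject == issuer heuristic; anything reported as
# "issued" is not a root and would not be expected in a CA-only bundle.
inspect_bundle() {
    bundle=$1
    tmp=$(mktemp)
    # Split the bundle into $tmp.1, $tmp.2, ... one certificate per file.
    awk -v prefix="$tmp." '/BEGIN CERTIFICATE/ { n++ } { print > (prefix n) }' "$bundle"
    count=$(count_certs "$bundle")
    i=1
    while [ "$i" -le "$count" ]; do
        f="$tmp.$i"
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        notafter=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        ocsp=$(openssl x509 -in "$f" -noout -ocsp_uri)   # empty when no AIA OCSP entry
        [ -n "$ocsp" ] || ocsp='-'
        if [ "$subject" = "$issuer" ]; then kind=self-signed; else kind=issued; fi
        printf '%s|%s|%s|%s|%s|%s\n' "$i" "$kind" "$subject" "$issuer" "$notafter" "$ocsp"
        i=$((i + 1))
    done
    rm -f "$tmp" "$tmp".*
}

# make_sample_bundle OUT -> constructed test data with hypothetical names: a
# self-signed CA whose AIA names an OCSP responder on a to-be-retired server,
# followed by a server certificate it issued, concatenated the way the mixed
# /etc/ipa/ca.crt in the thread is described. A real bundle comes from the server.
make_sample_bundle() {
    out=$1
    work=$(mktemp -d)
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$work/ca.key" -out "$work/ca.crt" \
        -subj '/O=EXAMPLE.TEST/CN=Certificate Authority' \
        -addext 'authorityInfoAccess = OCSP;URI:http://ipa-old.example.test/ca/ocsp' \
        2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$work/srv.key" -out "$work/srv.csr" \
        -subj '/O=EXAMPLE.TEST/CN=ipa-new.example.test' 2>/dev/null
    openssl x509 -req -in "$work/srv.csr" -CA "$work/ca.crt" -CAkey "$work/ca.key" \
        -set_serial 2 -days 365 -out "$work/srv.crt" 2>/dev/null
    cat "$work/ca.crt" "$work/srv.crt" > "$out"
    rm -rf "$work"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
make_sample_bundle "$demo/ca.crt"
printf 'certificates in bundle: %s\n' "$(count_certs "$demo/ca.crt")"
inspect_bundle "$demo/ca.crt"
```

On a real client, `inspect_bundle /etc/ipa/ca.crt` shows directly whether a non-root ("issued") certificate has ended up in the bundle and which OCSP responder the root advertises; on a server, `cert_expired /var/lib/ipa/ra-agent.pem` answers the currency question for that file. The subject == issuer test is a heuristic for "root", not a signature check; `openssl verify -CAfile FILE FILE` is the stricter test when a certificate's self-signature matters.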
