Nevermind, it appears there may be some minimum amount of time before certmonger looks at a cert, and the amount of time is greater than my 10 minutes. I'll watch the logs overnight and adjust certificate validity to be slightly longer and continue my testing. Sorry for the noise!
On Tue, Aug 30, 2022 at 5:52 PM IPA Listmail <[email protected]> wrote: > client: el8 > ipa server: el7 > > I created a cert via: > sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname > -f)\ > -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem\ > -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem > > Everything about the cert _appears_ to be fine. Openssl output looks > normal and the puppet agent runs fine. > > During testing I have radically reduced the certificate validity down to > 10 minutes. The output of ipa-getcert list is: > > Number of certificates and requests being tracked: 1. > Request ID '20220830202305': > status: MONITORING > stuck: no > key pair storage: > type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem' > > certificate: > type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem' > > CA: IPA > issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619 > subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM > 20220829230619 > issued: 2022-08-30 21:29:11 UTC > expires: 2022-08-30 21:39:11 UTC > dns: ip-10-0-82-56.eu-west-1.compute.internal > principal name: host/ > [email protected] > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: > track: yes > auto-renew: yes > > However, it never actually updates before (or after) expiration. I have > tried restarting the service and rebooting. This is happening on two hosts. > I see no failures in the log or anything in the log after the last resubmit > command. I have manually used rekey and resubmit. Both worked fine. Using a > blog post from Fraser, I tried start-tracking with --no-renew, then > --renew. I looked for errors. The only thing that seem kind of odd to me is > in /var/lib/certmonger/requests/20220830202305: > last_need_notify_check=20220830205312 > last_need_enroll_check=20220830205312 > >
_______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
