Bob Strachan via FreeIPA-users wrote: > Rob and Jochen, > > Thank you both for your speedy reply. > > My IDM system seems to be working fine. I can issue certs. My concern is > with the two CS.cfg files, as I have no idea what they are for. I don't > know if the csr blobs in CS.cfg are necessary or if they need to be in sync > with the cert blobs I manually updated.
A CSR is a Certificate Signing Request. You don't want or need to touch these. > > After reading Jochen's notes, and my experience, I am guessing that the > renewal master updates the .../kra/conf/CS.cfg but not the kra CS.cfg files > on the other replicas. I am also guessing that my renewal server was a > fresh install and it hit the bug: > https://bugzilla.redhat.com/show_bug.cgi?id=1871188 Each subsystem (kra, ca) has only one CS.cfg. This is the subsystem configuration file which defines how it works. > > So I am still wondering, what are the CS.cfg files for???? I > > I would guess that they might be called when using ipa-cert-fix, but I am not > skilled enough to unpack what ipa-cert-fix does. If the CS.cfg files are > full deprecated on a Rhel 8.6 replicated IDM system, then I would like to > know, so I can relax. CS.cfg is a configuration file for each subsystem. It is definitely not deprecated. Whether certain values within the file are important is another matter. It is unclear how important the cert blobs are but we try to keep them up to date for neatness. Except for KRA which I totally missed doing. It does not appear to result in any problems though, beyond healthcheck mentioning it. Healthcheck is not an end-all-be-all grade of IPA health. It is a set of common things that cause problems that we can easily check on and report. There may be things missing and there may be false positives. The point is to keep admins watching for issues before they become major problems. > > As for advancing the certmonger configuration, It appears that my certs > should get renewed in 7 days. As such, I will just wait for the 7 days and > see if the renewal works. I have no expectation that the kra CS.cfg file > will get updated. > I can almost guarantee it won't because the issue Jochen filed hasn't been addressed yet. rob _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
