In the process of getting ready to upgrade a 3-replica, RHEL8-based IPA domain to RHEL9, we noticed that the replica assigned as the CA renewal master has ca.certStatusUpdateInterval=0 set in /etc/pki/pki-tomcat/ca/CS.cfg:

idm3 ~]$ ipa config-show | grep 'CA renewal'
  IPA CA renewal master: idm3.id.int
idm3 ~]# cat /etc/pki/pki-tomcat/ca/CS.cfg | grep ca.certStatusUpdateInterval
ca.certStatusUpdateInterval=0

One of the other replicas (idm1) is missing this entry completely, which presumably means that it is defaulting to 600 seconds. We suspect that the idm1 replica was the CA renewal master at some point, but that role was migrated to the idm3 replica and the configuration for the certificate updater task wasn't set/migrated.

Questions:

1. Is the fix as simple as adding ca.certStatusUpdateInterval=0 to idm1 and removing the entry (or setting to 600) on idm3 and restarting IdM services?
2. Since we have been running with this configuration for 3-ish years, anything we should look out for?

Thanks,
S
