Dungan, Scott A. via FreeIPA-users wrote:
> In the process of getting ready to upgrade a 3-replica, RHEL8-based IPA
> domain to RHEL9, we noticed that the replica assigned as the CA renewal
> master has ca.certStatusUpdateInterval=0 set in
> /etc/pki/pki-tomcat/ca/CS.cfg:
>
> idm3 ~]$ ipa config-show | grep 'CA renewal'
> IPA CA renewal master: idm3.id.int
>
> idm3 ~]# cat /etc/pki/pki-tomcat/ca/CS.cfg | grep ca.certStatusUpdateInterval
> ca.certStatusUpdateInterval=0
>
> One of the other replicas (idm1) is missing this entry completely, which
> presumably means that it is defaulting to 600 seconds. We suspect that
> the idm1 replica was the CA renewal master at some point, but that role
> was migrated to the idm3 replica and the configuration for the
> certificate updater task wasn't set/migrated.
>
> Questions:
>
> 1. Is the fix as simple as adding ca.certStatusUpdateInterval=0 to idm1
> and removing the entry (or setting to 600) on idm3 and restarting
> IdM services?
This isn't related to CA renewal, only CRL generation and certificate
status updates. Though typically the CA renewal master and CRL generator
servers are the same.

It should not be present on your CRL generator CS.cfg. The other servers
should have it set to 0 to disable it.

You may want to double-check that the CRL generator also has
ca.crl.MasterCRL.enableCRLCache=true, ca.crl.MasterCRL.enableCRLUpdates=true
and ca.listenToCloneModifications=true. The other servers should have
these as false.

This was addressed upstream in https://pagure.io/freeipa/issue/9569 but
it isn't in RHEL 8.

rob

> 2. Since we have been running with this configuration for 3-ish years?
> Anything we should look out for?

I assume that you aren't using CRLs so it is probably not a big deal
either way.

rob

> Thanks,
>
> S

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
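As an added example (not part of the thread or of FreeIPA itself), a POSIX sh check that compares a CS.cfg against the per-role values Rob lists: the key must not be 0 on the CRL generator, and the three CRL/clone keys must be true there and false elsewhere. The role argument ("crlgen" or "other") and the sample config fragments are constructed for illustration; on a real server you would point it at /etc/pki/pki-tomcat/ca/CS.cfg.

```shell
# Compare a CS.cfg against the role-specific values from the reply above.
# Role is "crlgen" for the CRL generator and "other" for every other replica.

# cfg_get FILE KEY: print KEY's value from a CS.cfg, or "<unset>" when absent/empty.
cfg_get() {
    awk -F= -v k="$2" '$1 == k { v = substr($0, length(k) + 2) }
        END { print (v == "" ? "<unset>" : v) }' "$1"
}

# check_cs_cfg FILE ROLE: print one line per mismatch; return the mismatch count.
check_cs_cfg() {
    file=$1; role=$2; n=0
    interval=$(cfg_get "$file" ca.certStatusUpdateInterval)
    if [ "$role" = crlgen ]; then
        want=true
        # The generator must not disable status updates: key absent (default 600) or non-zero.
        if [ "$interval" = 0 ]; then
            echo "ca.certStatusUpdateInterval=0 on the CRL generator: remove it (default 600)"; n=$((n + 1))
        fi
    else
        want=false
        if [ "$interval" != 0 ]; then
            echo "ca.certStatusUpdateInterval should be 0 on a non-generator (found $interval)"; n=$((n + 1))
        fi
    fi
    for key in ca.crl.MasterCRL.enableCRLCache ca.crl.MasterCRL.enableCRLUpdates \
               ca.listenToCloneModifications; do
        val=$(cfg_get "$file" "$key")
        if [ "$val" != "$want" ]; then
            echo "$key should be $want for role $role (found $val)"; n=$((n + 1))
        fi
    done
    return $n
}

# write_samples: constructed CS.cfg fragments (not the poster's files) in a temp dir; prints the dir.
write_samples() {
    dir=$(mktemp -d)
    # Generator that still carries the disabling interval, the situation described in the thread.
    printf '%s\n' ca.certStatusUpdateInterval=0 ca.crl.MasterCRL.enableCRLCache=true \
        ca.crl.MasterCRL.enableCRLUpdates=true ca.listenToCloneModifications=true > "$dir/crlgen.cfg"
    # Other replica with the interval missing (so it defaults to 600) and CRL features off.
    printf '%s\n' ca.crl.MasterCRL.enableCRLCache=false ca.crl.MasterCRL.enableCRLUpdates=false \
        ca.listenToCloneModifications=false > "$dir/other.cfg"
    echo "$dir"
}

d=$(write_samples)
check_cs_cfg "$d/crlgen.cfg" crlgen || echo "crlgen.cfg: $? mismatch(es)"
check_cs_cfg "$d/other.cfg" other || echo "other.cfg: $? mismatch(es)"
```

Each constructed file yields exactly one finding (the interval key), which is the fix the question asks about; a correctly configured file prints nothing and returns 0.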
