Thanks for the quick reply and clarifying, Rob. I think we were simply confused by the CRL generator role being on a different replica from the CA renewal master while following the official RHEL8 to RHEL9 migration guide. Those other three parameters are present on the CRL generator and you're correct that we aren't using CRLs anyway.
Cheers,
Scott

Dungan, Scott A. via FreeIPA-users wrote:
> In the process of getting ready to upgrade a 3-replica, RHEL8-based
> IPA domain to RHEL9, we noticed that the replica assigned as the CA
> renewal master has ca.certStatusUpdateInterval=0 set in
> /etc/pki/pki-tomcat/ca/CS.cfg:
>
> idm3 ~]$ ipa config-show | grep 'CA renewal'
> IPA CA renewal master: idm3.id.int
>
> idm3 ~]# cat /etc/pki/pki-tomcat/ca/CS.cfg | grep ca.certStatusUpdateInterval
> ca.certStatusUpdateInterval=0
>
> One of the other replicas (idm1) is missing this entry completely,
> which presumably means that it is defaulting to 600 seconds. We
> suspect that the idm1 replica was the CA renewal master at some point,
> but that role was migrated to the idm3 replica and the configuration
> for the certificate updater task wasn't set/migrated.
>
> Questions:
>
> 1. Is the fix as simple as adding ca.certStatusUpdateInterval=0 to idm1
> and removing the entry (or setting to 600) on idm3 and restarting
> IdM services?

This isn't related to CA renewal, only CRL generation and certificate status updates. Though typically the CA renewal master and CRL generator servers are the same.

It should not be present on your CRL generator CS.cfg. The other servers should have it set to 0 to disable it.

You may want to double-check that the CRL generator also has ca.crl.MasterCRL.enableCRLCache=true, ca.crl.MasterCRL.enableCRLUpdates=true and ca.listenToCloneModifications=true. The other servers should have these as false.

This was addressed upstream in https://pagure.io/freeipa/issue/9569 but it isn't in RHEL 8.

rob

> 2. Since we have been running with this configuration for 3-ish years,
> is there anything we should look out for?

I assume that you aren't using CRLs so it is probably not a big deal either way.

rob

> Thanks,
>
> S
> --

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
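The following audit script is an added example, not code from the thread or from the FreeIPA project. It turns Rob's description of the expected CS.cfg settings into a check that can be run on each replica: the CRL generator should have ca.crl.MasterCRL.enableCRLCache, ca.crl.MasterCRL.enableCRLUpdates and ca.listenToCloneModifications set to true and should not have the certificate status updater disabled, while every other replica should have those three set to false and ca.certStatusUpdateInterval=0. The role names "crl-generator" and "clone" are the script's own convention, it assumes CS.cfg is plain key=value lines as in the grep output quoted above, and the sample files it writes are constructed for illustration, not copies of anyone's configuration.

```shell
#!/bin/sh
# Added example (not from the thread): audit a pki-tomcat CA CS.cfg for the
# CRL-generator vs. clone settings described above. Role names
# ("crl-generator", "clone") are this script's own convention.
# Assumes CS.cfg is plain key=value lines, as in the grep output quoted above.

# cs_get FILE KEY: print the value of KEY in FILE (empty output if absent).
# Exact key match, so a key never matches a longer key with the same prefix,
# and any '=' inside the value is preserved.
cs_get() {
    awk -F= -v key="$2" '
        $1 == key { val = substr($0, length(key) + 2) }
        END       { print val }
    ' "$1"
}

# check_cs_cfg ROLE FILE: print one line per setting that disagrees with the
# expectation for ROLE; return 1 if anything was flagged, 0 otherwise.
check_cs_cfg() {
    role=$1
    file=$2
    rc=0

    # The CRL generator owns CRL caching/updates and listens to clone
    # modifications; every other replica should have these off.
    if [ "$role" = "crl-generator" ]; then
        want=true
    else
        want=false
    fi
    for key in ca.crl.MasterCRL.enableCRLCache \
               ca.crl.MasterCRL.enableCRLUpdates \
               ca.listenToCloneModifications; do
        got=$(cs_get "$file" "$key")
        if [ "$got" != "$want" ]; then
            echo "$file: $key is '${got:-<absent>}', expected '$want' for $role"
            rc=1
        fi
    done

    # Certificate status updater: disabled (0) on the clones; on the CRL
    # generator the entry should be absent so the default interval applies.
    interval=$(cs_get "$file" ca.certStatusUpdateInterval)
    if [ "$role" = "crl-generator" ]; then
        if [ "$interval" = "0" ]; then
            echo "$file: ca.certStatusUpdateInterval=0 disables the status updater on the CRL generator; remove the entry"
            rc=1
        fi
    elif [ "$interval" != "0" ]; then
        echo "$file: ca.certStatusUpdateInterval is '${interval:-<absent>}', expected 0 on a non-CRL-generator replica"
        rc=1
    fi
    return $rc
}

# make_samples: write three constructed CS.cfg fragments (illustrative, not
# real files from any replica) into a temp dir and print its path.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/crl-generator.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=true
ca.crl.MasterCRL.enableCRLUpdates=true
ca.listenToCloneModifications=true
EOF
    cat > "$dir/clone.cfg" <<'EOF'
ca.certStatusUpdateInterval=0
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=false
ca.listenToCloneModifications=false
EOF
    # A clone that never received the settings: CRL updates still on and the
    # status updater interval missing (so it runs at the default).
    cat > "$dir/misconfigured-clone.cfg" <<'EOF'
ca.crl.MasterCRL.enableCRLCache=false
ca.crl.MasterCRL.enableCRLUpdates=true
ca.listenToCloneModifications=false
EOF
    echo "$dir"
}

# Run with --demo to exercise the checks against the constructed samples.
# On a real replica: check_cs_cfg clone /etc/pki/pki-tomcat/ca/CS.cfg
case "${1:-}" in
    --demo)
        dir=$(make_samples)
        check_cs_cfg crl-generator "$dir/crl-generator.cfg" && echo "crl-generator.cfg: OK"
        check_cs_cfg clone "$dir/clone.cfg" && echo "clone.cfg: OK"
        check_cs_cfg clone "$dir/misconfigured-clone.cfg" || echo "misconfigured-clone.cfg: needs fixing"
        rm -rf "$dir"
        ;;
esac
```

Run it with the "clone" role on every replica except the one that `ipa config-show` reports as the CRL generator, and with "crl-generator" on that one; a non-zero exit means at least one of the settings Rob listed disagrees with the role, and the printed lines say which. The script only reads CS.cfg, so it is safe to run before deciding whether to edit anything and restart services.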
