On 01/15/2016 05:34 PM, Peter Pakos wrote:
> On 15/01/2016 15:55, Rob Crittenden wrote:
>>> I've re-run ipa-certupdate in verbose mode and I could see that it
>>> removes all certificates in different databases (/etc/httpd/alias,
>>> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
>>> from /etc/pki/pki-tomcat/alias).
>>
>> Yup, looks like this part is missing. Perhaps the assumption was that
>> the CA would be authoritative in this regard.
>
> Is this a bug? Should this be logged somewhere so it can be looked into?
>
>> Updating the CA certs you'd want to add them to LDAP, replacing the
>> older ones, and then ipa-certupdate will do the rest. You'd need to run
>> this on all clients and servers.
>
> This sounds like a lot of manual work will be involved when it comes to
> renewal.
>
> And without clear and up-to-date information and possibly step-by-step
> instructions the effort needed to get this sorted is doubled.
>
> Please note that it took us many hours to get a 3rd party SSL certificate
> installed (you would think a very simple task). And the truth is that without
> this mailing list and #freeipa channel we would still be stuck trying to get
> to the bottom of this.
>
CCing Honza. Do we have all the respective tickets filed, so that we can improve and speed up the user experience?

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
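The gap Peter describes (ipa-certupdate repopulating /etc/httpd/alias and /etc/pki/nssdb but not /etc/pki/pki-tomcat/alias) is something an administrator can verify directly after a run. The script below is an added example written for this thread; it is not FreeIPA or Dogtag project code and not something either poster provided. It assumes the NSS `certutil` tool from nss-tools (`certutil -L -d DIR` to list a database, `certutil -L -d DIR -n NICK -a` to dump one certificate as PEM), parses the listing, and compares the CA-trusted certificates across the three databases by SHA-256 fingerprint of the DER rather than by nickname, because the same CA is stored under different nicknames in different databases (the `caSigningCert cert-pki-ca` nickname in pki-tomcat is an assumption based on Dogtag conventions). The sample inventory at the bottom is constructed: its "certificates" are fixed bytes wrapped as PEM so the comparison runs offline.

```python
"""Cross-check which CA certificates each NSS database holds after
ipa-certupdate. Added example for the freeipa-users thread; not project code.
Assumes nss-tools' certutil for the live path; the sample data is constructed."""
import base64
import hashlib
import re
import shutil
import subprocess

# The three databases the thread says ipa-certupdate touches.
NSS_DBS = ("/etc/httpd/alias", "/etc/pki/nssdb", "/etc/pki/pki-tomcat/alias")

# A data row of `certutil -L` looks like "<nickname>   <ssl>,<email>,<objsign>".
# Nicknames may contain spaces, so anchor on the trailing trust-flag triple;
# the two header lines never match (no comma triple / leading whitespace).
_ROW = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")


def parse_certutil_list(text):
    """Map nickname -> trust flags from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW.match(line)
        if m:
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def is_ca_trusted(trust_flags):
    """True when the SSL column carries C (trusted CA) or T (trusted to issue client certs)."""
    ssl = trust_flags.split(",")[0]
    return "C" in ssl or "T" in ssl


def pem_fingerprint(pem):
    """SHA-256 over the DER bytes inside a PEM CERTIFICATE block, as lowercase hex."""
    body = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not body:
        raise ValueError("no CERTIFICATE block found")
    der = base64.b64decode("".join(body.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def compare_ca_inventory(inventory):
    """inventory: {db_dir: {nickname: pem}} holding only CA-trusted certs.

    Returns {db_dir: sorted [(fingerprint, nicknames_elsewhere), ...]} listing
    every CA that some other database holds but this one lacks."""
    by_db, names = {}, {}
    for db, certs in inventory.items():
        fps = set()
        for nick, pem in certs.items():
            fp = pem_fingerprint(pem)
            fps.add(fp)
            names.setdefault(fp, set()).add(nick)
        by_db[db] = fps
    everywhere = set().union(*by_db.values()) if by_db else set()
    return {db: sorted((fp, sorted(names[fp])) for fp in everywhere - fps)
            for db, fps in by_db.items()}


def collect_live_inventory(dbs=NSS_DBS):
    """Build the inventory from this host's databases (needs nss-tools and read access)."""
    if shutil.which("certutil") is None:
        raise RuntimeError("certutil not found; install nss-tools")
    inventory = {}
    for db in dbs:
        listing = subprocess.run(["certutil", "-L", "-d", db],
                                 capture_output=True, text=True, check=True).stdout
        inventory[db] = {}
        for nick, trust in parse_certutil_list(listing).items():
            if is_ca_trusted(trust):
                pem = subprocess.run(["certutil", "-L", "-d", db, "-n", nick, "-a"],
                                     capture_output=True, text=True, check=True).stdout
                inventory[db][nick] = pem
    return inventory


def _fake_pem(der_bytes):
    """Wrap fixed bytes as a PEM CERTIFICATE block: constructed test data, not a real cert."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.b64encode(der_bytes).decode()
            + "\n-----END CERTIFICATE-----\n")


_IPA_CA = _fake_pem(b"constructed IPA CA signing cert")
_EXT_ROOT = _fake_pem(b"constructed third-party root CA")

# Constructed inventory mirroring the thread: the third-party root reached the
# httpd and system databases but not pki-tomcat's. Nicknames are assumptions.
SAMPLE_INVENTORY = {
    "/etc/httpd/alias": {"EXAMPLE.TEST IPA CA": _IPA_CA, "Example Root CA": _EXT_ROOT},
    "/etc/pki/nssdb": {"EXAMPLE.TEST IPA CA": _IPA_CA, "Example Root CA": _EXT_ROOT},
    "/etc/pki/pki-tomcat/alias": {"caSigningCert cert-pki-ca": _IPA_CA},
}

# Constructed `certutil -L` output in the tool's real layout.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Example Root CA                                              CT,C,C
Server-Cert                                                  u,u,u
"""

if __name__ == "__main__":
    for db, missing in compare_ca_inventory(SAMPLE_INVENTORY).items():
        for fp, nicks in missing:
            print(f"{db}: missing CA {fp[:16]}... (known elsewhere as {', '.join(nicks)})")
```

On a live server, replace `SAMPLE_INVENTORY` with `collect_live_inventory()` and run it before and after ipa-certupdate; an empty result for every database means all CA certificates are present everywhere, while an entry under /etc/pki/pki-tomcat/alias is the symptom the thread reports.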
