On 01/15/2016 05:34 PM, Peter Pakos wrote:
> On 15/01/2016 15:55, Rob Crittenden wrote:
>>> I've re-run ipa-certupdate in verbose mode and I could see that it
>>> removes all certificates in different databases (/etc/httpd/alias,
>>> /etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
>>> from /etc/pki/pki-tomcat/alias).
>> Yup, looks like this part is missing. Perhaps the assumption was that
>> the CA would be authoritative in this regard.
> Is this a bug? Should this be logged somewhere so it can be looked into?
>> Updating the CA certs you'd want to add them to LDAP, replacing the
>> older ones, and then ipa-certupdate will do the rest. You'd need to run
>> this on all clients and servers.
> This sounds like a lot of manual work will be involved when it comes to 
> renewal.
> And without clear and up-to-date information and possibly step-by-step
> instructions the effort needed to get this sorted is doubled.
> Please note that it took us many hours to get a 3rd party SSL certificate
> installed (you would think a very simple task). And the truth is that without
> this mailing list and #freeipa channel we would still be stuck trying to get 
> to
> the bottom of this.

CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to