On 18.1.2016 09:07, Martin Kosek wrote:
On 01/15/2016 05:34 PM, Peter Pakos wrote:
On 15/01/2016 15:55, Rob Crittenden wrote:
I've re-run ipa-certupdate in verbose mode and I could see that it
removes all certificates in different databases (/etc/httpd/alias,
/etc/pki/nssdb, /etc/pki/pki-tomcat/alias) and then re-adds them (apart
from /etc/pki/pki-tomcat/alias).


Yup, looks like this part is missing. Perhaps the assumption was that
the CA would be authoritative in this regard.

Is this a bug? Should this be logged somewhere so it can be looked into?

Yes, <https://fedorahosted.org/freeipa/ticket/5600>.


Updating the CA certs you'd want to add them to LDAP, replacing the
older ones, and then ipa-certupdate will do the rest. You'd need to run
this on all clients and servers.

This sounds like a lot of manual work will be involved when it comes to renewal.

And without clear and up-to-date information and possibly step-by-step
instructions the effort needed to get this sorted is doubled.

Please note that it took us many hours to get a 3rd party SSL certificate
installed (you would think a very simple task). And the truth is that without
this mailing list and #freeipa channel we would still be stuck trying to get to
the bottom of this.


CCing Honza. Do we have all the respective tickets filed, so that we can
improve and speed up the user experience?

There's <https://fedorahosted.org/freeipa/ticket/4322> for automatic CA certificate distribution and <https://fedorahosted.org/freeipa/ticket/4785> and <https://fedorahosted.org/freeipa/ticket/4786> for ipa-server-certinstall fixes.

If there's anything missing, please file a new ticket.

--
Jan Cholasta

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
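The procedure Rob describes above (put the new CA certificate into LDAP, then run ipa-certupdate on every client and server), together with Peter's observation that the verbose run never re-adds certificates to /etc/pki/pki-tomcat/alias, leaves an obvious gap: nothing tells you afterwards whether the CA actually landed in every NSS database. The script below is an added example, not code from this thread or from the FreeIPA project. It assumes the three database paths named in the thread, takes the CA's NSS nickname as an argument, and uses certutil(1) from nss-tools to list each database; the SAMPLE_LISTING text is constructed to look like certutil -L output so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): after the CA certificate has
# been added to LDAP on one server (normally `ipa-cacert-manage install CA.pem`),
# run ipa-certupdate on this host and then verify that the CA nickname is present
# in every NSS database IPA services read. The thread reports that
# /etc/pki/pki-tomcat/alias is skipped (ticket 5600), so a "NOT PRESENT" there is
# the case this check exists to surface.

# Assumption: database paths as named in the thread. certutil accepts both the
# legacy dbm and the sql directory format at a plain path.
IPA_NSS_DBS="/etc/httpd/alias /etc/pki/nssdb /etc/pki/pki-tomcat/alias"

# Constructed sample of `certutil -L -d <db>` output (not captured from a real
# host), used to exercise nickname_in_listing without touching any database.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Server-Cert                                                  u,u,u
Vendor Root CA                                               ,,'

# nickname_in_listing LISTING NICKNAME
# Returns 0 when NICKNAME is a certificate nickname in the certutil listing,
# 1 otherwise. Certificate rows end in a trust-attribute column made only of
# the characters C T P c p u w and commas (",," when no trust is set); the
# nickname is everything before that column, which may itself contain spaces.
nickname_in_listing() {
    printf '%s\n' "$1" | awk -v n="$2" '
        $NF ~ /^[CTPcpuw,]+$/ {
            nick = substr($0, 1, length($0) - length($NF))
            sub(/[ \t]+$/, "", nick)           # drop the padding before the trust column
            if (nick == n) { found = 1; exit }
        }
        END { exit (found ? 0 : 1) }'
}

# check_db DB NICKNAME
# Lists one real database and prints a one-line verdict; nonzero on any problem.
check_db() {
    db=$1
    nick=$2
    if [ ! -d "$db" ]; then
        printf 'MISSING DB   %s\n' "$db"
        return 1
    fi
    listing=$(certutil -L -d "$db" 2>/dev/null) || {
        printf 'UNREADABLE   %s\n' "$db"
        return 1
    }
    if nickname_in_listing "$listing" "$nick"; then
        printf 'OK           %s\n' "$db"
    else
        printf 'NOT PRESENT  %s\n' "$db"
        return 1
    fi
}

# main NICKNAME
# Runs ipa-certupdate, then checks every database; exit status is nonzero if any
# database lacks the CA, so the script can be used from a fleet-wide loop.
main() {
    nick=$1
    ipa-certupdate || { echo "ipa-certupdate failed" >&2; return 1; }
    rc=0
    for db in $IPA_NSS_DBS; do
        check_db "$db" "$nick" || rc=1
    done
    return $rc
}

# Only act when given a nickname, e.g.
#   sh check-ca-distribution.sh 'EXAMPLE.COM IPA CA'
# so that sourcing the file for its helper functions has no side effects.
if [ "${1:-}" != "" ]; then
    main "$1"
fi
```

Run it on each server and client after ipa-certupdate; any "NOT PRESENT" line for /etc/pki/pki-tomcat/alias is the behaviour the ticket above tracks, and until it is fixed that database has to be updated by hand with certutil -A on the CA hosts.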