hi,

On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> usercertificate is a multi-valued LDAP attribute but IPA 3.0 only really
> operates on the "first" value returned (I didn't look at more recent
> versions). In this case it is the 267976717 cert. The other certs shown
> without details are for the other serial numbers that cert-find is reporting.
>
> I can't see a way that this first usercertificate value isn't revoked and
> removed upon renewal so I can't quite figure out how you got into this
> state (and so easily as I understand it). I wasn't able to reproduce it
> myself. Do you have any idea how wide-spread this is in your infrastructure?
>
> I can see that once in this state that any "extra" certs would just be
> stuck there, never to be revoked.

This is happening all over the place. I guess I will have to script this: retrieve the usercertificate attribute of the host computers, get their 'not before/not after' and serial number values, and revoke the oldest valid ones in case there is more than one valid one. This should not be very hard.

I need to monitor the certmonger status as well; a nagios plugin should do the trick.

--
Groeten,
natxo
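A sketch of the selection step described in the reply above, added here as an example and not code from the thread or from FreeIPA: it parses constructed `ipa cert-find` output (the field labels "Serial number:", "Not Before:", "Not After:" and "Revoked:" are assumed; check them against your version), keeps the still-valid certificate that expires last for a host, and lists the older valid ones as `ipa cert-revoke` commands to run by hand after review.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `ipa cert-find` output for one host (field labels
# assumed; Subject lines dropped for brevity, the parser ignores extra fields).
SAMPLE_CERT_FIND = """\
  Serial number: 267976717
  Not Before: Mon Oct 03 10:00:00 2016 UTC
  Not After: Thu Oct 04 10:00:00 2018 UTC

  Serial number: 267976701
  Not Before: Fri Jan 01 10:00:00 2016 UTC
  Not After: Sun Jan 01 10:00:00 2017 UTC

  Serial number: 267976650
  Not Before: Thu Jan 01 10:00:00 2015 UTC
  Not After: Fri Jan 01 10:00:00 2016 UTC
"""
DATE_FMT = "%a %b %d %H:%M:%S %Y UTC"
NOW = datetime(2016, 10, 4, tzinfo=timezone.utc)  # constructed "current" time

def parse_cert_find(text):
    """Turn blank-line-separated cert-find records into dicts keyed by label."""
    certs = []
    for block in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in block.splitlines():
            key, _, val = line.partition(":")
            fields[key.strip()] = val.strip()
        certs.append(fields)
    return certs

def plan_revocations(certs, now=NOW):
    """Keep the valid cert expiring last; other valid ones are superseded.
    Expired or already-revoked certs are left alone: they need no revocation."""
    valid = []
    for c in certs:
        if c.get("Revoked") == "True":
            continue
        not_before = datetime.strptime(c["Not Before"], DATE_FMT).replace(tzinfo=timezone.utc)
        not_after = datetime.strptime(c["Not After"], DATE_FMT).replace(tzinfo=timezone.utc)
        if not_before <= now < not_after:
            valid.append((not_after, int(c["Serial number"])))
    valid.sort(reverse=True)  # latest expiry first
    keep = valid[0][1] if valid else None
    return keep, [serial for _, serial in valid[1:]]

def revoke_commands(serials):
    """Commands to review and run by hand; reason 4 = superseded (RFC 5280)."""
    return ["ipa cert-revoke %d --revocation-reason=4" % s for s in serials]
```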
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project