Natxo Asenjo wrote:
> > On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden <rcrit...@redhat.com
> > usercertificate is a multi-valued LDAP attribute but IPA 3.0 only
> > really operates on the "first" value returned (I didn't look at more
> > recent versions). In this case it is the 267976717 cert. The other
> > certs shown without details are for the other serial numbers that
> > cert-find is reporting.
> > I can't see a way that this first usercertificate value isn't
> > revoked and removed upon renewal so I can't quite figure out how you
> > got into this state (and so easily as I understand it). I wasn't
> > able to reproduce it myself. Do you have any idea how widespread
> > this is in your infrastructure?
> > I can see that once in this state that any "extra" certs would just
> > be stuck there, never to be revoked.
> This is happening all over the place.
> I guess I will have to script this: retrieve the usercertificate
> attribute of the host computers, get their 'not before/not after' and
> serial number values, and revoke the oldest valid ones in case there is
> more than one valid one. This should not be very hard.
> I need to monitor the certmonger status as well, a Nagios plugin should
> do the trick.
You may want to open a bug against RHEL 6 on this as well.
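The triage step Natxo sketches above (look at every usercertificate value, not just the first; pull serial number and notBefore/notAfter out of each; revoke the older still-valid ones) as an added example in Python. This is not code from the thread or from FreeIPA. It decodes the DER itself with the standard library so it runs offline; the sample certificates, their serials and dates are constructed test data, and the `ipa cert-revoke <serial> --revocation-reason=4` commands (reason 4 = superseded) are only built as a list for review, never executed:

```python
"""Triage a multi-valued userCertificate attribute: keep the newest currently
valid certificate, flag other still-valid ones for revocation, list expired
leftovers for cleanup. Stdlib only; a minimal DER reader does the parsing."""
import datetime as dt
from typing import List, NamedTuple, Optional, Tuple


class CertInfo(NamedTuple):
    serial: int
    not_before: dt.datetime
    not_after: dt.datetime


# ---- DER reading: just enough X.509 to reach serialNumber and validity ----
def read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    """Return (tag, value, position after the element) for the TLV at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                               # long-form length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_time(tag: int, val: bytes) -> dt.datetime:
    """UTCTime (0x17, YYMMDDHHMMSSZ) or GeneralizedTime (0x18, YYYYMMDDHHMMSSZ)."""
    s = val.decode("ascii")
    if tag == 0x17:                                 # RFC 5280: 50-99 -> 19xx, 00-49 -> 20xx
        s = ("19" if int(s[:2]) >= 50 else "20") + s
    return dt.datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def cert_summary(der_cert: bytes) -> CertInfo:
    """Extract serialNumber, notBefore and notAfter from one DER certificate."""
    _, cert, _ = read_tlv(der_cert, 0)              # Certificate SEQUENCE
    _, tbs, _ = read_tlv(cert, 0)                   # TBSCertificate SEQUENCE
    tag, val, pos = read_tlv(tbs, 0)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        tag, val, pos = read_tlv(tbs, pos)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER expected")
    serial = int.from_bytes(val, "big")             # Dogtag serials are positive
    _, _, pos = read_tlv(tbs, pos)                  # signature AlgorithmIdentifier
    _, _, pos = read_tlv(tbs, pos)                  # issuer Name
    _, validity, _ = read_tlv(tbs, pos)             # Validity SEQUENCE
    t1, nb, p = read_tlv(validity, 0)
    t2, na, _ = read_tlv(validity, p)
    return CertInfo(serial, parse_time(t1, nb), parse_time(t2, na))


# ---- the triage itself ----------------------------------------------------
def triage(values: List[bytes], now: dt.datetime):
    """Split the attribute's values into (keep, revoke, expired).

    Every value is inspected, and the winner is chosen by notBefore rather
    than by attribute order. Not-yet-valid certificates are left alone.
    """
    certs = sorted((cert_summary(v) for v in values),
                   key=lambda c: c.not_before, reverse=True)
    valid = [c for c in certs if c.not_before <= now <= c.not_after]
    expired = [c for c in certs if c.not_after < now]
    keep: Optional[CertInfo] = valid[0] if valid else None
    return keep, valid[1:], expired


def revoke_commands(revoke: List[CertInfo]) -> List[List[str]]:
    """ipa cert-revoke invocations to run after review; reason 4 = superseded."""
    return [["ipa", "cert-revoke", str(c.serial), "--revocation-reason=4"]
            for c in revoke]


# ---- DER writing, used only to build constructed sample values ------------
def _der(tag: int, payload: bytes) -> bytes:
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + payload


def _der_int(v: int) -> bytes:                      # extra byte keeps the sign bit clear
    return _der(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big"))


def make_sample_cert(serial: int, nb: dt.datetime, na: dt.datetime) -> bytes:
    """Unsigned, structurally valid v3 certificate shell with dummy names and
    key: constructed test data, not issued by any CA."""
    sha256_rsa = _der(0x30, _der(0x06, bytes.fromhex("2a864886f70d01010b")) + _der(0x05, b""))
    cn = _der(0x30, _der(0x06, bytes.fromhex("550403")) + _der(0x0C, b"test"))
    name = _der(0x30, _der(0x31, cn))
    spki = _der(0x30, sha256_rsa + _der(0x03, b"\x00"))
    utc = lambda t: _der(0x17, t.strftime("%y%m%d%H%M%SZ").encode())
    tbs = _der(0x30, _der(0xA0, _der_int(2)) + _der_int(serial) + sha256_rsa + name
               + _der(0x30, utc(nb) + utc(na)) + name + spki)
    return _der(0x30, tbs + sha256_rsa + _der(0x03, b"\x00"))


def _utc(y: int, m: int, d: int) -> dt.datetime:
    return dt.datetime(y, m, d, tzinfo=dt.timezone.utc)


NOW = _utc(2016, 10, 4)
# Constructed: three renewals of one host certificate, deliberately stored out
# of order, as the directory may return them (serials are hypothetical).
SAMPLE_VALUES = [
    make_sample_cert(1002, _utc(2015, 8, 1), _utc(2017, 8, 1)),   # valid, older
    make_sample_cert(1003, _utc(2016, 8, 1), _utc(2018, 8, 1)),   # valid, newest
    make_sample_cert(1001, _utc(2012, 9, 1), _utc(2014, 9, 1)),   # expired
]

if __name__ == "__main__":
    keep, revoke, expired = triage(SAMPLE_VALUES, NOW)
    print("keep   :", keep.serial if keep else None)
    print("revoke :", [c.serial for c in revoke])
    print("expired:", [c.serial for c in expired])
    for cmd in revoke_commands(revoke):
        print(" ".join(cmd))
```

Feed `triage()` the base64-decoded usercertificate values you get from ldapsearch or `ipa host-show --all` for each host. Two caveats before running the generated commands: confirm on the host with `getcert list` that the certificate being kept is the one certmonger is tracking, and remember that revoking does nothing to the stale LDAP values themselves; deleting those from the entry is a separate ldapmodify that this example does not perform.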
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project