[Freeipa-devel] Expired certs and certmonger in FreeIPA

Dmitri Pal dpal at redhat.com
Mon Oct 31 01:22:12 UTC 2011


On 10/30/2011 12:08 PM, Simo Sorce wrote:
> So my personal home installation is now more than 6 months old.
> How do I know that ? I know because originally we had a 6 months
> expiration period in SSL cert profiles and that was the exp. period of
> all my certs.
>
> So coming home I got a new laptop for my wife and I wanted to put it in
> the FreeIPA domain. I kinit as admin on the server and try to run an ipa
> command, and I get back an error that certs are expired :-(
>
> So, knowing certmonger should run I try to check that certmonger is
> alive, it isn't and messagebus isn't either. (This is an F15 issue so
> only relevant for the following behavior).
>
> Ok I start messagebus and certmonger and then issue a getcert list ..
> and it says the certs will expire in 2013 ... uhmm strange I think.
>
> Ok issue the ipa command again, and no luck, it still complains that
> certs are expired.
>
> So as a last attempt, before trying to manually issue new certs I just
> issue a service httpd restart ... and now the ipa command works again.
>
> So apparently this means apache is not able to find out it has new
> certs available, even after the certs it is currently using are expired.
>
> The question is: should we try to fix apache to be able to reread the
> cert store ? Or should we add to certmonger the ability to restart
> services when it renews certs ? Or when the previous ones finally
> expire ?
>
> I'd say the former but it might be a lot more difficult than the second.
>
> Thoughts ?
>
> Simo.
>
Please open two bugs. I think we should implement a workaround and let
apache address it at its own pace.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
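The condition Simo describes (a renewed certificate on disk while the running httpd keeps serving the expired one until it is restarted) is something a monitoring hook can detect from the outside. The script below is an added example, not code from this thread or from FreeIPA/certmonger; it assumes openssl is installed and a PEM copy of the on-disk certificate, and the NSS database path and nickname mentioned in the comment are assumptions.

```shell
#!/bin/sh
# Added example (not FreeIPA/certmonger code): detect a daemon that still serves
# an old certificate after the copy on disk was renewed. Compares the SHA-256
# fingerprint of the on-disk cert with the one a live TLS endpoint presents.
# For an NSS store (mod_nss) export the PEM first, e.g.
#   certutil -L -d /etc/httpd/alias -n Server-Cert -a > /tmp/server.pem
# (database path and nickname are assumptions, not taken from the thread).

# SHA-256 fingerprint of a PEM certificate file.
fp_of_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a live endpoint (host:port) presents.
fp_of_endpoint() {
    printf '' | openssl s_client -connect "$1" -servername "${1%%:*}" 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 | cut -d= -f2
}

# Return 0 when the served certificate matches the one on disk, 1 otherwise
# (stale in-process copy, or a failed fetch which yields an empty fingerprint).
served_matches_disk() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Return 0 when the PEM cert in $1 expires within $2 seconds (0 = already expired).
# openssl's -checkend exits non-zero exactly when the cert expires in that window.
expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Stand-alone usage: check_service CERT_FILE HOST:PORT
# Exit 2 when the daemon serves a stale certificate, so a cron job or monitoring
# hook can alert or trigger a service reload instead of waiting for an outage.
check_service() {
    disk_fp=$(fp_of_file "$1")
    live_fp=$(fp_of_endpoint "$2")
    if served_matches_disk "$disk_fp" "$live_fp"; then
        echo "OK: $2 serves the certificate in $1"
        return 0
    fi
    echo "STALE: $2 serves '$live_fp' but $1 is '$disk_fp' (reload needed)"
    return 2
}
```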

