Yes "Removing self-signed CA.” is there. Our configuration may have confused the upgrader.
We initially did a default install, which sets up certificate management with a self-signed cert. Then we moved to a commercial certificate, which was a documented procedure. So one of our 3 servers actually has a CA authority running, but as far as I know we don’t use it (unless it’s used for the self-signed certificates used by “kinit -a”). There were bugs with this particular pattern in previous releases. One of my replica installs was a mess and required lots of hand fixups, and one of the first upgrades did also. Maybe this is a remnant of that. I haven’t had any issues with upgrades in recent releases. I have no idea what at the next replica-install is going to look like. I guess I’ll have to do that when we move to Centos 8. As long as we’re OK with ra_plugin = dogtag dogtag_version = 10 enable_ra = True and it won’t cause trouble for future upgrades, I’m fine. I took those lines from the other non-CA replica, so I assume it’s OK. On Aug 28, 2019, at 4:38 PM, Rob Crittenden <rcrit...@redhat.com<mailto:rcrit...@redhat.com>> wrote: Hard to know for sure. It looks like the upgrader will set that when uninstalling the old selfsign CA. That might still be in /var/log/ipaupgrade.log. Look for "Removing self-signed CA. Certificates will need to managed manually."
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
