I think I found the issue (posting here in case someone else runs into something similar). It's Apple's doing. https://podtech.io/os/mac-osx/chrome-catalina-certificate-issue/
Basically, I have my default certificate date length set to 4 years (since our environment is small and these rarely ever change). In any case, this is no-good with Apple starting with Catalina.

------ (from the link) -----
For certificates issued after 2019-07-01:
The ExtendedKeyUsage extension must be present, with the id-kp-ServerAuth OID.
The validity period may not be longer than 825 days.
----- -----

So, I guess I'm going to have to _actually_ revoke a bunch of certs and re-issue them as 2 year certs instead in order to satisfy my MacOS users (which is quite a few). This is a serious pain, but I thought I would post here just in case anyone else with an internal CA (and using longer cert expiration lengths) isn't aware.

Thanks for helping me troubleshoot and verify the IPA side of things!

-- Chris

On Wed, Feb 12, 2020 at 6:39 PM Fraser Tweedale <ftwee...@redhat.com> wrote:
>
> On Wed, Feb 12, 2020 at 05:54:34PM -0500, Christopher Young wrote:
> > Interesting enough, I don't get this problem on my Fedora workstation
> > or a co-worker on a Windows-based system, so I'm currently
> > troubleshooting it as an issue on the Mac (which has Symantec Endpoint
> > Protection on it that I _wonder_ might be doing something here) until
> > I prove otherwise. I would like to be able to validate everything as
> > much as possible to eliminate the FreeIPA environment.
> >
> Is it possible to disable the Symantec Endpoint Protection and see
> if the problem goes away? Or to somehow trace the program to
> obtain evidence for or against the hypothesis?
>
> Cheers,
> Fraser
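
For anyone auditing an internal CA against the two requirements quoted in the message above, here is an added example (not part of the original thread and not FreeIPA code). It assumes the text printed by `openssl x509 -noout -dates -ext extendedKeyUsage` (OpenSSL 1.1.1 or later) and treats notBefore as the issue date; the function names and the sample outputs are constructed for illustration.

```python
from datetime import datetime, timedelta

CUTOFF = datetime(2019, 7, 1)          # rule applies to certs issued after this date
MAX_VALIDITY = timedelta(days=825)     # limit quoted in the post
SERVER_AUTH = "TLS Web Server Authentication"  # openssl's label for id-kp-serverAuth
DATE_FMT = "%b %d %H:%M:%S %Y GMT"     # date format printed by `openssl x509 -dates`

def parse_openssl(text):
    """Extract notBefore, notAfter and the EKU list from openssl text output."""
    cert = {"eku": []}                 # stays empty when the extension is absent
    lines = [l.strip() for l in text.splitlines()]
    for i, line in enumerate(lines):
        if line.startswith("notBefore="):
            cert["not_before"] = datetime.strptime(line.split("=", 1)[1], DATE_FMT)
        elif line.startswith("notAfter="):
            cert["not_after"] = datetime.strptime(line.split("=", 1)[1], DATE_FMT)
        elif line.startswith("X509v3 Extended Key Usage") and i + 1 < len(lines):
            cert["eku"] = [p.strip() for p in lines[i + 1].split(",")]
    return cert

def check_cert(text):
    """Return the list of violations; an empty list means the cert passes."""
    cert = parse_openssl(text)
    if cert["not_before"] <= CUTOFF:   # older certs are outside the quoted rule
        return []
    problems = []
    validity = cert["not_after"] - cert["not_before"]
    if validity > MAX_VALIDITY:
        problems.append(f"validity of {validity.days} days exceeds 825")
    if SERVER_AUTH not in cert["eku"]:
        problems.append("ExtendedKeyUsage lacks id-kp-serverAuth")
    return problems

# Constructed sample outputs (not taken from real certificates).
FOUR_YEAR = """notBefore=Feb 12 18:39:00 2020 GMT
notAfter=Feb 11 18:39:00 2024 GMT
X509v3 Extended Key Usage:
    TLS Web Server Authentication, TLS Web Client Authentication"""
NO_SERVER_AUTH = """notBefore=Mar  2 09:00:00 2020 GMT
notAfter=Mar  2 09:00:00 2022 GMT
X509v3 Extended Key Usage:
    TLS Web Client Authentication"""
OLD_CERT = """notBefore=Jun  3 10:00:00 2018 GMT
notAfter=Jun  2 10:00:00 2022 GMT"""

if __name__ == "__main__":
    for name, sample in [("four-year", FOUR_YEAR), ("no-serverAuth", NO_SERVER_AUTH),
                         ("pre-cutoff", OLD_CERT)]:
        print(name, check_cert(sample) or "ok")
```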