Hi,

On Thu, Jul 4, 2024 at 10:18 AM Thomas Boroske via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:

> Dear Mailing List,
>
> we are running a freeipa installation using two ipa master servers.
> Neither the dns feature nor the CA feature are being used.
> VERSION: 4.6.8, API_VERSION: 2.237
>
> Both ipa servers have ssl/tls certs associated with them that are signed
> by an external CA.
>
> Since these certs expire after 12 months, I had to install new certificates
> multiple times, and I have been doing that using
>
> ipa-server-certinstall -w -d ipa1.p12
>
> This usually works, as in, the new cert shows up in the IPA web UI and the
> ipa tools (at least some of which work via the https interface) also
> continue to work.
>
> However, I just noticed that the certificates being displayed for the ipa
> servers both in ipa service-find and in the IPA web UI are old certs that
> are long expired (in 2021).
>
> So my question is
>
> a) Why is this the case, isn't ipa-server-certinstall supposed to take
> care of it?

This is a known issue, reported at #9417 <https://pagure.io/freeipa/issue/9417>
ipa-server-certinstall does not update service entries in LDAP
Work started at https://github.com/freeipa/freeipa/pull/6920 but other tasks
with higher priority came in and delayed the fix.

flo

> b) Why is it still working like that?
> c) Why are the certs that are actually used for the web interface not
> visible anywhere, or where are they?
>
> Do I maybe need to use the option -k (for kdc) too when doing
> ipa-server-certinstall?
> If so, can I fix it now by just re-running with that option?
> Are there risks in doing so?
>
> My understanding of FreeIPA is spotty I have to say as there are multiple
> complex technologies put together (kerberos, ldap, ...).
>
> Many thanks for any help,
>
> Thomas
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
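The symptom in the thread (the cert actually served on 443 is current, while the HTTP/ service entry in LDAP still carries an expired one) is easy to confirm with a fingerprint comparison. The script below is an added example for this thread, not FreeIPA project code and not something either poster ran. It assumes that `ipa service-show HTTP/<host> --all --raw` prints the stored certificate as a base64 `usercertificate:` attribute (DER once decoded); the hostname `ipa1.example.test` is a placeholder. The pure comparison helpers work offline on any two PEM files, and the live `ipa` / `openssl s_client` calls only run when a hostname is passed on the command line.

```shell
#!/bin/sh
# Added example: compare the TLS cert served by an IPA server's HTTPS port
# with the cert recorded on its HTTP/ service entry in LDAP. Not FreeIPA
# code; the usercertificate/--raw output format is an assumption.

# SHA-256 fingerprint of a PEM certificate file, e.g. AB:CD:...
cert_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# notAfter of a PEM certificate file, e.g. "Jul  4 08:00:00 2025 GMT"
cert_enddate() {
    openssl x509 -in "$1" -noout -enddate | sed 's/^notAfter=//'
}

# Compare two PEM files by fingerprint. Returns 0 on match, 1 on mismatch.
compare_certs() {
    served_fp=$(cert_fingerprint "$1")
    recorded_fp=$(cert_fingerprint "$2")
    if [ "$served_fp" = "$recorded_fp" ]; then
        echo "MATCH   $served_fp (expires $(cert_enddate "$1"))"
        return 0
    fi
    echo "MISMATCH served=$served_fp (expires $(cert_enddate "$1"))"
    echo "         ldap=$recorded_fp (expires $(cert_enddate "$2"))"
    return 1
}

# What the web server actually presents on port 443 (PEM on stdout).
fetch_served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# What the LDAP service entry carries (PEM on stdout). Assumes --raw prints
# the binary attribute base64-encoded as "usercertificate: <base64>".
fetch_service_cert() {
    ipa service-show "HTTP/$1" --all --raw \
        | awk '/^ *usercertificate:/ { print $2; exit }' \
        | base64 -d \
        | openssl x509 -inform DER
}

# Live check: needs a valid Kerberos ticket for the ipa CLI.
check_ipa_host() {
    tmpdir=$(mktemp -d) || return 2
    fetch_served_cert "$1"  > "$tmpdir/served.pem"  || { rm -rf "$tmpdir"; return 2; }
    fetch_service_cert "$1" > "$tmpdir/service.pem" || { rm -rf "$tmpdir"; return 2; }
    compare_certs "$tmpdir/served.pem" "$tmpdir/service.pem"
    rc=$?
    rm -rf "$tmpdir"
    return $rc
}

# Usage: sh check-ipa-cert.sh ipa1.example.test
if [ "$#" -gt 0 ]; then
    check_ipa_host "$1"
fi
```

A MISMATCH with an expired `ldap=` date is exactly the stale-service-entry state described in #9417: the HTTPS endpoint is fine, only the LDAP record was never updated by `ipa-server-certinstall`.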