Well that sounds fun :)
I'm hesitant to crosspost to pkg-freeipa-devel(a)lists.alioth.debian.org
to ask after the likelihood of seeing 4.5 in 18.04/Bionic, but hope
someone here might be able to comment?
WRT the exploding CA situation, I guess I'll need to get to a more sane
build, or switch over to a better supported RPM-based distro if that's
not on the cards. I should be safe in the short term given the standard
lifetime of an IPA cert, I hope!?
I'll continue to try and dig into why pki-tomcat dies on one but not all
VMs (CA enabled on 2 of them).
The risk you have isn't with the CA itself expiring but with the support
certificates (OCSP, audit, subsystem, etc). Those have a 2-year validity
period.
rob
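The two-year subsystem certificates are the thing to watch on a CA master whose certmonger renewals may silently fail, so here is an added example (not code from the thread, FreeIPA or certmonger) that parses the text `getcert list` prints and flags tracked certificates that are already expired, expire within a warning window, or whose renewal certmonger reports as stalled. The sample output is constructed: the request IDs, dates, nicknames, the EXAMPLE.COM realm and the mix of statuses are hypothetical; only the field layout (a `Request ID '...':` line followed by tab-indented `key: value` lines with an `expires:` timestamp in UTC) is what certmonger prints. The script name `check_certs.py` in the usage note is likewise assumed.

```python
"""Flag certmonger-tracked certs that are expired, near expiry or stalled.

Added example, not FreeIPA or certmonger code. Input is `getcert list`
output; the sample below is constructed (hypothetical IDs, dates, realm).
"""
from __future__ import annotations

import re
import sys
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample: the OCSP subsystem cert is 15 days from expiry with
# a stalled renewal, the audit cert is healthy, Apache's Server-Cert has
# already expired. Fields trimmed to those the parser below uses.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20171201120000':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.COM
\texpires: 2017-12-20 12:00:00 UTC
\tauto-renew: yes
Request ID '20171201120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.COM
\texpires: 2019-06-01 12:00:00 UTC
\tauto-renew: yes
Request ID '20171201120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2017-11-30 12:00:00 UTC
\tauto-renew: yes
"""


@dataclass
class TrackedCert:
    request_id: str
    nickname: str
    subject: str
    status: str
    stuck: bool
    expires: datetime  # timezone-aware, UTC


def parse_utc(stamp: str) -> datetime:
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_list(text: str) -> list[TrackedCert]:
    """Split `getcert list` output into one record per tracking request."""
    records: list[dict[str, str]] = []
    for line in text.splitlines():
        match = re.match(r"Request ID '([^']+)':", line)
        if match:
            records.append({"request_id": match.group(1)})
        elif records and line.startswith("\t") and ": " in line:
            key, _, value = line.strip().partition(": ")
            records[-1][key] = value
    certs = []
    for rec in records:
        nick = re.search(r"nickname='([^']*)'", rec.get("certificate", ""))
        certs.append(TrackedCert(
            request_id=rec["request_id"],
            nickname=nick.group(1) if nick else "<unknown>",
            subject=rec.get("subject", ""),
            status=rec.get("status", ""),
            stuck=rec.get("stuck") == "yes",
            expires=parse_utc(rec["expires"]),
        ))
    return certs


def findings(certs: list[TrackedCert], now: datetime, warn_days: int = 30):
    """Return (nickname, days_left, reason) for certs needing attention,
    soonest expiry first. A cert that certmonger marks stuck, or whose
    status is anything but MONITORING (e.g. CA_UNREACHABLE, CA_REJECTED),
    is flagged regardless of remaining validity: renewal is not happening."""
    out = []
    for c in certs:
        days_left = (c.expires - now).days
        if days_left < 0:
            out.append((c.nickname, days_left, "EXPIRED"))
        elif c.stuck or c.status != "MONITORING":
            out.append((c.nickname, days_left, f"renewal stalled ({c.status})"))
        elif days_left <= warn_days:
            out.append((c.nickname, days_left, "expires soon"))
    return sorted(out, key=lambda f: f[1])


if __name__ == "__main__":
    live = not sys.stdin.isatty()  # real `getcert list` piped in?
    text = sys.stdin.read() if live else SAMPLE_GETCERT_LIST
    now = datetime.now(timezone.utc) if live else parse_utc("2017-12-05 12:00:00 UTC")
    for nickname, days, reason in findings(parse_getcert_list(text), now):
        print(f"{nickname:35s} {days:5d} days  {reason}")
```

On a live CA master pipe the real output in (`getcert list | python3 check_certs.py`); with no input the script walks the constructed sample. Anything reported as stalled on a Debian/Ubuntu box is exactly the case the thread warns about, and it is far cheaper to fix while the old certificate is still valid.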
On 1 December 2017 at 13:53, Peter Fern via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Without installing a system to check, it appears to me that nss-pem
is still not packaged for Debian/Ubuntu, which means that certmonger
will break on you when it comes time to auto-renew your CAs.
I found this out the hard way early this year while running FreeIPA
with CA on Ubuntu, and recovery is very painful once your CA certs
have expired (actually impossible without compiling nss-pem, which
requires some source hacking and compiling of libnss to obtain
static libs).
Since nss-pem is unlikely to be packaged on Debian/-derivs, it looks
to me like until FreeIPA 4.5+ is packaged (where the conversion to
OpenSSL has been completed), it is still not safe to run a CA on Ubuntu.
On 01/12/17 23:27, David Harvey via FreeIPA-users wrote:
> hi Peter,
>
> Not a full answer to your questions but from my experience:
>
> Xenial: Worked, except OTP functionality
> Zesty: Worked except for DNS
> Artful: Seems fully functional and stable on the fresh installed
> replica, my upgraded from Zesty rig (with the workarounds noted
> earlier in thread) Still has pki-tomcat bombing fairly frequently.
> Bionic: I have high hopes for given LTS.. Currently showing same
> package versions
> package versions
> <https://packages.ubuntu.com/search?keywords=freeipa&searchon=names&am...>
> 4.4.4 as Artful
>
> Most of them required some cajoling during install or upgrade due
> to broken installer components (like directories not being created
> in one case, /etc/pki/pki.version confusing postinstall in
> another), but most of these behaviours were captured as bugs too.
> It feels very close to being something that can be reliably
> deployed, so I don't think it needs a huge amount more TLC to make
> it more of a pleasure to install ;)
>
> Cheers,
>
> David
>
> On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users
> <freeipa-users(a)lists.fedorahosted.org> wrote:
>
> On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
> > Not sure why tomcat is more resilient when launched as root, but the
> > pki seems to work ok at issuing certs after the above and a reboot for
> > good measure.
>
> This sounds like there are broken permissions in the current Ubuntu
> packages. You should be aware that last time I checked, FreeIPA on
> Ubuntu was subtly yet severely broken, mostly due to the NSS libs
> missing PEM support, which will stop your CA from renewing, amongst
> other things.
>
> Does anyone know what the state of packaging for deb distros is
> currently? Now that the OpenSSL migration is complete(?), the barriers
> to functional packages should be removed, but it looks like that only
> happened in 4.5, and it appears only 4.4 is packaged, which is likely
> still broken?
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org