Adam Bishop via FreeIPA-users wrote:
> We're in the process of decommissioning our oldest IPA servers
> (built in 2014). We've migrated the roles successfully and are making sure everything
> is ready to switch over to the new set, and just wanted to check a few
> observations/inconsistencies.
Migrating from what to what version?
> * On some of our newer clients /etc/ipa/ca.crt contains the root and the server
> certificate of the enrolment server instead of just the root - did the behaviour of
> ipa-client-install change at some point?
What version of the client? Can we see the client install log?
> * Our root contains the OCSP URI of one of the servers to be
> decommissioned in the Authority Information Access field. My understanding is that a client
> would never do an OCSP lookup on a root certificate so do we need to re-sign or add a
> CNAME prior to switching off?
OCSP is not enabled on IPA clients by default but that doesn't mean it
can never be used. I'd add a CNAME to be on the safe side.
> * When enrolling a client, ipa-client-install pulls down an expired RA
> certificate - however /var/lib/ipa/ra-agent.pem on all servers is current. Where might the
> expired cert be stored? Doesn't appear to cause an issue in any case.
Can we see the client install log? It should never attempt to pull the
RA certificate.
rob
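As an added example (not from the thread or the FreeIPA project), a shell check an admin could run against a bundle such as /etc/ipa/ca.crt to surface all three observations above: how many certificates the bundle holds and whether any are not self-signed, which OCSP responder URI each carries in its AIA extension, and whether any has expired. It assumes openssl(1) is installed; the bundle path is an argument.

```shell
#!/bin/sh
# Added example, not part of the original thread. Assumes openssl(1).
# Usage: inspect_bundle /etc/ipa/ca.crt

# Print one line per certificate in a PEM bundle, then a summary line.
inspect_bundle() {
    bundle="$1"
    tmpdir=$(mktemp -d) || return 1
    # Split the bundle: every BEGIN line starts a new zero-padded file.
    awk -v d="$tmpdir" '/-----BEGIN CERTIFICATE-----/{n++}
        n{print > (sprintf("%s/cert%03d.pem", d, n))}' "$bundle"
    count=0; expired=0; issued=0
    for f in "$tmpdir"/cert*.pem; do
        [ -f "$f" ] || continue
        count=$((count + 1))
        subject=$(openssl x509 -in "$f" -noout -subject | sed 's/^subject= *//')
        issuer=$(openssl x509 -in "$f" -noout -issuer | sed 's/^issuer= *//')
        not_after=$(openssl x509 -in "$f" -noout -enddate | sed 's/^notAfter=//')
        # -ocsp_uri prints the AIA OCSP responder(s), empty if none.
        ocsp=$(openssl x509 -in "$f" -noout -ocsp_uri | tr '\n' ' ')
        if [ "$subject" = "$issuer" ]; then
            kind=self-signed
        else
            kind=issued; issued=$((issued + 1))
        fi
        # -checkend 0 exits 0 while the certificate is still within validity.
        if openssl x509 -in "$f" -noout -checkend 0 >/dev/null; then
            state=valid
        else
            state=EXPIRED; expired=$((expired + 1))
        fi
        printf 'cert %d: %s %s subject=%s issuer=%s notAfter=%s ocsp=%s\n' \
            "$count" "$kind" "$state" "$subject" "$issuer" "$not_after" "${ocsp:-none}"
    done
    rm -rf "$tmpdir"
    # A CA bundle is expected to hold only self-signed roots; flag anything else.
    echo "$count certificate(s), $issued issued (non-root), $expired expired"
}
```

Run it on each client's bundle and compare the summary lines: a bundle reporting any "issued" certificate matches the first observation, and the ocsp= field shows which responder a client would consult if OCSP were enabled.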