Without installing a system to check, it appears to me that nss-pem is still not packaged for Debian/Ubuntu, which means that certmonger will break on you when it comes time to auto-renew your CAs.

I found this out the hard way early this year while running FreeIPA with CA on Ubuntu, and recovery is very painful once your CA certs have expired (actually impossible without compiling nss-pem, which requires some source hacking and compiling of libnss to obtain static libs).

Since nss-pem is unlikely to be packaged on Debian/-derivs, it looks to me like until FreeIPA 4.5+ is packaged (where the conversion to OpenSSL has been completed), it is still not safe to run a CA on Ubuntu.

On 01/12/17 23:27, David Harvey via FreeIPA-users wrote:
hi Peter,

Not a full answer to your questions but from my experience:

Xenial: Worked, except OTP functionality
Zesty: Worked except for DNS
Artful: Seems fully functional and stable on the fresh installed replica, my upgraded from Zesty rig (with the workarounds noted earlier in thread) Still has pki-tomcat bombing fairly frequently.
Bionic: I have high hopes for given LTS.. Currently showing same package versions 4.4.4 as Artful

Most of them required some cajoling during install or upgrade due to broken installer components (like directories not being created in one case, /etc/pki/pki.version confusing postinstall in another), but most of these behaviours were captured as bugs too.  It feels very close to being something that can be reliably deployed, so I don't think it needs a huge amount more TLC to make it more of a pleasure to install ;)

Cheers,

David

On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
> Not sure why tomcat is more resilient when launched as root, but the
> pki seems to work ok at issuing certs after the above and a reboot for
> good measure.

This sounds like there are broken permissions in the current Ubuntu
packages.  You should be aware that last time I checked, FreeIPA on
Ubuntu was subtly yet severely broken, mostly due to the NSS libs
missing PEM support, which will stop your CA from renewing, amongst
other things.

Does anyone know what the state of packaging for deb distros is
currently?  Now that the OpenSSL migration is complete(?), the barriers
to functional packages should be removed, but it looks like that only
happened in 4.5, and it appears only 4.4 is packaged, which is likely
still broken?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org