David Harvey via FreeIPA-users wrote:
> Well that sounds fun :)
> I'm hesitant to crosspost to pkg-freeipa-devel@lists.alioth.debian.org
> to ask after the likelihood of seeing 4.5 in 18.04/Bionic, but hope
> someone here might be able to comment?
>
> WRT the exploding CA situation. I guess I'll need to get to a more sane
> build, or switch over to a better supported rpm based distro if that's
> not on the cards.. I should be safe in the short term given the standard
> lifetime of an IPA cert I hope!?
>
> I'll continue to try and dig into why pki-tomcat dies on one but not all
> VMs (ca enabled on 2 of them)
The risk you have isn't with the CA itself expiring but with the support
certificates (OCSP, audit, subsystem, etc). Those have a 2-year validity
period.
rob
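The point Rob makes above is easy to lose in practice: the CA certificate itself has a long lifetime, but the Dogtag support certificates (OCSP, audit, subsystem) expire on a much shorter cycle, and if certmonger cannot renew them (the nss-pem problem Peter describes) the failure only shows up when they lapse. The added example below is not part of the thread or of FreeIPA; it parses a `getcert list` capture (certmonger's output, with the `expires:` line in the `YYYY-MM-DD HH:MM:SS UTC` form certmonger prints, which is assumed here) and flags certificates that are expired, close to expiry, or no longer being renewed. The sample output, request ids, dates and statuses are constructed for the example; only the certificate nicknames follow the usual Dogtag/FreeIPA naming.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output (certmonger), trimmed to the
# fields this check reads. The nicknames follow the Dogtag/FreeIPA naming for
# the OCSP, audit and subsystem certificates mentioned in the thread; the
# request ids, dates and statuses are invented for the example.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20171201120001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2019-11-15 09:00:00 UTC
Request ID '20171201120002':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2020-01-15 12:00:00 UTC
Request ID '20171201120003':
    status: CA_UNREACHABLE
    stuck: yes
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2019-10-01 00:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':", re.M)
FIELD_RE = re.compile(r"^\s*(status|stuck|CA|expires):\s*(.+?)\s*$", re.M)
NICKNAME_RE = re.compile(r"nickname='([^']+)'")
TIME_FORMAT = "%Y-%m-%d %H:%M:%S UTC"  # assumed certmonger timestamp layout


def parse_time(value):
    """Parse a certmonger 'YYYY-MM-DD HH:MM:SS UTC' timestamp as an aware datetime."""
    return datetime.strptime(value, TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    parts = REQUEST_RE.split(text)  # [preamble, id1, body1, id2, body2, ...]
    records = []
    for request_id, body in zip(parts[1::2], parts[2::2]):
        rec = {"request_id": request_id, "nickname": None}
        for key, value in FIELD_RE.findall(body):
            rec[key] = parse_time(value) if key == "expires" else value
        match = NICKNAME_RE.search(body)
        if match:
            rec["nickname"] = match.group(1)
        records.append(rec)
    return records


def certificate_findings(text, now_str, warn_days=30):
    """Flag tracked certificates that are expired, close to expiry, or that
    certmonger is no longer renewing. `now_str` uses the same timestamp
    format so the check can be run against a saved `getcert list` capture."""
    now = parse_time(now_str)
    findings = []
    for rec in parse_getcert_list(text):
        days_left = (rec["expires"] - now).days
        problems = []
        if days_left < 0:
            problems.append("expired %d days ago" % -days_left)
        elif days_left <= warn_days:
            problems.append("expires in %d days" % days_left)
        # A request that is stuck or not in MONITORING will not renew on its own,
        # which is exactly the failure mode described in the thread.
        if rec.get("stuck") == "yes" or rec.get("status") != "MONITORING":
            problems.append("not being renewed (status=%s, stuck=%s)"
                            % (rec.get("status"), rec.get("stuck")))
        findings.append({"nickname": rec["nickname"],
                         "request_id": rec["request_id"],
                         "days_left": days_left,
                         "problems": problems})
    findings.sort(key=lambda f: f["days_left"])  # most urgent first
    return findings


if __name__ == "__main__":
    # Evaluate the constructed capture as if the check ran on 2019-11-01.
    for f in certificate_findings(SAMPLE_GETCERT_OUTPUT, "2019-11-01 00:00:00 UTC"):
        state = "; ".join(f["problems"]) or "ok"
        print("%-32s %5d days  %s" % (f["nickname"], f["days_left"], state))
```

Run against a real capture (`getcert list > /tmp/getcert.txt`) and a current timestamp, the same function gives an early warning that is independent of whether certmonger's own renewal path works on the distro in question, which is the gap this thread is about.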
>
> On 1 December 2017 at 13:53, Peter Fern via FreeIPA-users
> <freeipa-users@lists.fedorahosted.org> wrote:
>
> Without installing a system to check, it appears to me that nss-pem
> is still not packaged for Debian/Ubuntu, which means that certmonger
> will break on you when it comes time to auto-renew your CAs.
>
> I found this out the hard way early this year while running FreeIPA
> with CA on Ubuntu, and recovery is very painful once your CA certs
> have expired (actually impossible without compiling nss-pem, which
> requires some source hacking and compiling of libnss to obtain
> static libs).
>
> Since nss-pem is unlikely to be packaged on Debian/-derivs, it looks
> to me like until FreeIPA 4.5+ is packaged (where the conversion to
> OpenSSL has been completed), it is still not safe to run a CA on Ubuntu.
>
>
> On 01/12/17 23:27, David Harvey via FreeIPA-users wrote:
>> hi Peter,
>>
>> Not a full answer to your questions but from my experience:
>>
>> Xenial: Worked, except OTP functionality
>> Zesty: Worked except for DNS
>> Artful: Seems fully functional and stable on the freshly installed
>> replica; my rig upgraded from Zesty (with the workarounds noted
>> earlier in the thread) still has pki-tomcat bombing fairly frequently.
>> Bionic: I have high hopes for, given LTS.. Currently showing the same
>> package version (4.4.4) as Artful:
>> <https://packages.ubuntu.com/search?keywords=freeipa&searchon=names&suite=bionic&section=all>
>>
>> Most of them required some cajoling during install or upgrade due
>> to broken installer components (like directories not being created
>> in one case, /etc/pki/pki.version confusing postinstall in
>> another), but most of these behaviours were captured as bugs too.
>> It feels very close to being something that can be reliably
>> deployed, so I don't think it needs a huge amount more TLC to make
>> it more of a pleasure to install ;)
>>
>> Cheers,
>>
>> David
>>
>> On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users
>> <freeipa-users@lists.fedorahosted.org> wrote:
>>
>> On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
>> > Not sure why tomcat is more resilient when launched as root, but the
>> > pki seems to work ok at issuing certs after the above and a reboot for
>> > good measure.
>>
>> This sounds like there are broken permissions in the current Ubuntu
>> packages. You should be aware that last time I checked, FreeIPA on
>> Ubuntu was subtly yet severely broken, mostly due to the NSS libs
>> missing PEM support, which will stop your CA from renewing, amongst
>> other things.
>>
>> Does anyone know what the state of packaging for deb distros is
>> currently? Now that the OpenSSL migration is complete(?), the barriers
>> to functional packages should be removed, but it looks like that only
>> happened in 4.5, and it appears only 4.4 is packaged, which is likely
>> still broken?
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org