On Thu, May 25, 2017 at 01:34:16AM -0400, Rob Foehl via FreeIPA-users wrote:
> I've got a test instance of FreeIPA 4.4.4 running on F25 that was
> with --external-ca, and the resulting CSR signed with a validity period of
> 30 days to test behavior around expirations.
> Upon booting that instance today, certmonger decided to preemptively renew
> every IPA cert -- which is a good thing -- but did so without waiting for
> renewal of the IPA CA cert first, which is less good. Now that instance has
> a pile of certs that expire in two weeks, since they were signed with and
> thus tied to the expiration of the old IPA CA cert.
This is not correct. The CA cert must be valid for the leaf cert to
be valid, but the CA cert *can* be renewed without requiring leaf
certificates to be reissued. So long as the following conditions
are met, everything will be fine:
1. The CA's key (and Subject Key Identifier) do not change
2. The CA's Subject DN does not change
3. The new CA certificate gets distributed to clients.
> While I'm guessing certmonger will figure this out and do the right thing
> within a couple weeks -- and with the expectation that this would only
> happen once per IPA CA renewal with a "real" deployment -- is this the
> intended behavior?
> Logs are a bit of a mess between this and a potentially-resolved SELinux
> issue with certmonger, but I'll wedge them all into a proper bug report if
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
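The three conditions in the reply above can be checked with plain openssl. The following is an added example, not code from the thread or from FreeIPA/certmonger: it builds a throwaway PKI in a temp directory (a 30-day CA cert, a leaf issued under it, then three "renewals" of the CA cert), and shows that the leaf keeps verifying only for the renewal that keeps the same key and Subject DN. The CA is self-signed here rather than signed by an external CA, and the names (`Test IPA CA`, `ipa.example.test`, the `v3_ca`/`v3_leaf` extension sections) are assumptions for the demo.

```shell
#!/bin/sh
# Added example, not part of the FreeIPA thread: a throwaway PKI built with
# openssl to show that a leaf cert keeps verifying after its CA cert is
# renewed, as long as the CA key (hence its SKI) and Subject DN stay the same.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed extension config (section names v3_ca / v3_leaf are assumed).
cat > ext.cnf <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_leaf]
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature,keyEncipherment
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
EOF

# issue_ca KEY SUBJECT DAYS OUT: self-signed CA cert. The thread's CA was
# signed by an external CA; self-signing keeps the demo offline.
issue_ca() {
  openssl req -x509 -new -key "$1" -subj "$2" -days "$3" \
    -config ext.cnf -extensions v3_ca -out "$4" 2>/dev/null
}

# Original CA: a 30-day cert, mirroring the test deployment above.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca.key 2>/dev/null
issue_ca ca.key "/CN=Test IPA CA" 30 ca.pem

# Leaf cert issued while the old CA cert was in force (14 days, like the
# "pile of certs that expire in two weeks").
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out leaf.key 2>/dev/null
openssl req -new -key leaf.key -subj "/CN=ipa.example.test" -config ext.cnf \
  -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA ca.pem -CAkey ca.key -CAcreateserial -days 14 \
  -extfile ext.cnf -extensions v3_leaf -out leaf.pem 2>/dev/null

# Renewal 1: same key, same Subject DN, new validity (conditions 1 and 2 hold).
issue_ca ca.key "/CN=Test IPA CA" 3650 ca-renewed.pem

# Renewal 2 (breaks condition 1): new key, same Subject DN.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out ca2.key 2>/dev/null
issue_ca ca2.key "/CN=Test IPA CA" 3650 ca-rekeyed.pem

# Renewal 3 (breaks condition 2): same key, different Subject DN.
issue_ca ca.key "/CN=Test IPA CA v2" 3650 ca-renamed.pem

# ski CERT: Subject Key Identifier as colon-separated hex.
ski() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Subject Key Identifier' \
    | tail -n1 | tr -d ' ' | sed 's/^keyid://'
}

# aki CERT: Authority Key Identifier (the SKI the leaf says its issuer has).
# The sed strips the "keyid:" prefix that OpenSSL 1.1.x prints and 3.x omits.
aki() {
  openssl x509 -in "$1" -noout -text | grep -A1 'Authority Key Identifier' \
    | tail -n1 | tr -d ' ' | sed 's/^keyid://'
}

# verifies_against CA LEAF: exit 0 when LEAF chains to CA.
verifies_against() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# What a client sees after each renewal. Condition 3 is implicit: the client
# can only run this check at all if it has received the renewed CA cert.
for ca in ca-renewed.pem ca-rekeyed.pem ca-renamed.pem; do
  if verifies_against "$ca" leaf.pem; then echo "$ca: leaf OK"; else echo "$ca: leaf FAILS"; fi
done
echo "leaf AKI    : $(aki leaf.pem)"
echo "renewed SKI : $(ski ca-renewed.pem)"
echo "rekeyed SKI : $(ski ca-rekeyed.pem)"
```

Only `ca-renewed.pem` reports `leaf OK`: the leaf's AKI still equals that CA cert's SKI and the signature still checks, so nothing on the leaf side needs reissuing. The rekeyed and renamed variants fail issuer lookup, which is the situation you would actually have to reissue leaves for.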