Dear Mailing List,
we are running a freeipa installation using two ipa master servers. Neither the dns feature nor the CA feature are being used. VERSION: 4.6.8, API_VERSION: 2.237
Both ipa servers have ssl/tls certs associated with them that are signed by an external CA.
Since these certs expire after 12 months, I had to install new certificates multiple times, and I have been doing that using
ipa-server-certinstall -w -d ipa1.p12
This usually works, as in, the new cert shows up in the IPA web UI and the ipa tools (at least some of which work via the https interface) also continue to work.
However, I just noticed that the certificates being displayed for the ipa servers both in ipa service-find and in the IPA web UI are old certs that are long expired (in 2021).
So my question is
a) Why is this the case, isn't ipa-server-certinstall supposed to take care of it?
b) Why is it still working like that?
c) Why are the certs that are actually used for the web interface not visible anywhere, or where are they?
Do I maybe need to use the option -k (for kdc) too when doing ipa-server-certinstall? If so, can I fix it now by just re-running with that option? Are there risks in doing so?
My understanding of FreeIPA is spotty, I have to say, as there are multiple complex technologies put together (kerberos, ldap, ...).
Many thanks for any help,
Thomas
Hi,
On Thu, Jul 4, 2024 at 10:18 AM Thomas Boroske via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Dear Mailing List,
> we are running a freeipa installation using two ipa master servers. Neither the dns feature nor the CA feature are being used. VERSION: 4.6.8, API_VERSION: 2.237
> Both ipa servers have ssl/tls certs associated with them that are signed by an external CA.
> Since these certs expire after 12 months, I had to install new certificates multiple times, and I have been doing that using
> ipa-server-certinstall -w -d ipa1.p12
> This usually works, as in, the new cert shows up in the IPA web UI and the ipa tools (at least some of which work via the https interface) also continue to work.
> However, I just noticed that the certificates being displayed for the ipa servers both in ipa service-find and in the IPA web UI are old certs that are long expired (in 2021).
> So my question is
> a) Why is this the case, isn't ipa-server-certinstall supposed to take care of it?
This is a known issue, reported at #9417 (https://pagure.io/freeipa/issue/9417): ipa-server-certinstall does not update service entries in LDAP. Work started at https://github.com/freeipa/freeipa/pull/6920 but other tasks with higher priority came in and delayed the fix.

flo
> b) Why is it still working like that?
> c) Why are the certs that are actually used for the web interface not visible anywhere, or where are they?
> Do I maybe need to use the option -k (for kdc) too when doing ipa-server-certinstall? If so, can I fix it now by just re-running with that option? Are there risks in doing so?
> My understanding of FreeIPA is spotty, I have to say, as there are multiple complex technologies put together (kerberos, ldap, ...).
> Many thanks for any help,
> Thomas
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
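The mismatch described in this thread (a fresh certificate served on HTTPS while `ipa service-find` still shows the 2021 one) is easy to confirm by comparing fingerprints. The script below is an added example, written for this page and not taken from the thread or from the FreeIPA project: it fetches the leaf certificate presented on port 443, reads the `usercertificate` value from the `HTTP/<host>` service entry via `ipa service-show --raw`, and compares the two SHA-256 fingerprints. It assumes `openssl` and GNU `base64 -d` are available; the live path additionally assumes the `ipa` CLI, a valid Kerberos ticket, and that `--raw` output prints the attribute as a single `usercertificate: <base64 DER>` line (these are assumptions, as are the hostname and realm in the usage line).

```shell
#!/bin/sh
# Added example (not the thread's or FreeIPA's own code): compare the certificate
# an IPA server presents on HTTPS with the one recorded on its HTTP/<host>
# service entry in LDAP, which ipa-server-certinstall is reported not to update.
# Assumptions: openssl and GNU `base64 -d`; the live path also needs the `ipa`
# CLI, a Kerberos ticket, and `ipa service-show --raw` printing one
# `usercertificate: <base64 DER>` line per value.

# SHA-256 fingerprint of one certificate read from stdin, as lowercase hex
# without colons. $1 is the input format: PEM or DER.
cert_fingerprint() {
    openssl x509 -inform "$1" -noout -fingerprint -sha256 \
        | sed -e 's/^.*=//' -e 's/://g' | tr 'A-F' 'a-f'
}

# notAfter of a PEM certificate read from stdin, e.g. "Jul  4 09:00:00 2025 GMT".
pem_enddate() {
    openssl x509 -noout -enddate | sed 's/^notAfter=//'
}

# Fingerprint of a certificate supplied as base64-encoded DER on stdin, the form
# in which the usercertificate attribute appears in raw ipa/ldapsearch output.
b64der_fingerprint() {
    base64 -d | cert_fingerprint DER
}

# Leaf certificate presented on port 443 of host $1, as PEM.
served_cert() {
    openssl s_client -connect "$1:443" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509
}

# First usercertificate value (base64 DER) of the HTTP/$1@$2 service entry.
ldap_service_cert() {
    ipa service-show "HTTP/$1@$2" --all --raw \
        | sed -n 's/^ *usercertificate: //p' | head -n 1
}

# Prints a verdict; returns 0 only when both fingerprints are present and equal.
compare_fingerprints() {
    if [ -n "$1" ] && [ "$1" = "$2" ]; then
        echo "match: service entry holds the served certificate ($1)"
        return 0
    fi
    echo "MISMATCH: served=${1:-<none>} stored=${2:-<none>} (service entry is stale or empty)"
    return 1
}

# usage: sh check_ipa_cert.sh ipa1.example.com EXAMPLE.COM   (hypothetical names)
main() {
    served=$(served_cert "$1")
    echo "served certificate expires: $(printf '%s\n' "$served" | pem_enddate)"
    served_fp=$(printf '%s\n' "$served" | cert_fingerprint PEM)
    stored_fp=$(ldap_service_cert "$1" "$2" | b64der_fingerprint)
    compare_fingerprints "$served_fp" "$stored_fp"
}

if [ "$#" -ge 2 ]; then main "$@"; fi
```

A MISMATCH with a valid served certificate is exactly the state #9417 describes: the server is using the new key pair, only the LDAP copy is stale. For question (c), on 4.6 the served certificates live in NSS databases rather than in LDAP: the web server's under /etc/httpd/alias and the directory server's under /etc/dirsrv/slapd-REALM, both under the nickname Server-Cert, so `certutil -L -d /etc/httpd/alias -n Server-Cert` shows what `-w` installed.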