Ok, thanks for the clarification. Hopefully can still mitigate by changing
platform or waiting for a better supported Ubuntu release!

On 1 Dec 2017 18:40, "Rob Crittenden" <rcrit...@redhat.com> wrote:
> David Harvey via FreeIPA-users wrote:
> > Well that sounds fun :)
> > I'm hesitant to crosspost to pkg-freeipa-de...@lists.alioth.debian.org
> > to ask after the likelihood of seeing 4.5 in 18.04/Bionic but hope
> > someone here might be able to comment?
> >
> > WRT the exploding CA situation. I guess I'll need to get to a more sane
> > build, or switch over to a better supported rpm based distro if that's
> > not on the cards.. I should be safe in the short term given the
> > standard lifetime of an IPA cert I hope!?
> >
> > I'll continue to try and dig into why pki-tomcat dies on one but not
> > all VMs (ca enabled on 2 of them)
>
> The risk you have isn't with the CA itself expiring but with the support
> certificates (OCSP, audit, subsystem, etc). Those have a 2-year validity
> period.
>
> rob
>
> > On 1 December 2017 at 13:53, Peter Fern via FreeIPA-users
> > <freeipa-users@lists.fedorahosted.org> wrote:
> > > Without installing a system to check, it appears to me that nss-pem
> > > is still not packaged for Debian/Ubuntu, which means that certmonger
> > > will break on you when it comes time to auto-renew your CAs.
> > >
> > > I found this out the hard way early this year while running FreeIPA
> > > with CA on Ubuntu, and recovery is very painful once your CA certs
> > > have expired (actually impossible without compiling nss-pem, which
> > > requires some source hacking and compiling of libnss to obtain
> > > static libs).
> > >
> > > Since nss-pem is unlikely to be packaged on Debian/-derivs, it looks
> > > to me like until FreeIPA 4.5+ is packaged (where the conversion to
> > > OpenSSL has been completed), it is still not safe to run a CA on
> > > Ubuntu.
> > >
> > > On 01/12/17 23:27, David Harvey via FreeIPA-users wrote:
> > > > hi Peter,
> > > >
> > > > Not a full answer to your questions but from my experience:
> > > >
> > > > Xenial: Worked, except OTP functionality
> > > > Zesty: Worked except for DNS
> > > > Artful: Seems fully functional and stable on the fresh installed
> > > > replica; my upgraded-from-Zesty rig (with the workarounds noted
> > > > earlier in thread) still has pki-tomcat bombing fairly frequently.
> > > > Bionic: I have high hopes for given LTS.. Currently showing same
> > > > package versions (4.4.4) as Artful:
> > > > <https://packages.ubuntu.com/search?keywords=freeipa&searchon=names&suite=bionic&section=all>
> > > >
> > > > Most of them required some cajoling during install or upgrade due
> > > > to broken installer components (like directories not being created
> > > > in one case, /etc/pki/pki.version confusing postinstall in
> > > > another), but most of these behaviours were captured as bugs too.
> > > > It feels very close to being something that can be reliably
> > > > deployed, so I don't think it needs a huge amount more TLC to make
> > > > it more of a pleasure to install ;)
> > > >
> > > > Cheers,
> > > >
> > > > David
> > > >
> > > > On 28 November 2017 at 20:58, Peter Fern via FreeIPA-users
> > > > <freeipa-users@lists.fedorahosted.org> wrote:
> > > > > On 23/11/17 05:34, David Harvey via FreeIPA-users wrote:
> > > > > > Not sure why tomcat is more resilient when launched as root,
> > > > > > but the pki seems to work ok at issuing certs after the above
> > > > > > and a reboot for good measure.
> > > > >
> > > > > This sounds like there are broken permissions in the current
> > > > > Ubuntu packages. You should be aware that last time I checked,
> > > > > FreeIPA on Ubuntu was subtly yet severely broken, mostly due to
> > > > > the NSS libs missing PEM support, which will stop your CA from
> > > > > renewing, amongst other things.
> > > > >
> > > > > Does anyone know what the state of packaging for deb distros is
> > > > > currently? Now that the OpenSSL migration is complete(?), the
> > > > > barriers to functional packages should be removed, but it looks
> > > > > like that only happened in 4.5, and it appears only 4.4 is
> > > > > packaged, which is likely still broken?
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
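Rob's point that the exposure is the two-year pki-tomcat support certificates (OCSP, audit, subsystem) rather than the CA itself, combined with Peter's warning that certmonger renewal breaks on Ubuntu without nss-pem, means the practical defence is to watch certmonger's tracking state and notice a stuck or near-expiry request while there is still time to act. The script below is an added example, not code from this thread or from FreeIPA or certmonger: it parses the plain-text output of `getcert list` and flags requests that are stuck, not auto-renewing, or expiring within a threshold. The sample output is constructed for this example (made-up request IDs, dates and realm; the nicknames are the standard pki-tomcat support-cert nicknames), and the 90-day threshold and the `REFERENCE_NOW` timestamp are assumptions chosen to match the thread's date.

```python
"""Flag certmonger-tracked FreeIPA certificates that are stuck or near expiry.

Added example: parses `getcert list` (certmonger) plain-text output. For a live
check replace SAMPLE_GETCERT_OUTPUT with
subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
"""
import re
from datetime import datetime, timezone

# Constructed sample modelled on `getcert list` output from a FreeIPA CA replica.
# Request IDs, dates and the EXAMPLE.TEST realm are made up for this example.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20171201100000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2017-12-20 09:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20171201100001':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2018-03-15 09:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20171201100002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2019-11-01 09:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Assumed reference time for the demo (the date of this thread); use
# datetime.now(timezone.utc) in production.
REFERENCE_NOW = datetime(2017, 12, 1, 12, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def _parse_expiry(value):
    """certmonger prints expiry as e.g. '2017-12-20 09:00:00 UTC'."""
    if value is None:
        return None
    stamp = value.rsplit(" ", 1)[0]  # drop the trailing zone name
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracked request with the fields the check needs."""
    raw, fields = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            fields = {"id": m.group(1)}
            raw.append(fields)
            continue
        if fields is None or ": " not in line:
            continue  # header line, or a line that is not a key/value field
        key, value = line.strip().split(": ", 1)
        fields[key] = value
    requests = []
    for f in raw:
        nick = NICKNAME_RE.search(f.get("certificate", ""))
        requests.append({
            "id": f["id"],
            "status": f.get("status", "UNKNOWN"),
            "stuck": f.get("stuck") == "yes",
            "auto_renew": f.get("auto-renew") == "yes",
            "nickname": nick.group(1) if nick else f.get("subject", "?"),
            "expires": _parse_expiry(f.get("expires")),
        })
    return requests


def check_tracking(text, now, warn_days=90):
    """Return a finding for every request that needs an operator's attention."""
    findings = []
    for req in parse_getcert_list(text):
        reasons, days_left = [], None
        if req["stuck"]:  # certmonger gave up on a renewal attempt
            reasons.append(f"stuck in state {req['status']}")
        if not req["auto_renew"]:
            reasons.append("auto-renew disabled")
        if req["expires"] is not None:
            days_left = (req["expires"] - now).days
            if days_left < 0:
                reasons.append("already expired")
            elif days_left <= warn_days:
                reasons.append(f"expires in {days_left} days")
        if reasons:
            findings.append({"id": req["id"], "nickname": req["nickname"],
                             "days_left": days_left, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in check_tracking(SAMPLE_GETCERT_OUTPUT, REFERENCE_NOW):
        print(f"{f['id']}  {f['nickname']}: {'; '.join(f['reasons'])}")
```

Run from cron on each CA replica and page on any finding: a `stuck: yes` request is exactly the symptom Peter describes (certmonger could not complete the renewal), and catching it while the support certificate is still valid avoids the painful recovery he warns about.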