Hi Flo, On 12/12/17 3:59 PM, Harald Dunkel via FreeIPA-users wrote:
My concern is, it looks much more restricted than the old root CA cerificate: # certutil -L -d /var/lib/pki/pki-tomcat/ca/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u caSigningCert cert-pki-ca CTu,Cu,Cu auditSigningCert cert-pki-ca u,u,Pu ocspSigningCert cert-pki-ca u,u,u CN=example Root CA,OU=example Certificate Authority,O=example AG,C=DE CT,C,C CN=root-CA,OU=example Certificate Authority,O=example AG,C=DE C,, Shouldn't it be "CT,C,C" as well?
: :
ipa-cert-update said # ipa-certupdate trying https://ipa1.example.de/ipa/json [try 1]: Forwarding 'schema' to json server 'https://ipa1.example.de/ipa/json' trying https://ipa1.example.de/ipa/json [try 1]: Forwarding 'ca_is_enabled' to json server 'https://ipa1.example.de/ipa/json' [try 1]: Forwarding 'ca_find/1' to json server 'https://ipa1.example.de/ipa/json' Systemwide CA database updated. Systemwide CA database updated. The ipa-certupdate command was successful dmesg shows that there was a core dump: [108604.869633] ns-slapd[23051]: segfault at 10 ip 00007fb60841dc30 sp 00007fb60af56c88 error 4 in libpthread-2.17.so[7fb608414000+17000] Problem: The certificate in /etc/ipa/ca.crt and /usr/share/ipa/html/\ ca.crt is still old. The files have been touched, but not replaced by the new certificate.
AFAICT this is not as documented. Would you suggest to file a bug report? Regards Harri _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
