On Wed, Mar 11, 2020 at 9:12 AM Fraser Tweedale via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
>
> On Wed, Mar 11, 2020 at 09:26:54AM +0200, Alexander Bokovoy wrote:
> > On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote:
> > > > Makes me look at this a different way. Perhaps change the certstore to
> > > > only return valid CA certs. That way they are stored if anyone ever
> > > > wants them but they won't get pulled down for ipa-certupdate or
> > > > ipa-client-install.
> > > >
> > > > Or to try the ipa-cacert-manage route, it was mostly the UI part for why
> > > > I didn't do it. I wasn't sure if the best way would be to interactively
> > > > show each cert and do a delete Y/N or what. Perhaps a delete with
> > > > --expired-only to do the cleanup. I'm open to suggestions.
> > > >
> > > > rob
> > > >
> > >
> > > I think it's fine to change ipa-certupdate so it skips expired /
> > > not-yet-valid certs.
> > >
> > > IMO we should never automatically prune expired certs from the LDAP
> > > trust store, so that if customer needs to do time travel to fix an
> > > issue, the old CA certs will still be there and an ipa-certupdate
> > > will "restore" them to the various certificate DBs.
> > >
> > > And for the same reason, I'd be hesitant to offer a UI to prune
> > > expired certs from the trust store.
> >
> > I agree. So, we still need a ticket for ipa-certupdate to gain an
> > explicit option to ignore expired certs.
> >
> I think we can ignore (i.e. not install) expired certs by default.
> And maybe have option to install all certs even if expired.

Yes. While the current behavior does not lead to any malfunctioning
service, various useful tools cease to function when the first cert in
ca.crt is expired.

> What would customers expect?  It is not the first time a customer
> was surprised to see expired certs there and asked about it.

My guess: not having the tools above fail in the first place.

Cheers
François

> Cheers,
> Fraser
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
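The failure mode discussed in this thread is a ca.crt bundle whose first entry is an expired (or not-yet-valid) CA certificate. The script below, added here as an illustration and not code from FreeIPA or from anyone in the thread, walks a PEM bundle, pulls the Validity field out of each certificate with a small stdlib-only DER reader, and reports which entries a tool would choke on, optionally rewriting the bundle with only the currently valid certificates. The bundle it runs on is constructed inside the script from unsigned certificate shells whose only realistic fields are the ones the reader visits; the names, the fixed "now" of 2020-03-11 and the validity dates are all assumptions made for the example.

```python
"""Report and strip expired / not-yet-valid CA certificates from a PEM bundle.

Stdlib only: a minimal DER walker extracts the Validity field of each
certificate, so this runs where the `cryptography` package is not installed.
Added example; not FreeIPA code.
"""
import base64
import re
from datetime import datetime, timezone

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; return (tag, value_start, value_end)."""
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                      # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, pos, pos + length


def _parse_time(tag, raw):
    """Decode an X.509 Time (UTCTime 0x17 or GeneralizedTime 0x18) to aware UTC."""
    text = raw.decode("ascii")
    if tag == 0x17:                       # YYMMDDHHMMSSZ, RFC 5280 pivot at 50
        yy = int(text[:2])
        text = f"{1900 + yy if yy >= 50 else 2000 + yy}{text[2:]}"
    elif tag != 0x18:                     # GeneralizedTime: YYYYMMDDHHMMSSZ
        raise ValueError(f"unexpected Time tag 0x{tag:02x}")
    return datetime.strptime(text, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)


def cert_validity(der):
    """Return (notBefore, notAfter) of a DER certificate by walking TBSCertificate."""
    tag, tbs_pos, _ = _read_tlv(der, 0)            # Certificate SEQUENCE
    tag2, pos, _ = _read_tlv(der, tbs_pos)          # tbsCertificate SEQUENCE
    if tag != 0x30 or tag2 != 0x30:
        raise ValueError("not a DER Certificate")
    tag, _, end = _read_tlv(der, pos)
    if tag == 0xA0:                                 # optional [0] EXPLICIT version
        pos = end
    for expected in (0x02, 0x30, 0x30):             # serialNumber, signature, issuer
        tag, _, pos = _read_tlv(der, pos)
        if tag != expected:
            raise ValueError("unexpected TBSCertificate layout")
    tag, pos, _ = _read_tlv(der, pos)               # validity SEQUENCE { Time, Time }
    tag, s, e = _read_tlv(der, pos)
    not_before = _parse_time(tag, der[s:e])
    tag, s, e = _read_tlv(der, e)
    not_after = _parse_time(tag, der[s:e])
    return not_before, not_after


def partition_bundle(pem_text, now):
    """Split a PEM bundle into (usable, unusable) lists of (pem_block, notBefore, notAfter).

    A certificate is unusable when `now` lies outside [notBefore, notAfter].
    """
    usable, unusable = [], []
    for m in PEM_RE.finditer(pem_text):
        der = base64.b64decode(re.sub(r"\s+", "", m.group(1)))
        nb, na = cert_validity(der)
        (usable if nb <= now <= na else unusable).append((m.group(0), nb, na))
    return usable, unusable


def prune_bundle(pem_text, now):
    """Return the bundle with only currently valid certs, original order kept."""
    usable, _ = partition_bundle(pem_text, now)
    return "".join(block + "\n" for block, _, _ in usable)


# ---- constructed test input: unsigned shells, not real FreeIPA CA certs ----
def _tlv(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _time(dt):
    if dt.year < 2050:
        return _tlv(0x17, dt.strftime("%y%m%d%H%M%SZ").encode())
    return _tlv(0x18, dt.strftime("%Y%m%d%H%M%SZ").encode())


def fake_cert_pem(not_before, not_after):
    """Build a structurally valid but unsigned X.509 v3 shell with the given Validity."""
    alg = _tlv(0x30, _tlv(0x06, bytes.fromhex("2a864886f70d01010b")) + _tlv(0x05, b""))
    empty_name = _tlv(0x30, b"")
    tbs = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, b"\x01") + alg
               + empty_name + _tlv(0x30, _time(not_before) + _time(not_after))
               + empty_name + _tlv(0x30, b""))
    der = _tlv(0x30, tbs + alg + _tlv(0x03, b"\x00"))   # placeholder signature
    b64 = base64.b64encode(der).decode()
    lines = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{lines}\n-----END CERTIFICATE-----\n"


UTC = timezone.utc
NOW = datetime(2020, 3, 11, 12, 0, 0, tzinfo=UTC)            # assumed "today"
SAMPLE_BUNDLE = (
    fake_cert_pem(datetime(2010, 1, 1, tzinfo=UTC), datetime(2018, 1, 1, tzinfo=UTC))   # expired, first in file
    + fake_cert_pem(datetime(2019, 1, 1, tzinfo=UTC), datetime(2039, 1, 1, tzinfo=UTC))  # current
    + fake_cert_pem(datetime(2040, 1, 1, tzinfo=UTC), datetime(2060, 1, 1, tzinfo=UTC))  # not yet valid
)

if __name__ == "__main__":
    usable, unusable = partition_bundle(SAMPLE_BUNDLE, NOW)
    for _, nb, na in unusable:
        print(f"skipping cert valid {nb:%Y-%m-%d} .. {na:%Y-%m-%d}")
    print(prune_bundle(SAMPLE_BUNDLE, NOW), end="")
```

Run against a real bundle by replacing SAMPLE_BUNDLE with the contents of /etc/ipa/ca.crt and NOW with datetime.now(timezone.utc). The script only rewrites the local file view; per the thread's consensus it deliberately does not touch the LDAP trust store, so the expired CA certificates remain available if a time-travel recovery ever needs them.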