Dear Mailing List,

We are running a FreeIPA installation using two IPA master servers. Neither the 
DNS feature nor the CA feature is being used. 
VERSION: 4.6.8, API_VERSION: 2.237

Both IPA servers have SSL/TLS certs associated with them that are signed by an 
external CA. 

Since these certs expire after 12 months, I had to install new certificates 
multiple times, and I have been doing that using

    ipa-server-certinstall -w -d ipa1.p12 

This usually works, as in, the new cert shows up in the IPA web UI and the ipa 
tools (at least some of which work via the HTTPS interface) also continue to 
work.

However, I just noticed that the certificates being displayed for the IPA 
servers both in ipa service-find and in the IPA web UI are old certs that are 
long expired (in 2021). 

So my questions are:

a) Why is this the case? Isn't ipa-server-certinstall supposed to take care of 
it?
b) Why is it still working like that?
c) Why are the certs that are actually used for the web interface not visible 
anywhere, or where are they?

Do I maybe need to use the option -k (for the KDC) too when doing 
ipa-server-certinstall? 
If so, can I fix it now by just re-running with that option?
Are there risks in doing so?

My understanding of FreeIPA is spotty, I have to say, as there are multiple 
complex technologies put together (Kerberos, LDAP, ...).

Many thanks for any help, 

Thomas
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
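One way to check for the situation described in the post, as an added example that is not part of the original mail or of the FreeIPA project: compare the SHA-256 fingerprint of the certificate the web server actually serves with the certificate recorded on the HTTP/<host> service entry (the one ipa service-find and the web UI display). The hostname ipa1.example.com is an assumption, and the two input certificates are throwaway self-signed ones generated inside the script (constructed input) so that it runs offline.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): check whether the certificate a
# FreeIPA web server actually serves matches the certificate recorded on its
# HTTP/<host> service entry, which is what `ipa service-find` and the web UI show.
# In real use the two inputs would be obtained with (hostname is an assumption):
#   openssl s_client -connect ipa1.example.com:443 </dev/null 2>/dev/null \
#       | openssl x509 > served.pem
#   ipa service-show HTTP/ipa1.example.com --out=recorded.pem
# Here both are throwaway self-signed certificates generated below (constructed
# input) so the script runs offline and does not touch any IPA server.
set -eu

# SHA-256 fingerprint of a PEM certificate, colon-separated hex only.
fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# notAfter date of a PEM certificate as printed by openssl.
not_after() { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }

# Prints 1 if the certificate is already expired, 0 otherwise
# (-checkend 0 succeeds only while the certificate is still valid).
expired() { if openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then echo 0; else echo 1; fi; }

# Compare served vs recorded certificate: prints a verdict, returns 0 on match, 1 on mismatch.
compare_certs() {
  served="$1"; recorded="$2"
  fs=$(fingerprint "$served"); fr=$(fingerprint "$recorded")
  if [ "$fs" = "$fr" ]; then
    echo "OK: served certificate matches the recorded one (expires $(not_after "$served"))"
    return 0
  fi
  echo "STALE: served   $fs (expires $(not_after "$served"))"
  echo "       recorded $fr (expires $(not_after "$recorded"), expired=$(expired "$recorded"))"
  return 1
}

# Generate a throwaway self-signed certificate: $1 = output PEM, $2 = validity in days.
make_cert() {
  openssl req -x509 -newkey rsa:2048 -nodes -subj "/CN=ipa1.example.com" \
    -days "$2" -keyout "$1.key" -out "$1" 2>/dev/null
}

# Demo with constructed input: the served cert and the recorded cert differ,
# which is the symptom the post describes.
tmp=$(mktemp -d)
make_cert "$tmp/served.pem" 365
make_cert "$tmp/recorded.pem" 365
compare_certs "$tmp/served.pem" "$tmp/recorded.pem" || echo "(mismatch expected for this constructed sample)"
```

A STALE verdict with an expired recorded certificate means the service entry was never updated, while the HTTPS endpoint itself may still be serving a valid certificate.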