Should I be worried?
During a recent Fedora update, the following message was displayed:
No CA with name "certmaster" found.
Now I'm seeing the following in the journal:
Certificate "Local Signing Authority 2" no longer valid.
Certificate "Local Signing Authority 3" no longer valid.
Certificate "Local Signing Authority 4" no longer valid.
Nothing seems to be broken now, but I know what a nightmare it can be to
fix things if internal certificates expire.
'getcert list-cas -v' returns this:
CA 'SelfSign':
    self-identifies as: SelfSign (certmonger 0.79.21)
    is-default: no
    ca-type: INTERNAL:SELF
    next-serial-number: 01
    config-path: /var/lib/certmonger/cas/20230722162344
CA 'IPA':
    self-identifies as: IPA (certmonger 0.79.21)
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/ipa-server-guard /usr/libexec/certmonger/ipa-submit
    config-path: /var/lib/certmonger/cas/20230722162344-1
CA 'dogtag-ipa-renew-agent':
    self-identifies as: Dogtag (IPA,renew,agent) (certmonger 0.79.21)
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
    config-path: /var/lib/certmonger/cas/20230722162344-2
CA 'local':
    self-identifies as: Local Signing Authority (certmonger 0.79.21)
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/local-submit
    config-path: /var/lib/certmonger/cas/20230722162344-3
CA 'dogtag-ipa-ca-renew-agent':
    self-identifies as: Dogtag (certmonger 0.79.17)
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
    config-path: /var/lib/certmonger/cas/20230722162345
CA 'dogtag-ipa-ca-renew-agent-reuse':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
    config-path: /var/lib/certmonger/cas/20250623162420
CA 'dogtag-ipa-ca-renew-agent-selfsigned':
    is-default: no
    ca-type: EXTERNAL
    helper-location: /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --force-self-signed
    config-path: /var/lib/certmonger/cas/20250623162420-1
I see that the 'local' CA self-identifies as "Local Signing Authority",
but I don't see Local Signing Authority 2, 3, or 4 listed.
--
========================================================================
If your user interface is intuitive in retrospect ... it isn't intuitive
========================================================================