Ian Pilcher via FreeIPA-users wrote:
> Should I be worried?
>
> During a recent Fedora update, the following message was displayed:
>
>   No CA with name "certmaster" found.
>
> Now I'm seeing the following in the journal:
>
>   Certificate "Local Signing Authority 2" no longer valid.
>   Certificate "Local Signing Authority 3" no longer valid.
>   Certificate "Local Signing Authority 4" no longer valid.
>
> Nothing seems to be broken now, but I know what a nightmare it can be to
> fix things if internal certificates expire.
>
> 'getcert list-cas -v' returns this:
>
> CA 'SelfSign':
>     self-identifies as: SelfSign (certmonger 0.79.21)
>     is-default: no
>     ca-type: INTERNAL:SELF
>     next-serial-number: 01
>     config-path: /var/lib/certmonger/cas/20230722162344
> CA 'IPA':
>     self-identifies as: IPA (certmonger 0.79.21)
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location: /usr/libexec/certmonger/ipa-server-guard
> /usr/libexec/certmonger/ipa-submit
>     config-path: /var/lib/certmonger/cas/20230722162344-1
> CA 'dogtag-ipa-renew-agent':
>     self-identifies as: Dogtag (IPA,renew,agent) (certmonger 0.79.21)
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location:
> /usr/libexec/certmonger/dogtag-ipa-renew-agent-submit
>     config-path: /var/lib/certmonger/cas/20230722162344-2
> CA 'local':
>     self-identifies as: Local Signing Authority (certmonger 0.79.21)
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location: /usr/libexec/certmonger/local-submit
>     config-path: /var/lib/certmonger/cas/20230722162344-3
> CA 'dogtag-ipa-ca-renew-agent':
>     self-identifies as: Dogtag (certmonger 0.79.17)
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location:
> /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
>     config-path: /var/lib/certmonger/cas/20230722162345
> CA 'dogtag-ipa-ca-renew-agent-reuse':
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location:
> /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit --reuse-existing
>     config-path: /var/lib/certmonger/cas/20250623162420
> CA 'dogtag-ipa-ca-renew-agent-selfsigned':
>     is-default: no
>     ca-type: EXTERNAL
>     helper-location:
> /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
> --force-self-signed
>     config-path: /var/lib/certmonger/cas/20250623162420-1
>
> I see that the 'local' CA self-identifies as "Local Signing Authority",
> but I don't see Local Signing Authority 2, 3, or 4 listed.
>

The "local" CA is a minimalist, weak RSA authority that can blindly sign requests. It is not used by IPA. It can be handy for quick single-box testing but I don't recommend it for production use.

The CA certificate is generated automatically by certmonger and is only valid for a year. It auto-renews so looks like yours has done so 3 times, plus the initial issuance.

So there should be nothing to worry about as long as you aren't using the local CA for anything, and it's doubtful you are.

regards

rob
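
The reply's condition, that nothing tracked by certmonger is issued by the local CA, can be checked from the `CA:` field of each request in `getcert list` output. The script below is an added example and not part of the original thread; the function names are hypothetical and the sample input is constructed.

```shell
#!/bin/sh
# Added example (not from the thread): report certmonger tracking requests
# issued by a given CA. Reads `getcert list` output on stdin and prints
# "<request id> <status> <expires>" for each match; no output means none.
# Function names are hypothetical.
requests_using_ca() {
    awk -v want="${1:-local}" '
        function emit() {
            if (id != "" && ca == want) print id, status, expires
            id = ca = status = expires = ""
        }
        # Record header looks like: Request ID <quote>NAME<quote>:
        /^Request ID / { emit(); id = substr($0, 13, length($0) - 14); next }
        { sub(/^[ \t]+/, "") }          # field lines are indented
        /^CA: /      { ca = substr($0, 5) }
        /^status: /  { status = substr($0, 9) }
        /^expires: / { expires = substr($0, 10) }
        END { emit() }
    '
}

# Constructed sample in the layout of `getcert list` (values are made up).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20230722162401':
    status: MONITORING
    stuck: no
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2027-07-22 16:24:01 UTC
Request ID '20240105101500':
    status: MONITORING
    stuck: no
    CA: local
    issuer: CN=Local Signing Authority
    subject: CN=test.example.test
    expires: 2026-01-05 10:15:00 UTC
EOF
}

# On a real host: getcert list | requests_using_ca local
sample_getcert_list | requests_using_ca local
```

An empty result on a real host means no tracked certificate depends on the local CA, so the expiry messages for its old CA certificates can be ignored.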
