Natxo Asenjo wrote:
hi,
after our upgrade from centos 6.8 to 7.2, when I renew a certificate
using ipa-getcert resubmit -i xxxxxx the certificate is properly
renewed, but the info on ipa host-show still shows the old certificate
info. Is this normal?
$ sudo getcert list | grep expires
expires: 2018-09-27 19:46:03 UTC
so that certificate has successfully been renewed, but this is the
host's info:
$ ipa host-show hostname | grep -i after
Not After: Wed Jun 07 14:30:47 2017 UTC
and I see there as well more than one certificate for that host:
$ ipa cert-find --subject=hostname
----------------------
5 certificates matched
----------------------
Serial number (hex): 0xFF90008
Serial number: 267976712
Status: VALID
Subject: CN=hostname.unix.iriszorg.nl
<http://hostname.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
<http://UNIX.IRISZORG.NL>
Serial number (hex): 0xFF90009
Serial number: 267976713
Status: VALID
Subject: CN=hostname.unix.iriszorg.nl
<http://hostname.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
<http://UNIX.IRISZORG.NL>
Serial number (hex): 0xFF9000A
Serial number: 267976714
Status: VALID
Subject: CN=hostname.unix.iriszorg.nl
<http://hostname.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
<http://UNIX.IRISZORG.NL>
Serial number (hex): 0xFFF001D
Serial number: 268369949
Status: REVOKED_EXPIRED
Subject: CN=hostname.unix.iriszorg.nl
<http://hostname.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
<http://UNIX.IRISZORG.NL>
Serial number (hex): 0xFFF0093
Serial number: 268370067
Status: REVOKED
Subject: CN=hostname.unix.iriszorg.nl
<http://hostname.unix.iriszorg.nl>,O=UNIX.IRISZORG.NL
<http://UNIX.IRISZORG.NL>
----------------------------
Number of entries returned 5
----------------------------
And three of them are still valid. As a comparison, another hosts which
was installed about the same time also has 5 certificates, but 4 are
revoked and the expires info of getcert list and of the valid
certificate are the same.
So how do I correct this?
It's hard to say, it may in fact not be a problem.
It is really a matter of what service the certificate(s) are related to.
I'd look at the serial numbers and then correlate those to the issued
certificates.
I'd also do a service-find on the hostname to see if any services have
certificates issued and with what serial numbers.
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project