I've got a test instance of FreeIPA 4.4.4 running on F25 that was
installed with --external-ca, and the resulting CSR signed with a validity
period of 30 days to test behavior around expirations.
Upon booting that instance today, certmonger decided to preemptively renew
every IPA cert -- which is a good thing -- but did so without waiting for
renewal of the IPA CA cert first, which is less good. Now that instance
has a pile of certs that expire in two weeks, since they were signed with
and thus tied to the expiration of the old IPA CA cert.
While I'm guessing certmonger will figure this out and do the right thing
within a couple weeks -- and with the expectation that this would only
happen once per IPA CA renewal with a "real" deployment -- is this the
intended behavior?
Logs are a bit of a mess between this and a potentially-resolved SELinux
issue with certmonger, but I'll wedge them all into a proper bug report if
desired.
-Rob