Went to renew an externally-signed IPA CA certificate that was valid
through today, and discovered that FreeIPA had decided to renew it with a
self-signed cert a month ago, and had since reissued all other subsystem
certs against that self-signed CA. After running through the
ipa-cacert-manage renew dance and ipa-certupdate, the system store now
contains the following certs, in this order:
- old, now-expired IPA CA cert
- old, soon-to-be-expired external CA root cert
- self-signed IPA cert
- new IPA CA cert
- new external CA root cert
There's also a chicken-and-egg problem with trying to renew anything, in
that all new requests are signed with the self-signed IPA CA instead of
the new intermediate IPA CA.
How do I unravel this, and completely purge the self-signed cert from
existence? Why did FreeIPA try to renew the intermediate CA cert on its
own, and why did it succeed?
(This is FreeIPA 4.7.2 on Fedora 29, which I'm stuck with until the CA
chains are sorted out -- upgrading is still a manual replica replacement
process, since ipa-server-upgrade and friends *still* insist on verifying
a CA lifetime of >2 years, inexplicable behavior reported years ago...)
-Rob