On Wed, 11 Mar 2020, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Wed, 11 Mar 2020, Fraser Tweedale via FreeIPA-users wrote:
>>>> Makes me look at this a different way. Perhaps change the certstore to
>>>> only return valid CA certs. That way they are stored if anyone ever
>>>> wants them but they won't get pulled down for ipa-certupdate or
>>>> ipa-client-install.
>>>>
>>>> Or to try the ipa-cacert-manage route, it was mostly the UI part for why
>>>> I didn't do it. I wasn't sure if the best way would be to interactively
>>>> show each cert and do a delete Y/N or what. Perhaps a delete with
>>>> --expired-only to do the cleanup. I'm open to suggestions.
>>>>
>>>> rob
>>>>
>>>
>>> I think it's fine to change ipa-certupdate so it skips expired /
>>> not-yet-valid certs.
>>>
>>> IMO we should never automatically prune expired certs from the LDAP
>>> trust store, so that if customer needs to do time travel to fix an
>>> issue, the old CA certs will still be there and an ipa-certupdate
>>> will "restore" them to the various certificate DBs.
>>>
>>> And for the same reason, I'd be hesitant to offer a UI to prune
>>> expired certs from the trust store.
>>
>> I agree. So, we still need a ticket for ipa-certupdate to gain an
>> explicit option to ignore expired certs.
>>
>
> IMHO it should be the default for certstore.get_ca_certs(). I opened
> https://pagure.io/freeipa/issue/8223
>
> I don't know of a case where we would want to fetch non-valid CA
> certificates, please update the ticket if you know of any.
Valid from which point of view? A system we run on? E.g. based on the
local time setup?

Correct, local time.
Francois updated the issue to indicate that the expired CA first causes
issues. I wonder if we should test sorting by expiration date instead.
rob
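As an added illustration of the behaviour proposed above for certstore.get_ca_certs() (skip expired and not-yet-valid CA certs relative to the local clock, optionally ordered by expiry), and not code from FreeIPA or from anyone on this thread: the CACert records, nicknames and dates below are constructed, and the real function reads the CA certs from LDAP rather than from a list.

```python
"""Constructed model of a CA trust-store lookup that, by default, returns
only CA certs valid at the local time. Not FreeIPA's implementation."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class CACert:
    nickname: str          # hypothetical NSS-style nickname
    not_before: datetime
    not_after: datetime


def is_valid_at(cert: CACert, now: datetime) -> bool:
    """X.509 validity is a closed interval: notBefore <= now <= notAfter."""
    return cert.not_before <= now <= cert.not_after


def get_ca_certs(store, now=None, valid_only=True):
    """Return CA certs from the store. By default, expired and not-yet-valid
    certs are skipped, judged against the local clock (or an explicit `now`).
    Results are sorted by notAfter so the soonest-expiring cert comes first."""
    now = now or datetime.now(timezone.utc)
    certs = [c for c in store if not valid_only or is_valid_at(c, now)]
    return sorted(certs, key=lambda c: c.not_after)


def ca_names(store, now, valid_only=True):
    return [c.nickname for c in get_ca_certs(store, now, valid_only)]


def days_from(now, days):
    return now + timedelta(days=days)


# Constructed trust store: an expired old root (never pruned from LDAP),
# the current root, and a renewed root that is not yet valid.
NOW = datetime(2020, 3, 11, tzinfo=timezone.utc)
STORE = [
    CACert("ipa-ca-old", days_from(NOW, -3650), days_from(NOW, -30)),
    CACert("ipa-ca", days_from(NOW, -400), days_from(NOW, 3250)),
    CACert("ipa-ca-renewed", days_from(NOW, 10), days_from(NOW, 3660)),
]

if __name__ == "__main__":
    print(ca_names(STORE, NOW))                  # only the current root
    # "Time travel": with the clock set 60 days back the old root is valid
    # again, so an ipa-certupdate would restore it into the local cert DBs.
    print(ca_names(STORE, days_from(NOW, -60)))
    print(ca_names(STORE, NOW, valid_only=False))  # everything, by expiry
```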