Bob Strachan via FreeIPA-users wrote:
Rob and Jochen,
Thank you both for your speedy reply.
My IDM system seems to be working fine. I can issue certs. My concern is with the two
CS.cfg files, as I have no idea what they are for. I don't know if the csr blobs in
CS.cfg are necessary or if they need to be in sync with the cert blobs I manually updated.
A CSR is a Certificate Signing Request. You don't want or need to touch
these.
After reading Jochen's notes, and my experience, I am guessing that the renewal
master updates the .../kra/conf/CS.cfg but not the kra CS.cfg files on the other replicas.
I am also guessing that my renewal server was a fresh install and it hit the bug:
https://bugzilla.redhat.com/show_bug.cgi?id=1871188
Each subsystem (kra, ca) has only one CS.cfg. This is the subsystem
configuration file which defines how it works.
So I am still wondering, what are the CS.cfg files for????
I would guess that they might be called when using ipa-cert-fix, but I am not skilled
enough to unpack what ipa-cert-fix does. If the CS.cfg files are fully deprecated on a
RHEL 8.6 replicated IDM system, then I would like to know, so I can relax.
CS.cfg is a configuration file for each subsystem. It is definitely not
deprecated.
Whether certain values within the file are important is another matter.
It is unclear how important the cert blobs are but we try to keep them
up to date for neatness. Except for KRA which I totally missed doing. It
does not appear to result in any problems though, beyond healthcheck
mentioning it.
Healthcheck is not an end-all-be-all grade of IPA health. It is a set of
common things that cause problems that we can easily check on and
report. There may be things missing and there may be false positives.
The point is to keep admins watching for issues before they become major
problems.
As for advancing the certmonger configuration, it appears that my certs should get
renewed in 7 days. As such, I will just wait for the 7 days and see if the renewal works.
I have no expectation that the kra CS.cfg file will get updated.
I can almost guarantee it won't because the issue Jochen filed hasn't
been addressed yet.
rob
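One way to see for yourself whether the cert blobs in a CS.cfg match what the subsystem's NSS database actually holds (the comparison healthcheck reports on), as an added example that is not from this thread or from FreeIPA itself; the `kra.<tag>.cert` / `kra.<tag>.nickname` key layout, the nicknames and the `/etc/pki/pki-tomcat/alias` path are assumptions, and the sample blobs are constructed stand-ins rather than real certificates.

```python
import base64
import re
import subprocess

# Constructed CS.cfg fragment; key layout and nicknames are assumptions.
SAMPLE_CS_CFG = """\
kra.storage.nickname=storageCert cert-pki-kra KRA
kra.storage.cert=MIIBAAEC
kra.transport.nickname=transportCert cert-pki-kra KRA
kra.transport.cert=MIIBAAED
"""
# Constructed live certs as PEM by NSS nickname; transport was renewed.
SAMPLE_NSS = {
    "storageCert cert-pki-kra KRA":
        "-----BEGIN CERTIFICATE-----\nMIIBAAEC\n-----END CERTIFICATE-----\n",
    "transportCert cert-pki-kra KRA":
        "-----BEGIN CERTIFICATE-----\nMIIBAAEF\n-----END CERTIFICATE-----\n",
}

def parse_cs_cfg(text):
    """Parse key=value lines; '#' lines are comments."""
    cfg = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        cfg[key.strip()] = value.strip()
    return cfg

def pem_to_der(pem):
    """Strip PEM armor and whitespace, return DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def live_cert_pem(nickname, dbdir="/etc/pki/pki-tomcat/alias"):
    """Export one cert as PEM from the NSS DB with certutil (real host only)."""
    cmd = ["certutil", "-L", "-d", dbdir, "-n", nickname, "-a"]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

def find_stale(cfg_text, subsystem, live_pems):
    """Nicknames whose CS.cfg blob differs from the live certificate."""
    cfg = parse_cs_cfg(cfg_text)
    stale = []
    for key, blob in cfg.items():
        m = re.fullmatch(rf"{subsystem}\.(\w+)\.cert", key)
        nick = cfg.get(f"{subsystem}.{m.group(1)}.nickname") if m else None
        if nick in live_pems and base64.b64decode(blob) != pem_to_der(live_pems[nick]):
            stale.append(nick)
    return sorted(stale)
```

On a real replica, build the `live_pems` mapping with `live_cert_pem()` for each nickname found in the parsed file and pass the contents of `/etc/pki/pki-tomcat/kra/CS.cfg`; any nickname it returns is a blob healthcheck would flag as out of date.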