Hi,
On Wed, Aug 31, 2022 at 12:04 AM IPA Listmail via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
Never mind, it appears there may be some minimum amount of time before
certmonger looks at a cert, and the amount of time is greater than my 10 minutes.
Yes, certmonger can be configured with a different delay. For more
information, refer to the description of enroll_ttls in the man page
certmonger.conf(5).
flo
I'll watch the logs overnight and adjust certificate validity to be
slightly longer and continue my testing. Sorry for the noise!
On Tue, Aug 30, 2022 at 5:52 PM IPA Listmail <ipalistmail@gmail.com> wrote:
> client: el8
> ipa server: el7
>
> I created a cert via:
> sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f)\
> -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem\
> -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
>
> Everything about the cert _appears_ to be fine. Openssl output looks
> normal and the puppet agent runs fine.
>
> During testing I have radically reduced the certificate validity down to
> 10 minutes. The output of ipa-getcert list is:
>
> Number of certificates and requests being tracked: 1.
> Request ID '20220830202305':
> status: MONITORING
> stuck: no
> key pair storage:
> type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
> certificate:
> type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
> CA: IPA
> issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
> subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
> issued: 2022-08-30 21:29:11 UTC
> expires: 2022-08-30 21:39:11 UTC
> dns: ip-10-0-82-56.eu-west-1.compute.internal
> principal name: host/ip-10-0-82-56.eu-west-1.compute.internal@DOMAIN.COM
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command:
> track: yes
> auto-renew: yes
>
> However, it never actually updates before (or after) expiration. I have
> tried restarting the service and rebooting. This is happening on two hosts.
> I see no failures in the log or anything in the log after the last resubmit
> command. I have manually used rekey and resubmit. Both worked fine. Using a
> blog post from Fraser, I tried start-tracking with --no-renew, then
> --renew. I looked for errors. The only thing that seems kind of odd to me is
> in /var/lib/certmonger/requests/20220830202305:
> last_need_notify_check=20220830205312
> last_need_enroll_check=20220830205312
>
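A check for the situation described in this thread, added here as an example and not part of the original messages: it parses `ipa-getcert list` output (a constructed sample modelled on the one quoted above) and flags tracked certificates whose whole validity fits inside certmonger's check delay, so they can expire before certmonger looks at them again. The delay value passed in is an assumption the reader should take from enroll_ttls in their own certmonger.conf(5); the function names are mine.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `ipa-getcert list` output quoted in the
# thread (10-minute validity, auto-renew on); not the poster's literal output.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
\tstatus: MONITORING
\tstuck: no
\tissued: 2022-08-30 21:29:11 UTC
\texpires: 2022-08-30 21:39:11 UTC
\ttrack: yes
\tauto-renew: yes
"""

def parse_getcert_list(text):
    """Return one dict per tracked request, built from its 'field: value' lines."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def _utc(stamp):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamps certmonger prints."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def renewal_risk(req, check_delay_s):
    """Return (validity_seconds, problem or None) for one tracked request.
    check_delay_s is an assumed value: the shortest delay before certmonger looks at
    a certificate again, to be read from enroll_ttls in your certmonger.conf(5).
    A lifetime that fits inside that delay can end before certmonger ever checks."""
    validity = int((_utc(req["expires"]) - _utc(req["issued"])).total_seconds())
    if req.get("auto-renew") != "yes":
        return validity, "auto-renew is off"
    if validity <= check_delay_s:
        return validity, "validity shorter than the assumed certmonger check delay"
    return validity, None

def check_all(text, check_delay_s):
    """Return [(request id, validity seconds, problem)] for every tracked request."""
    return [(r["id"], *renewal_risk(r, check_delay_s)) for r in parse_getcert_list(text)]
```

Run `check_all(SAMPLE_LIST, 15 * 60)` to reproduce the thread's case: a 600-second certificate against an assumed 15-minute check delay is flagged, while the same certificate against a 5-minute delay is not.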