[Freeipa-devel] Expired certs and certmonger in FreeIPA

Simo Sorce simo at redhat.com
Sun Oct 30 16:08:16 UTC 2011


So my personal home installation is now more than 6 months old.
How do I know that ? I know because originally we had a 6 months
expiration period in SSL cert profiles and that was the exp. period of
all my certs.

So coming home I got a new laptop for my wife and I wanted to put it in
the FreeIPA domain. I kinit as admin on the server and try to run an ipa
command, and I get back an error that certs are expired :-(

So, knowing certmonger should run I try to check that certmonger is
alive, it isn't and messagebus isn't either. (This is an F15 issue so
only relevant for the following behavior).

Ok I start messagebus and certmonger and then issue a getcert list ..
and it says the certs will expire in 2013 ... uhmm strange I think.

Ok issue the ipa command again, and no luck, it still complains that
certs are expired.

So as a last attempt, before trying to manually issue new certs I just
issue a service httpd restart ... and now the ipa command works again.

So apparently this means apache is not able to find out it has new
certs available, even after the certs it is currently using are expired.

The question is: should we try to fix apache to be able to reread the
cert store ? Or should we add to certmonger the ability to restart
services when it renews certs ? Or when the previous ones finally
expire ?

I'd say the former but it might be a lot more difficult than the second.

Thoughts ?

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York
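The failure mode described above (certmonger has written a renewed certificate to disk, but the long-running httpd is still serving the old, now expired, one from memory) is easy to detect from the outside: compare the fingerprint of the certificate file with the fingerprint of the certificate the TLS endpoint actually presents. The script below is an added example, not code from this thread, FreeIPA or certmonger; the certificate path and the host/port it takes are placeholders for whatever the installation uses.

```shell
#!/bin/sh
# Added example (not FreeIPA/certmonger code): detect a service that keeps
# serving a stale in-memory certificate after the file on disk was renewed.
#
# Assumed inputs (placeholders): $1 = PEM certificate file certmonger tracks,
# $2 = hostname of the service, $3 = TLS port of the service.

# SHA-256 fingerprint of the certificate currently on disk.
fingerprint_of_file() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# SHA-256 fingerprint of the certificate a live TLS endpoint presents.
# Empty stdin makes s_client close the connection right after the handshake.
fingerprint_of_endpoint() {
    openssl s_client -connect "$1:$2" -servername "$1" </dev/null 2>/dev/null \
        | openssl x509 -noout -fingerprint -sha256 2>/dev/null | cut -d= -f2
}

# Returns 0 if the on-disk certificate stays valid for at least $2 more
# seconds, 1 if it expires sooner (or has already expired).
cert_valid_for() {
    openssl x509 -in "$1" -noout -checkend "$2" >/dev/null 2>&1
}

# Returns 0 when the service serves the on-disk certificate, 2 when it is
# still serving a different (stale) one, 3 when the endpoint cannot be read.
check_service_uses_disk_cert() {
    disk=$(fingerprint_of_file "$1")
    live=$(fingerprint_of_endpoint "$2" "$3")
    if [ -z "$live" ]; then
        echo "could not fetch a certificate from $2:$3" >&2
        return 3
    fi
    if [ "$disk" = "$live" ]; then
        echo "OK: $2:$3 serves the certificate in $1"
        return 0
    fi
    echo "STALE: $2:$3 serves $live but $1 holds $disk (service needs a reload)"
    return 2
}

# Run the comparison when invoked with the three placeholder arguments.
if [ "$#" -eq 3 ]; then
    if ! cert_valid_for "$1" 0; then
        echo "WARNING: $1 is already expired" >&2
    fi
    check_service_uses_disk_cert "$1" "$2" "$3"
fi
```

Run from cron or a monitoring check, a return code of 2 is exactly the situation in the mail: getcert reports a renewed certificate, but the daemon never re-read it. A zero-second `-checkend` on the file alone is not enough, because the file on disk was fine here; only the live comparison shows the problem. (Later certmonger releases added a post-save command, `getcert ... -C`, which is the "certmonger restarts the service" option the mail asks about.)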



