[Freeipa-devel] CA-less installs: passive certmonger - watch-and-warn mode

Petr Spacek pspacek at redhat.com
Tue Sep 27 14:03:50 UTC 2016


On 18.7.2016 08:22, Jan Cholasta wrote:
> On 8.7.2016 15:59, Rob Crittenden wrote:
>> Petr Spacek wrote:
>>> On 8.7.2016 15:31, Rob Crittenden wrote:
>>>> Petr Spacek wrote:
>>>>> Hi,
>>>>>
>>>>> our docs
>>>>>
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/install-server.html#install-determine-ca
>>>>>
>>>>> claim this:
>>>>> "The certmonger service is not used to track certificates. Therefore, it does
>>>>> not warn you of impending certificate expiration."
>>>>>
>>>>> Is this correct?
>>>>>
>>>>> Can we at least configure certmonger to passively track the certificates and
>>>>> throw warnings about impending expiration into logs?
> 
> +1, I have already suggested we do this several times.
> 
>>>>>
>>>>
>>>> Throw a warning where? Register an e-mail address as part of the tracking
>>>> perhaps?
>>>>
>>>> It would probably be fairly easy to write a "CA" that sends an e-mail. The
>>>> trick, and this has always tripped us up, is having an MTA configured.
>>>
>>> I would start with logs, as I wrote in the original message. This will
>>> naturally evolve into something else when we finally get
>>> user-configurable hooks.
>>>
>>> In any case, having certmonger configured to track the certs is a prerequisite
>>> for all cases...
>>
>> "Logs" is not very specific, do you mean syslog/journal?
>>
>> Feel free to open an RFE against certmonger with your proposal. I
>> suspect that anything logged will just get lost in most cases.

Finally, here is the ticket:
https://fedorahosted.org/certmonger/ticket/59

> For IPA CA certificate, we log warnings to syslog with ALERT level. I think
> doing that for other certs would be good enough for starters.

-- 
Petr^2 Spacek
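The "watch-and-warn" behaviour discussed in this thread, sketched as a small stand-alone checker; this is an added illustration, not certmonger or FreeIPA code. It assumes expiry dates arrive in the `notAfter=` text form that `openssl x509 -noout -enddate` prints, uses a constructed 28-day threshold, and emits to syslog at ALERT level (the level the thread mentions for the IPA CA certificate) when a certificate is expired or about to expire.

```python
"""Passive certificate watch-and-warn checker (added example, not certmonger code)."""
import syslog
from datetime import datetime, timedelta, timezone

# Constructed sample input: the line `openssl x509 -noout -enddate` prints.
SAMPLE_NOT_AFTER = "notAfter=Oct 10 12:00:00 2016 GMT"
WARN_DAYS = 28  # constructed threshold; not a value from the thread


def parse_not_after(line: str) -> datetime:
    """Parse 'notAfter=Mon DD HH:MM:SS YYYY GMT' into an aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def classify(not_after: datetime, now: datetime, warn_days: int = WARN_DAYS):
    """Return (syslog priority, message) describing the certificate's remaining lifetime.

    Expired, or expiring within warn_days, maps to LOG_ALERT; anything else to LOG_INFO,
    so a log-based monitor can key on the priority rather than parse the text.
    """
    if now >= not_after:
        overdue = (now - not_after).days
        return syslog.LOG_ALERT, f"certificate expired {overdue} day(s) ago ({not_after.isoformat()})"
    remaining = not_after - now
    if remaining <= timedelta(days=warn_days):
        return syslog.LOG_ALERT, f"certificate expires in {remaining.days} day(s) ({not_after.isoformat()})"
    return syslog.LOG_INFO, f"certificate valid for {remaining.days} more day(s)"


def check(not_after_line: str, now_iso: str, warn_days: int = WARN_DAYS):
    """String-in, verdict-out wrapper: now_iso is an ISO-8601 timestamp with offset."""
    return classify(parse_not_after(not_after_line), datetime.fromisoformat(now_iso), warn_days)


def warn_to_syslog(nickname: str, not_after_line: str, warn_days: int = WARN_DAYS):
    """Log the verdict for one tracked certificate under the (constructed) ident 'cert-watch'."""
    priority, message = classify(parse_not_after(not_after_line),
                                 datetime.now(timezone.utc), warn_days)
    syslog.openlog("cert-watch", 0, syslog.LOG_DAEMON)
    syslog.syslog(priority, f"{nickname}: {message}")
    syslog.closelog()
    return priority, message


if __name__ == "__main__":
    print(warn_to_syslog("Server-Cert", SAMPLE_NOT_AFTER))
```

Run it from cron or a systemd timer against each tracked certificate's nickname and `notAfter` line; the ALERT entries then show up in journal/syslog for whatever alerting already watches those logs.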
