[Freeipa-users] another certmonger question
Rob Crittenden
rcritten at redhat.com
Tue Oct 4 19:24:02 UTC 2016
Natxo Asenjo wrote:
> hi,
>
> On Mon, Oct 3, 2016 at 5:32 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
> >
> > usercertificate is a multi-valued LDAP attribute but IPA 3.0 only
> > really operates on the "first" value returned (I didn't look at more
> > recent versions). In this case it is the 267976717 cert. The other
> > certs shown without details are for the other serial numbers that
> > cert-find is reporting.
> >
> > I can't see a way that this first usercertificate value isn't
> > revoked and removed upon renewal so I can't quite figure out how you
> > got into this state (and so easily as I understand it). I wasn't
> > able to reproduce it myself. Do you have any idea how widespread
> > this is in your infrastructure?
> >
> > I can see that once in this state any "extra" certs would just
> > be stuck there, never to be revoked.
>
> This is happening all over the place.
>
> I guess I will have to script this: retrieve the usercertificate
> attribute of the host computers, get their 'not before/not after' and
> serial number values, and revoke the oldest valid ones in case there is
> more than one valid one. This should not be very hard.
>
> I need to monitor the certmonger status as well, a nagios plugin should
> do the trick.
>
You may want to open a bug against RHEL 6 on this as well.
rob
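The per-host cleanup Natxo sketches above (read every usercertificate value, pull out serial number and validity window, keep the newest still-valid certificate and revoke the other valid ones) as an added Python example; this is not code from the thread or from FreeIPA. It assumes the DER bytes are already fetched from LDAP, parses them with a small hand-rolled ASN.1 walker instead of a library, and builds unsigned constructed test certificates in place of real host certs; it only produces the list of serials to hand to `ipa cert-revoke`.

```python
import datetime as dt

def _tlv(buf, pos):
    """Read one DER TLV at pos -> (tag, contents, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                   # long-form length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def cert_summary(der):
    """Serial number and validity window of one DER usercertificate value (no signature check)."""
    when = lambda tag, raw: dt.datetime.strptime(raw.decode("ascii"),   # UTCTime / GeneralizedTime
        "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)
    _, cert, _ = _tlv(der, 0)                       # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)                       # tbsCertificate
    tag, body, pos = _tlv(tbs, 0)
    if tag == 0xA0:                                 # optional explicit [0] version
        tag, body, pos = _tlv(tbs, pos)
    serial = int.from_bytes(body, "big")            # INTEGER serialNumber
    _, _, pos = _tlv(tbs, pos)                      # signature AlgorithmIdentifier (skipped)
    _, _, pos = _tlv(tbs, pos)                      # issuer Name (skipped)
    _, validity, _ = _tlv(tbs, pos)                 # validity ::= SEQUENCE { notBefore, notAfter }
    t1, nb, pos = _tlv(validity, 0)
    t2, na, _ = _tlv(validity, pos)
    return {"serial": serial, "not_before": when(t1, nb), "not_after": when(t2, na)}

def plan_revocations(ders, now=None):
    """Keep the valid cert with the latest notAfter -> (keep_serial, revoke_serials); expired and not-yet-valid certs are left alone."""
    if isinstance(now, str):                        # accept "YYYY-MM-DD" for scripting convenience
        now = dt.datetime.fromisoformat(now).replace(tzinfo=dt.timezone.utc)
    now = now or dt.datetime.now(dt.timezone.utc)
    valid = [c for c in map(cert_summary, ders) if c["not_before"] <= now <= c["not_after"]]
    valid.sort(key=lambda c: (c["not_after"], c["serial"]), reverse=True)
    return (valid[0]["serial"] if valid else None), [c["serial"] for c in valid[1:]]

def _der(tag, body):
    """Tiny DER encoder (short and two-byte long form) used only to build constructed test data."""
    ln = bytes([len(body)]) if len(body) < 128 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + ln + body

def make_test_cert(serial, not_before, not_after):
    """Constructed, UNSIGNED test certificate ("YYYY-MM-DD" dates) carrying only the fields read above."""
    utc = lambda s: _der(0x17, dt.datetime.fromisoformat(s).strftime("%y%m%d%H%M%SZ").encode())
    ser = serial.to_bytes((serial.bit_length() + 8) // 8, "big")   # leading zero keeps INTEGER positive
    tbs = (_der(0xA0, _der(0x02, b"\x02")) + _der(0x02, ser) + _der(0x30, b"")
           + _der(0x30, b"") + _der(0x30, utc(not_before) + utc(not_after)))  # v3, serial, sigalg, issuer, validity
    return _der(0x30, _der(0x30, tbs) + _der(0x30, b"") + _der(0x03, b"\x00"))
```

With real data, pass the raw attribute values from ldapsearch (base64-decoded) to `plan_revocations` per host and review the returned serials before revoking.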