Hi,

On Wed, Aug 31, 2022 at 12:04 AM IPA Listmail via FreeIPA-users <[email protected]> wrote:
> Never mind, it appears there may be some minimum amount of time before
> certmonger looks at a cert, and the amount of time is greater than my 10
> minutes.
>

Yes, certmonger can be configured with a different delay. For more
information, refer to the description of enroll_ttls in the man page
certmonger.conf(5).

flo

> I'll watch the logs overnight and adjust certificate validity to be
> slightly longer and continue my testing. Sorry for the noise!
>
> On Tue, Aug 30, 2022 at 5:52 PM IPA Listmail <[email protected]> wrote:
>
>> client: el8
>> ipa server: el7
>>
>> I created a cert via:
>> sudo ipa-getcert request -w -v -D <san1> -D <san2> -K PUPPET/$(hostname -f) \
>>     -k /etc/puppetlabs/puppet/ssl/private_keys/$(hostname -f).pem \
>>     -f /etc/puppetlabs/puppet/ssl/certs/$(hostname -f).pem
>>
>> Everything about the cert _appears_ to be fine. Openssl output looks
>> normal and the puppet agent runs fine.
>>
>> During testing I have radically reduced the certificate validity down to
>> 10 minutes. The output of ipa-getcert list is:
>>
>> Number of certificates and requests being tracked: 1.
>> Request ID '20220830202305':
>>         status: MONITORING
>>         stuck: no
>>         key pair storage: type=FILE,location='/etc/puppetlabs/puppet/ssl/private_keys/ip-10-0-82-56.eu-west-1.compute.internal.pem'
>>         certificate: type=FILE,location='/etc/puppetlabs/puppet/ssl/certs/ip-10-0-82-56.eu-west-1.compute.internal.pem'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=DOMAIN.COM 20220829230619
>>         subject: CN=ip-10-0-82-56.eu-west-1.compute.internal,O=DOMAIN.COM 20220829230619
>>         issued: 2022-08-30 21:29:11 UTC
>>         expires: 2022-08-30 21:39:11 UTC
>>         dns: ip-10-0-82-56.eu-west-1.compute.internal
>>         principal name: host/[email protected]
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command:
>>         track: yes
>>         auto-renew: yes
>>
>> However, it never actually updates before (or after) expiration. I have
>> tried restarting the service and rebooting. This is happening on two hosts.
>> I see no failures in the log or anything in the log after the last resubmit
>> command. I have manually used rekey and resubmit. Both worked fine. Using a
>> blog post from Fraser, I tried start-tracking with --no-renew, then
>> --renew. I looked for errors. The only thing that seems kind of odd to me is
>> in /var/lib/certmonger/requests/20220830202305:
>> last_need_notify_check=20220830205312
>> last_need_enroll_check=20220830205312
>>
>> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
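Flo's pointer to enroll_ttls is the thing to check when a short-lived certificate is never renewed: certmonger attempts re-enrollment once a certificate's remaining lifetime falls below one of the listed thresholds, so those thresholds have to be sensible against the certificate's actual validity. The script below is an added example for this thread, not certmonger's or FreeIPA's own code. It parses `ipa-getcert list` output (the embedded sample is constructed from the listing quoted above, trimmed to the fields it reads) and an enroll_ttls value in certmonger.conf(5) syntax, then reports which thresholds a certificate has already crossed and when the first one is crossed. Assumptions: duration values use the s/m/h/d suffixes and a bare number is seconds; the long threshold list used in the demo is illustrative, not a quote of certmonger's real default.

```python
"""Check certmonger-tracked certificates against an enroll_ttls schedule.

Added example for the thread above, not certmonger's or FreeIPA's own code.
Assumes enroll_ttls is a comma-separated list of durations with s/m/h/d
suffixes (a bare number is taken as seconds: assumption).
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the `ipa-getcert list` output quoted in the thread,
# trimmed to the fields this script reads.
SAMPLE_LIST = """\
Number of certificates and requests being tracked: 1.
Request ID '20220830202305':
        status: MONITORING
        stuck: no
        CA: IPA
        issued: 2022-08-30 21:29:11 UTC
        expires: 2022-08-30 21:39:11 UTC
        track: yes
        auto-renew: yes
"""

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}


def parse_ttl(token: str) -> timedelta:
    """Parse one duration such as '28d', '30m' or '90' (seconds)."""
    m = re.fullmatch(r"\s*(\d+)([smhd]?)\s*", token)
    if not m:
        raise ValueError(f"bad ttl value: {token!r}")
    return timedelta(seconds=int(m.group(1)) * _UNITS[m.group(2) or "s"])


def parse_enroll_ttls(spec: str) -> list[timedelta]:
    """Parse an enroll_ttls value ('28d,14d,...,5m') into a descending list."""
    return sorted((parse_ttl(t) for t in spec.split(",") if t.strip()),
                  reverse=True)


def parse_getcert_list(text: str) -> list[dict]:
    """Extract the request id and 'key: value' fields from `ipa-getcert list`;
    'issued' and 'expires' are converted to timezone-aware UTC datetimes."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
            continue
        m = re.match(r"\s*([A-Za-z -]+): ?(.*)$", line)
        if cur is None or not m:
            continue
        key, val = m.group(1).strip(), m.group(2).strip()
        if key in ("issued", "expires"):
            val = datetime.strptime(val, "%Y-%m-%d %H:%M:%S %Z").replace(
                tzinfo=timezone.utc)
        cur[key] = val
    return entries


def renewal_plan(entry: dict, ttls: list[timedelta], now: datetime) -> dict:
    """For one tracked certificate, report the remaining lifetime, which
    enroll_ttls thresholds are already crossed (remaining lifetime below the
    threshold) and when the first threshold is crossed.  A threshold longer
    than the certificate's whole lifetime is crossed at issuance."""
    issued, expires = entry["issued"], entry["expires"]
    lifetime = expires - issued
    remaining = expires - now
    crossed = [t for t in ttls if remaining < t]
    first = max(issued, expires - ttls[0]) if ttls else None
    return {
        "id": entry["id"],
        "lifetime": lifetime,
        "remaining": remaining,
        "crossed": crossed,
        "first_renewal_at": first,
        "too_long": [t for t in ttls if t >= lifetime],
        "renewal_due": bool(crossed) and entry.get("auto-renew") == "yes",
    }


if __name__ == "__main__":
    now = datetime(2022, 8, 30, 21, 35, 0, tzinfo=timezone.utc)  # constructed
    for spec in ("28d,14d,7d,3d,2d,1d,12h,6h,3h,2h,1h,30m,15m,5m",  # illustrative
                 "5m,2m,1m"):  # tuned for a 10-minute test certificate
        print(f"enroll_ttls={spec}")
        for entry in parse_getcert_list(SAMPLE_LIST):
            plan = renewal_plan(entry, parse_enroll_ttls(spec), now)
            print(f"  {plan['id']}: lifetime {plan['lifetime']}, "
                  f"remaining {plan['remaining']}, first renewal attempt "
                  f"possible at {plan['first_renewal_at']:%H:%M:%S}, "
                  f"{len(plan['too_long'])} threshold(s) longer than lifetime, "
                  f"renewal due now: {plan['renewal_due']}")
```

For the 10-minute certificate in the thread, every threshold of 10 minutes or longer is crossed the moment the certificate is issued, whereas a list such as `5m,2m,1m` places the first renewal attempt at 21:34:11. Whether certmonger actually acts inside such a short window also depends on how soon its next check runs after the threshold is crossed, which this script does not model; compare the `last_need_enroll_check` timestamp in the request file against the computed time to see which side of that line a test certificate fell on.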
