Hello! I have ipa 4.6.4-10, and my certmonger does not update the ipa-ca-agent cert.
Subject DN: CN=ipa-ca-agent, O=<my realm>
How can I update it? I have a few weeks before my certificate expires. I can't find documentation about it.
I found this link but am not sure that it resolves my problem. https://www.freeipa.org/page/CVE-2015-5284
N N via FreeIPA-users wrote:
I found this link but am not sure that it resolves my problem. https://www.freeipa.org/page/CVE-2015-5284
It is unrelated.
What is it you're using the ipa-ca-agent certificate for? It is not normally used in an IPA installation.
rob
Hello! Thanks for your reply. I am new to FreeIPA and I'm afraid that I will have certificate problems. This is why I added simple monitoring like this: GSS_USE_PROXY=yes /usr/bin/ipa cert-find --validnotafter-to=`date -d "+30 days" +%F`
All certificates have been updated and I see new certificates in GSS_USE_PROXY=yes /usr/bin/ipa cert-find
But the certificate with the Subject CN=ipa-ca-agent, O=<realm> is not renewed, and I found this link: https://www.redhat.com/archives/freeipa-users/2016-August/msg00332.html. If my opinion is correct, then this link describes the method of manually updating the certificate: https://www.freeipa.org/page/CVE-2015-5284
I can’t understand how this certificate is used now, so it’s hard for me to evaluate the consequences of a future problem.
N N via FreeIPA-users wrote:
Hello! Thanks for your reply. I am new to FreeIPA and I'm afraid that I will have certificate problems. This is why I added simple monitoring like this: GSS_USE_PROXY=yes /usr/bin/ipa cert-find --validnotafter-to=`date -d "+30 days" +%F`
All certificates have been updated and I see new certificates in GSS_USE_PROXY=yes /usr/bin/ipa cert-find
But the certificate with the Subject CN=ipa-ca-agent, O=<realm> is not renewed, and I found this link: https://www.redhat.com/archives/freeipa-users/2016-August/msg00332.html. If my opinion is correct, then this link describes the method of manually updating the certificate: https://www.freeipa.org/page/CVE-2015-5284
This is unrelated.
I can’t understand how this certificate is used now, so it’s hard for me to evaluate the consequences of a future problem.
As I said, this certificate is not used. It is automatically generated by the CA during installation but not used by IPA.
rob
freeipa-users@lists.fedorahosted.org