To help prevent issues with failed auto-renewal of certificates due to them not being tracked by certmonger, create a banner to be displayed at the top of the UI at login, alerting the admin that subsystem certificates are not being tracked by certmonger.
Do we really have cases when certificates are untracked? Do we know how it happened? This is a situation which should not happen or should be fixed automatically.
And if it happens then a root cause needs to be investigated and fixed to prevent future cases.
Metadata Update from @pvoborni: - Custom field rhbz adjusted to todo - Issue set to the milestone: FreeIPA 4.7 - Issue tagged with: rfe, webui
We do actually have untracked certificates for CA-less setup but I don't think we can have any way to actually display information about them without involving oddjobd-based helpers to query a specific databases about this information. At this point it becomes too much.
We also would have users' or services' certificates in the user or service entries. Expiration status of these can trivially be shown when visiting a specific user or service entry. Yes, this is not a global view for admins but in case you have thousands or millions of certificates this approach is the only one that is reasonable for Web UI. The rest (reports) should be generatable offline and statically hosted for admin's review separate from normal Web UI flow.
I think that in some way we could use the new tool we're building [1] [2] to have these notifications and alerts.
[1] https://www.redhat.com/archives/freeipa-devel/2017-April/msg00132.html [2] https://github.com/felipevolpone/freeipa-health-checker
Metadata Update from @rcritten: - Issue set to the milestone: FreeIPA 4.7.1 (was: FreeIPA 4.7)
FreeIPA 4.7 has been released, moving to FreeIPA 4.7.1 milestone
Metadata Update from @rcritten: - Issue tagged with: healthcheck
Login to comment on this ticket.