freeipa

Clone
Source Code
GIT

#9285 ipa-certupdate restarts HTTPd too early
Closed: fixed 2 years ago by frenaud. Opened 2 years ago by cheimes.

Closed: fixed
Reopen Issue

Issue

The issue is similar to #9269. Apache is configured to use /etc/ipa/ca.crt to provide CA certs for client cert authentication. The ipa-certupdate script restarts Apache HTTPd before it updates /etc/ipa/ca.crt. Therefore Apache does not recognize any new CA cert until it is restarted a second time.

Version/Release/Distribution

ipa-server-4.10.0-6.el9.x86_64
ipa-client-4.10.0-6.el9.x86_64
389-ds-base-2.1.3-4.el9_1.x86_64
package pki-ca is not installed
krb5-server-1.19.1-22.el9.x86_64

Metadata Update from @cheimes:
- Assignee reset
2 years ago

Fix: Move restart after update_client(certs).

Metadata Update from @cheimes:
- Custom field on_review adjusted to https://github.com/freeipa/freeipa/pull/6573
- Issue assigned to cheimes
2 years ago

master:

  • bb74832 ipa-certupdate: Update client certs before KDC/HTTPd restart

ipa-4-9:

  • f3052c1 ipa-certupdate: Update client certs before KDC/HTTPd restart

ipa-4-10:

  • 8e7d1ac ipa-certupdate: Update client certs before KDC/HTTPd restart

Metadata Update from @frenaud:
- Issue close_status updated to: fixed
- Issue status updated to: Closed (was: Open)
2 years ago

Log in to comment on this ticket.

Metadata
None
None
None
None
None
None
None
None
None
None
None
None
None
https://github.com/freeipa/freeipa/pull/6573
None
None
None
None
None
None
None
None
Powered by Pagure 5.14.1
DocumentationFile an IssueAboutSSH Hostkey/Fingerprint
© Red Hat, Inc. and others.