Bug 1830344

Summary: KRA certificates will expire if the CA renewal manager isn't running that service
Product: Red Hat Enterprise Linux 8
Reporter: Rob Crittenden <rcritten>
Component: ipa
Assignee: Thomas Woerner <twoerner>
Status: CLOSED WONTFIX
QA Contact: ipa-qe <ipa-qe>
Severity: unspecified
Priority: medium
Version: 8.2
CC: pasik, pcech, rcritten, tscherf
Target Milestone: rc
Keywords: Triaged
Target Release: 8.0
Flags: pm-rhel: mirror+
Hardware: Unspecified
OS: Unspecified
Last Closed: 2021-11-01 07:27:01 UTC
Type: Bug

Description Rob Crittenden 2020-05-01 17:04:11 UTC
Description of problem:

Problem discovered on RHEL 7.7.

User had a set of IPA masters, some of which run the KRA.

The CA renewal master does not have that role.

The KRA certificates expired and there was no way to renew them.

The suggested workaround was to set one of the KRA masters as the renewal master, renew the certs, force the other KRA masters to pull them in, then restore the original CA renewal master (or leave it).

We may need to require that, if a KRA is installed, one of those masters is the renewal master. Enforcing this could be difficult.
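
A check for the condition described in this report, as an added example that is not part of the original bug report or of IPA's own code: it reads `ipa config-show` output and flags a deployment whose CA renewal master is not among the KRA servers. The field labels `IPA CA renewal master` and `IPA KRA servers`, the function name `kra_renewal_check` and the hostnames are assumptions, and the sample output is constructed.

```shell
#!/bin/bash
# Added example (not IPA code). Assumes `ipa config-show` prints the lines
# "IPA CA renewal master: <host>" and "IPA KRA servers: <host>, <host>, ...".

# Reads `ipa config-show` text on stdin and prints a one-line verdict.
# Exit status: 0 = renewal master runs the KRA (or no KRA is listed),
#              1 = KRA deployed but renewal master is not a KRA server,
#              2 = no renewal master found in the input.
kra_renewal_check() {
    awk -F': *' '
        { sub(/^[ \t]+/, "", $1) }                      # drop the CLI indent
        $1 == "IPA CA renewal master" { master = $2 }
        $1 == "IPA KRA servers"       { kra = $2 }
        END {
            gsub(/[ \t\r]+$/, "", master)
            if (master == "") { print "UNKNOWN: no renewal master in input"; exit 2 }
            if (kra == "")    { print "OK: no KRA servers listed"; exit 0 }
            n = split(kra, hosts, /, */)
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t\r]+$/, "", hosts[i])
                if (tolower(hosts[i]) == tolower(master)) {
                    print "OK: renewal master " master " runs the KRA"
                    exit 0
                }
            }
            print "AT RISK: renewal master " master " is not a KRA server (" kra ")"
            exit 1
        }'
}

# Constructed sample mirroring the topology in the report: the renewal
# master (ipa1) has the CA role only, while ipa2 and ipa3 run the KRA.
SAMPLE_AT_RISK='  Maximum username length: 32
  IPA masters: ipa1.example.test, ipa2.example.test, ipa3.example.test
  IPA CA servers: ipa1.example.test, ipa2.example.test
  IPA KRA servers: ipa2.example.test, ipa3.example.test
  IPA CA renewal master: ipa1.example.test'

printf '%s\n' "$SAMPLE_AT_RISK" | kra_renewal_check || true

# On an IPA server, with a valid Kerberos ticket:
#   ipa config-show | kra_renewal_check
```

Run it from monitoring well before the KRA certificates' expiry dates, so the renewal master can be moved while the certificates are still valid.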

Comment 3 RHEL Program Management 2021-11-01 07:27:01 UTC
After evaluating this issue, there are no plans to address it further or fix it in an upcoming release.  Therefore, it is being closed.  If plans change such that this issue will be fixed in an upcoming release, then the bug can be reopened.