Bug 2162677
| Summary: | RFE: Implement support for PKI certificate and request pruning | ||
|---|---|---|---|
| Product: | Red Hat Enterprise Linux 9 | Reporter: | Rob Crittenden <rcritten> |
| Component: | ipa | Assignee: | Rob Crittenden <rcritten> |
| Status: | CLOSED ERRATA | QA Contact: | Mohammad Rizwan <myusuf> |
| Severity: | unspecified | Docs Contact: | David Voženílek <dvozenil> |
| Priority: | unspecified | ||
| Version: | 9.0 | CC: | frenaud, gfialova, gkaihoro, jsvarova, pasik, rcritten, sumenon, tscherf |
| Target Milestone: | beta | Keywords: | FutureFeature, Triaged |
| Target Release: | --- | Flags: | pm-rhel: mirror+ |
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | ipa-4.10.1-4.el9 | Doc Type: | Enhancement |
| Doc Text: |
.ACME supports automatically removing expired certificates as a Technology Preview
The Automated Certificate Management Environment (ACME) service in Identity Management (IdM) adds an automatic mechanism to purge expired certificates from the certificate authority (CA) as a Technology Preview. As a result, ACME can now automatically remove expired certificates at specified intervals.
Removing expired certificates is disabled by default. To enable it, enter:
----
# ipa-acme-manage pruning --enable --cron "0 0 1 * *"
----
This removes expired certificates on the first day of every month at midnight.
NOTE: Expired certificates are removed after their retention period. By default, this is 30 days after expiry.
For more details, see the `ipa-acme-manage(1)` man page.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2023-05-09 07:33:20 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
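The Doc Text above pairs a monthly cron schedule with a 30-day retention period, so an expired certificate can stay in the CA for much longer than 30 days. The following example is added here and is not FreeIPA or PKI code; it assumes standard five-field cron matching and that each run removes every eligible certificate, and `parse_field`, `next_run` and `removal_time` are hypothetical helper names.

```python
from datetime import datetime, timedelta

# (min, max) per field: minute, hour, day-of-month, month, day-of-week (0=Sun)
FIELD_RANGES = [(0, 59), (0, 23), (1, 31), (1, 12), (0, 6)]


def parse_field(text, lo, hi):
    """Expand one cron field ('*', 'N', 'A-B', '*/S', comma lists) to a set."""
    allowed = set()
    for part in text.split(","):
        rng, _, step = part.partition("/")
        if rng == "*":
            start, end = lo, hi
        elif "-" in rng:
            start, end = (int(x) for x in rng.split("-"))
        else:
            start = int(rng)
            end = hi if step else start
        if not lo <= start <= end <= hi:
            raise ValueError(f"cron field out of range: {part!r}")
        allowed.update(range(start, end + 1, int(step or 1)))
    return allowed


def next_run(cron, after):
    """First whole minute strictly after `after` that matches `cron`."""
    fields = cron.split()
    if len(fields) != 5:
        raise ValueError("expected five cron fields")
    minute, hour, dom, month, dow = (
        parse_field(f, lo, hi) for f, (lo, hi) in zip(fields, FIELD_RANGES))
    both_restricted = fields[2] != "*" and fields[4] != "*"
    t = after.replace(second=0, microsecond=0) + timedelta(minutes=1)
    for _ in range(366 * 24 * 60):  # search at most one year ahead
        dom_ok, dow_ok = t.day in dom, (t.weekday() + 1) % 7 in dow
        # cron rule: when both day fields are restricted, either may match
        day_ok = (dom_ok or dow_ok) if both_restricted else (dom_ok and dow_ok)
        if t.minute in minute and t.hour in hour and t.month in month and day_ok:
            return t
        t += timedelta(minutes=1)
    raise ValueError("no matching run within a year")


def removal_time(not_after, cron="0 0 1 * *", retention_days=30):
    """Earliest job run after the certificate's notAfter plus retention."""
    return next_run(cron, not_after + timedelta(days=retention_days))


# Constructed sample: a certificate that expired on 2023-01-02 12:00.
print(removal_time(datetime(2023, 1, 2, 12, 0)))
```

With the schedule and retention shown in the Doc Text, this constructed certificate is removed on 2023-03-01 at 00:00, 57.5 days after it expired, which matters when sizing the CA database or auditing what expired material is still present.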
Description
Rob Crittenden
2023-01-20 13:20:45 UTC
Upstream design PR https://github.com/freeipa/freeipa/pull/6600

Design PR
master:
https://pagure.io/freeipa/c/5d9f59038db8c8b133f3d75ce7d98324daf5b403

Design PR
ipa-4-10:
https://pagure.io/freeipa/c/51b1c22d025bf40e9ef488bb0faf0c8dff303ccd

Fixed upstream
master:
https://pagure.io/freeipa/c/78298fd4e18f45f77691914ef7b406aa08fc7776
https://pagure.io/freeipa/c/7d1d91fc86c49fcaaec05c772add13af36fc0209

Fixed upstream
ipa-4-10:
https://pagure.io/freeipa/c/9246a8a003b2b0062e07c289cd7cde8fe902b16f
https://pagure.io/freeipa/c/f10d1a0f84ed0f16ab4a1469f16ffadb3e79e59e

Additional commit for a test fix:
master:
https://pagure.io/freeipa/c/414b5fe3520e5e733f26fa1e55bee8501598e261
ipa-4-10:
https://pagure.io/freeipa/c/d24b69981d94fce7b1e1aa4a5c1ab88a123f96b5

Fix for the test:
master:
https://pagure.io/freeipa/c/e76b219c21d53b6bccce4ea3d18e2b61ac835e1f
ipa-4-10:
https://pagure.io/freeipa/c/e7c642bafcead5ce344f3b129d916045b00d0c1e

version:
ipa-server-4.10.1-5.el9.x86_64
machine='x86_64')
2023-02-23T13:47:10 euid: 0, egid: 0
2023-02-23T13:47:10 working dir: /tmp/wp/freeipa
2023-02-23T13:47:10 sys.version: 3.9.16 (main, Dec 8 2022, 00:00:00)
2023-02-23T13:47:10 [GCC 11.3.1 20221121 (Red Hat 11.3.1-4)]
2023-02-23T13:47:10 ============================= test session starts ==============================
2023-02-23T13:47:10 platform linux -- Python 3.9.16, pytest-3.10.1, py-1.10.0, pluggy-0.13.1 -- /usr/bin/python3
2023-02-23T13:47:10 cachedir: .pytest_cache
2023-02-23T13:47:10 metadata: {'Python': '3.9.16', 'Platform': 'Linux-5.14.0-277.el9.x86_64-x86_64-with-glibc2.34', 'Packages': {'pytest': '3.10.1', 'pluggy': '0.13.1'}, 'Plugins': {'metadata': '2.0.4', 'html': '1.22.1', 'multihost': '3.0', 'sourceorder': '0.6.0'}}
2023-02-23T13:47:10 rootdir: /tmp/wp/freeipa, inifile: tox.ini
2023-02-23T13:47:10 plugins: metadata-2.0.4, html-1.22.1, multihost-3.0, sourceorder-0.6.0
2023-02-23T13:47:12 collecting ... collected 9 items
2023-02-23T13:47:12
2023-02-23T13:56:58 ipatests/test_integration/test_acme.py::TestACMEPrune::test_enable_pruning PASSED [ 11%]
2023-02-23T13:57:21 ipatests/test_integration/test_acme.py::TestACMEPrune::test_pruning_options PASSED [ 22%]
2023-02-23T13:57:28 ipatests/test_integration/test_acme.py::TestACMEPrune::test_pruning_negative_options PASSED [ 33%]
2023-02-23T13:59:18 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_manual PASSED [ 44%]
2023-02-23T14:05:37 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_cron PASSED [ 55%]
2023-02-23T14:11:53 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_retention_unit PASSED [ 66%]
2023-02-23T14:13:41 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_cert_search_size_limit PASSED [ 77%]
2023-02-23T14:14:27 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_config_show PASSED [ 88%]
2023-02-23T14:15:41 ipatests/test_integration/test_acme.py::TestACMEPrune::test_prune_disable PASSED [100%]
2023-02-23T14:15:41
2023-02-23T14:15:41 ------------------ generated xml file: /tmp/wp/twd/junit.xml -------------------
2023-02-23T14:15:41 ------------- generated html file: file:///tmp/wp/twd/report.html --------------
2023-02-23T14:15:41 ========================= 9 passed in 1711.74 seconds ==========================
Automation passed, hence marking the bug as verified.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (ipa bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2023:2205