If there are KRAs, ensure the renewal server is one

freeipa / freeipa-healthcheck

Check the health of a freeIPA installation

GNU General Public License v3.0

50 stars 28 forks source link

If there are KRAs, ensure the renewal server is one #290

Closed rcritten closed 1 year ago

rcritten commented 1 year ago

If there are KRAs in the topology and there isn't one on the renewal server then the KRA certificates will not be renewed because they expect another server to do it for them.

Fixes: https://github.com/freeipa/freeipa-healthcheck/issues/125

rcritten commented 1 year ago

Any reason to not rely on this info?

No, I totally missed this. Dropped the search as it is much simpler code.

flo-renaud commented 1 year ago

Thanks for the update, LGTM. I tested the same scenario as the pytest:

host is not renewal master
host is renewal master, no KRA at all
host is renewal master, there is a KRA but not on this host
host is renewal master and has KRA