F41 FreeIPA HSM

More information about the event can be found here: http://fedoraproject.org/wiki/Test_Day:Test_Day:2024-07-09_IPA_HSM

Results


Basic

Username Profile basicIPAwithHSM IPA server with replica HSM Comments
felipetg VM using Fedora Rawhide (latest iso available) [1] 1. Issue 9623 created
sumenon [1] [2] 1. Ignore https://pagure.io/freeipa/issue/9622
2. https://pagure.io/freeipa/issue/9622

Key Recovery Authority (KRA)

Username Profile IPA with KRA IPA Server replica with KRA Comments
sumenon Fedora41 [1] [2] 1. KRA install is successful with the --token-password and --token-name option.
   ipatoken: storageCert(u,u,u), auditSigningCert(u,u,Pu), transportCert(u,u,u), subsystemCert(u,u,u) are listed using 'certutil -L -d /etc/pki/pki-tomcat/alias -h ipa_token'.
   Vault can be added, data can be archived and retrieved.
2. Installation of Replica prompts 'Enter Password or Pin for "ipa_token":'. The TOKEN_PASSWORD is already specified in the command. https://pagure.io/freeipa/issue/9603

Certificate Reissue

Username Profile Outside grace period Within grace period Comments
sumenon Fedora41 [1] [2] [3] 1. IPA certs expire in 2 years.
   Current Date: Thu Jul 11 02:44:31 PM IST 2024
   Cert Expires: 2026-07-01 14:32:04 IST
   Modified Time: date -s +1years+11months+20days, Wed Jul 1 02:45:06 PM IST 2026
   root@server:~# ipa-cert-fix
   Becoming renewal master.
   Restarting IPA
   The ipa-cert-fix command was successful
   getcert list | grep status -- the certificates go through different states and finally in MONITORING state.
   Certificates (excluding the CA cert) are re-issued correctly when expired.
2. ALL Certs are VALID and in MONITORING State after certmonger renews them.
3. For this test the system date is to be moved within 30 days of expiration to test that certmonger would renew things.
   Seeing ca-error: Server at "http://server.fedora41.test:8080/ca/ee/ca/profileSubmit" replied: access denied ("java.io.FilePermission" "/var/lib/pki/pki-tomcat/logs/ca" "read") which is known issue for pki.
   Current Date: Wed Jul 10 07:13:59 PM IST 2024
   Certs Expire: 2026-06-30 12:02:08 IST
   Modified Date: date -s 'Wed Jun 07 06:54:58 PM IST 2026'
   Restart ipactl.