Hello, I'm getting desperate, I'm still unable to fix my expired certificates on my freeIPA master.

Summary:
- I discovered that my web ui SSL certificate had expired.
- the certificate lives in /etc/httpd/alias, is named Server-Cert
- for some reason, it is not tracked by ipa-getcert list
- from the web-ui, Authentication --> certificates fail:
  - IPA Error 4301: CertificateOperationError
  - Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
- I tried to set the system time back in time -> was unable to get kinit credentials (revoked)
- I tried to set certmonger to track the expired certificate:
  - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt
  - status from ipa-getcert list:
    - ca-error: Unable to determine principal name for signing request.
- I followed some instructions to manually renew the certificates.
- at one point I need ipa cert-request to sign the request.
- but the ipa cert commands do not work, e.g.
  - ipa cert-find
    ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O= QUARTZBIO.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
    ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)

What could/should I do !?!?
Is it possible to manually renew the certificate using only certutil ?

Thanks for any help.
Karl

P.S. this runs in a freeipa-server docker container.