Jan Bundesmann via FreeIPA-users wrote:
> Hi, thanks for your answer,
>
> That seems in line with not being able to communicate with the CA:
> ```
> [root@ldap2 requests]# ipa cert-show 1
> ipa: ERROR: cannot connect to
> 'https://ldap1:443/ca/agent/ca/displayBySerial':
> (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
> ```
You want to do this on ldap1 to ensure that the CA works. This does confirm that the RA cert is expired.

> Unfortunately, I will have no access to the system before next Monday to
> obtain the `getcert list`. The status of the request is 'CA_WORKING' - that
> much I can tell.
>
> I could not see any other response in the logs (journalctl or
> /var/log/messages), and the CSR does not seem to arrive at ldap1. But I
> understand that I could manually bring the CSR to ldap1, sign it there, bring
> it back... There are, however, a lot of points I'm unsure about.

The tracking state is what I was looking for. CA_WORKING means that it is waiting for an updated certificate to become available.

Is replication working between the two systems? Look on both LDAP servers in cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=test. There should be an entry for the RA agent there (along with the other renewed CA certificates).

If the entry exists on ldap2 then getcert resubmit -d /etc/httpd/alias -n ipaCert should force it to try to pick it up.

rob
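The `getcert list` output Jan mentions can be checked mechanically for the state Rob describes. The following is an added Python example, not code from the thread or from FreeIPA/certmonger: it parses constructed sample output (request IDs, dates and the EXAMPLE.TEST realm are made up) and flags tracked requests that are stuck in CA_WORKING or already past their expiry date.

```python
import re
from datetime import datetime

# Constructed sample of `getcert list` output for two tracked certs on ldap2
# (not captured from the poster's system; request IDs and dates are made up).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20190307135123':
\tstatus: CA_WORKING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2020-02-24 13:51:24 UTC
Request ID '20190307135124':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ldap2.example.test,O=EXAMPLE.TEST
\texpires: 2022-03-07 13:51:24 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t") and ": " in line:
            key, value = line.strip().split(": ", 1)
            current[key] = value
    return requests

def nickname(req):
    """NSS nickname from the 'certificate:' field, e.g. ipaCert for the RA cert."""
    m = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
    return m.group(1) if m else None

def parse_ts(value):
    # getcert prints timestamps as 'YYYY-MM-DD HH:MM:SS UTC'
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z")

def renewal_problems(text, now):
    """Flag requests waiting on the CA (CA_WORKING) or past 'expires'; `now` uses getcert's format."""
    problems = []
    for req in parse_getcert_list(text):
        reasons = []
        if req.get("status") == "CA_WORKING":
            reasons.append("waiting for renewed cert from CA")
        if parse_ts(req["expires"]) <= parse_ts(now):
            reasons.append("expired")
        if reasons:
            problems.append((nickname(req), req["status"], reasons))
    return problems
```

A request reported as both CA_WORKING and expired matches the situation in this thread: certmonger has submitted the renewal but the cn=ca_renewal entry it is polling for has not arrived on that replica.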