Hi,

On Fri, Dec 20, 2024 at 11:40 AM Dmitry Krasov via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> "ipa-cert-fix" doesn't work.
> So I checked the expiry date and changed the date to about 1 month before.
>
First, make sure that the machine where you are running the commands is the
CA renewal master:
# ipa config-show | grep renew
  IPA CA renewal master: server.ipa.test

The command ipa config-mod --ca-renewal-master-server=STR can be used to
set the machine as renewal master.

You need to carefully pick a date where all the certs are valid.
For the certificates in an NSS database, you can find the dates using
# certutil -L -d /path/to/NSSdatabase -n certnickname | grep -E 'Not Before|Not After'

For instance:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca' | grep -E 'Not Before|Not After'
            Not Before: Thu Dec 14 15:55:20 2023
            Not After : Wed Dec 03 15:55:20 2025

Then you need to find a date that fits before/after for all the
certificates. Move back to that date, restart the services (don't restart
ntpd or chronyd as it would bring you back to the current date), and call
getcert resubmit for one certificate at a time. If there are any errors,
they will be displayed in the journal.


HTH,
flo

> But it only updated the last 2 certs.
> How can I fix the others?
> What's wrong with this CA? Maybe I should change it to another one somehow?
> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
>
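The date-picking step described above, as an added example that is not part of the original thread: a small Python script that intersects the Not Before / Not After values from `certutil -L` output for several certificates and suggests a rollback date inside the common window. The nicknames and dates are constructed sample output, and the 30-day margin is an assumption of this example.

```python
"""Compute the common validity window of several certificates from
certutil -L output, so one clock rollback date can be picked that
satisfies every Not Before / Not After pair at the same time."""
import re
from datetime import datetime, timedelta

# Constructed sample: the validity lines of `certutil -L -d <db> -n <nick>`
# for three certificates (not real output from the poster's system).
SAMPLE = {
    "ocspSigningCert cert-pki-ca": """\
            Not Before: Thu Dec 14 15:55:20 2023
            Not After : Wed Dec 03 15:55:20 2025
""",
    "subsystemCert cert-pki-ca": """\
            Not Before: Mon Jan 08 09:12:00 2024
            Not After : Sun Dec 28 09:12:00 2025
""",
    "auditSigningCert cert-pki-ca": """\
            Not Before: Thu Dec 14 15:55:20 2023
            Not After : Tue Nov 18 15:55:20 2025
""",
}

_FMT = "%a %b %d %H:%M:%S %Y"  # certutil's validity date format


def parse_validity(text):
    """Return (not_before, not_after) parsed from certutil -L output."""
    nb = re.search(r"Not Before:\s*(.+)", text).group(1).strip()
    na = re.search(r"Not After\s*:\s*(.+)", text).group(1).strip()
    return datetime.strptime(nb, _FMT), datetime.strptime(na, _FMT)


def common_window(outputs):
    """Intersect all validity periods: latest Not Before, earliest Not After.
    Returns None when no single date is valid for every certificate."""
    start = end = None
    for text in outputs.values():
        nb, na = parse_validity(text)
        start = nb if start is None or nb > start else start
        end = na if end is None or na < end else end
    return None if start >= end else (start, end)


def pick_date(outputs, margin=timedelta(days=30)):
    """Suggest a rollback date: `margin` before the earliest expiry, but
    never earlier than the latest Not Before. None if no window exists."""
    window = common_window(outputs)
    if window is None:
        return None
    start, end = window
    candidate = end - margin
    return candidate if candidate > start else start


if __name__ == "__main__":
    start, end = common_window(SAMPLE)
    print("common window:", start, "->", end)
    print("suggested rollback date:", pick_date(SAMPLE))
```

Replace the SAMPLE strings with the real `certutil -L` output of every certificate you intend to resubmit; a None result means one certificate was issued after another had already expired, so no single rollback date can cover them all.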
