Nacho Marti via FreeIPA-users wrote:
> Hi!
>
> The logs from /var/log/pki/pki-tomcat/ca/debug just say that it cannot
> connect to the LDAP. Also I found this: cert not found:auditSigningCert cert-pki-ca
>
> [10/Dec/2024:12:43:27][localhost-startStop-1]: CMSEngine: Exception:org.mozilla.jss.crypto.ObjectNotFoundException: Certificate not found: auditSigningCert cert-pki-ca
>
> Internal Database Error encountered: Could not connect to LDAP server host test.test.private port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
>
> Thanks in advance!
>
> Best regards
>
> I think the certificates are also expired. Do you know how to get them renewed?
You think they are or they are? As Flo said, use getcert to find out.

# getcert list | grep expires

For renewing them if they are expired see
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#renewing-expired-system-certificate-when-idm-is-offline

This should only be run on the server configured as the renewal master. You can find out by searching for it:

$ ldapsearch -LLL -x -D 'cn=Directory Manager' -W -b cn=masters,cn=ipa,cn=etc,dc=example,dc=test "ipaConfigString=caRenewalMaster" dn

You'll get a response like:

dn: cn=CA,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test

The second CN value in the DN is the renewal master.

rob

-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
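The two checks in rob's reply (which tracked certificates are already expired, and which server is the renewal master) lend themselves to a small script. The following is an added example, not code from the thread, from FreeIPA or from certmonger. It assumes the `getcert list` record layout (`Request ID '...':`, an indented `certificate:` line carrying `nickname='...'` or `location='...'`, and `expires: YYYY-MM-DD HH:MM:SS UTC`); the `getcert` output embedded below is constructed for the demonstration, and the DN is the one from the reply.

```shell
#!/bin/sh
# Added example: find expired certmonger-tracked certificates and read the
# CA renewal master out of the ldapsearch DN. Not part of the original thread.

# Constructed sample of `getcert list` output (two tracked certificates).
# Real output uses tabs for indentation; the parser accepts tabs or spaces.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20200101000000':
        status: CA_UNREACHABLE
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2024-11-30 12:00:00 UTC
Request ID '20200101000001':
        status: MONITORING
        stuck: no
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        expires: 2026-05-01 09:30:00 UTC
EOF
)

# expired_certs "YYYY-MM-DD HH:MM:SS" < getcert-list-output
# Prints "<request id>\t<nickname or file>\t<expires>" for every tracked
# certificate whose expiry is earlier than the given UTC timestamp.
# The zero-padded timestamp format sorts lexicographically, so a plain
# string comparison is enough and no GNU-only `date -d` is needed.
expired_certs() {
    awk -v now="$1" -v q="'" '
        $1 == "Request" && $2 == "ID" {
            id = $3; gsub(/[^0-9]/, "", id); name = ""
        }
        $1 == "certificate:" {
            # Prefer the NSS nickname; fall back to the file location.
            if (match($0, "nickname=" q "[^" q "]*" q)) {
                name = substr($0, RSTART + 10, RLENGTH - 11)
            } else if (match($0, "location=" q "[^" q "]*" q)) {
                name = substr($0, RSTART + 10, RLENGTH - 11)
            }
        }
        $1 == "expires:" {
            when = $2 " " $3
            if (when < now) printf "%s\t%s\t%s\n", id, name, when
        }
    '
}

# Convenience wrapper for a live host: compare against the current UTC time.
expired_now() {
    getcert list | expired_certs "$(date -u +'%Y-%m-%d %H:%M:%S')"
}

# renewal_master_from_dn DN
# Given the DN returned by the ldapsearch for ipaConfigString=caRenewalMaster,
# print the second cn value, which is the renewal master's hostname.
renewal_master_from_dn() {
    printf '%s\n' "$1" \
        | sed 's/^dn: *//' \
        | awk -F, '{ sub(/^[cC][nN]=/, "", $2); print $2 }'
}

# Stand-alone demonstration against the constructed sample, using the
# timestamp of the debug-log line quoted in the question as "now".
printf '%s\n' "$SAMPLE_GETCERT" | expired_certs "2024-12-10 12:43:27"
renewal_master_from_dn "dn: cn=CA,cn=ipa.example.test,cn=masters,cn=ipa,cn=etc,dc=example,dc=test"
```

On a real server, `expired_now` replaces the sample with live `getcert list` output; a certificate listed there with a status such as CA_UNREACHABLE and an expiry in the past is exactly the case the linked offline-renewal procedure covers, and the hostname printed by `renewal_master_from_dn` is the only server on which that procedure should be run.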