The certificate that I tried to install was a self-signed certificate.

Here are the contents of the file: /var/log/ipaserver-install.log

2013-10-21 11:42:44,031 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
2013-10-21 11:42:44,032 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2013-10-21 11:42:44,032 DEBUG httpd is configured
2013-10-21 11:42:44,032 DEBUG ipa_kpasswd is configured
2013-10-21 11:42:44,032 DEBUG dirsrv is configured
2013-10-21 11:42:44,033 DEBUG pki-cad is configured
2013-10-21 11:42:44,033 DEBUG pkids is configured
2013-10-21 11:42:44,033 DEBUG install is configured
2013-10-21 11:42:44,033 DEBUG krb5kdc is configured
2013-10-21 11:42:44,033 DEBUG ntpd is not configured
2013-10-21 11:42:44,033 DEBUG named is not configured
2013-10-21 11:42:44,033 DEBUG filestore has files

The (good) backup server here are the contents of the certificate:

[root@xxxxx ~]# ipa-getcert list
Number of certificates and requests being tracked: 2.
Request ID '20111020180721':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xxx ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-xxx//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xx',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=xxxxxx.xxx
        subject: CN=xxxxxxx.xxxxxx.xxx,O=xxxxxxx.xx
        expires: 2015-09-23 17:46:26 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        command:
        track: yes
        auto-renew: yes
Request ID '20111020180816':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=xxxxxx.xxx
        subject: CN=xxxxxx.xxxx.xxx,O=xxxxxxx.xxx
        expires: 2015-09-23 17:46:26 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        command:
        track: yes
        auto-renew: yes

regards
Roger

-----Original Message-----
From: Rob Crittenden [mailto:rcrit...@redhat.com]
Sent: Wednesday, October 30, 2013 3:29 PM
To: Vaede, Roger (Contractor); 'freeipa-devel@redhat.com'
Subject: Re: [Freeipa-devel] certificate renewal

Vaede, Roger (Contractor) wrote:
> I did try to replace the certificate with a self-signed one at one point but
> then I was getting an error saying the certificate wasn't valid.

Ok, I need to get a better handle on how this was originally installed in order to guide you.

Can you look to see if /var/log/ipaserver-install.log still exists? It should have the original arguments passed. What I need to know is if this was installed using a dogtag CA or if it was installed as a selfsign server.

rob

>
> Regards
> Roger
>
> -----Original Message-----
> From: Vaede, Roger (Contractor)
> Sent: Wednesday, October 30, 2013 2:37 PM
> To: 'Rob Crittenden'; 'freeipa-devel@redhat.com'
> Subject: RE: [Freeipa-devel] certificate renewal
>
> I never installed freeipa, the person that installed it left the company.
> I removed the request ID at one point by using the stop-tracking command then
> I used this command to reinstate them:
> ipa-getcert start-tracking -d /var/lib/pki-ca/alias -n ServerCert -r
>
> Initially they expired around October 25th.
>
> Regards
> Roger
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcrit...@redhat.com]
> Sent: Wednesday, October 30, 2013 2:30 PM
> To: Vaede, Roger (Contractor); 'freeipa-devel@redhat.com'
> Subject: Re: [Freeipa-devel] certificate renewal
>
> Vaede, Roger (Contractor) wrote:
>> I have two IPA servers, one primary and one is backup. (Redhat 5)
>
> What version of ipa-server is this?
>
>> The primary server's certificate has expired.
>>
>> I am not able to renew it.
>>
>> I turned off the ssl on the clients and now the users can login.
>>
>> I did a lot of research on certificate renewal and I am lost at this point.
>>
>> I am able to make changes using the backup IPA server.
>
> This getcert output is quite strange. Did you start these tracking yourself?
>
> Did you replace the IPA CA certificate at some point?
>
> rob
>
>

_______________________________________________
Freeipa-devel mailing list
Freeipa-devel@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-devel