I posted this in the earlier thread, but didn't get a response. I was able to fix this on the master, but "getcert list -d /etc/httpd/alias -n "Server-Cert" on the replica doesn't return anything. Are the replica's SSL certs handled differently ?
On Tue, May 23, 2017 at 3:08 PM, Alexander Bokovoy via FreeIPA-users < firstname.lastname@example.org> wrote: > On ti, 23 touko 2017, Jake via FreeIPA-users wrote: > >> Worked! Thanks! >> >> I Suppose there isn't a way to get the output of getcert as >> JSON/object? I would prefer to do this with ansible =) >> > Not directly. You may want to explore D-Bus interface provided by > certmonger. > > >> Also, "sudo systemctl restart httpd" post renewal (looks like the hooks >> aren't configured for the cert renewal to restart dependent services.) >> > For httpd certs configured by IPA install, there is a script that > restarts httpd, as can be seen in 'post-save command' below: > > Request ID '20170215074615': > status: MONITORING > stuck: no > key pair storage: type=NSSDB,location='/etc/http > d/alias',nickname='Server-Cert',token='NSS Certificate > DB',pinfile='/etc/httpd/alias/pwdfile.txt' > certificate: type=NSSDB,location='/etc/http > d/alias',nickname='Server-Cert',token='NSS Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=EXAMPLE.COM > subject: CN=ipa.example.com,O=EXAMPLE.COM > expires: 2019-01-29 18:11:46 UTC > dns: ipa.example.com > key usage: digitalSignature,nonRepudiatio > n,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: post-save command: > /usr/libexec/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > > > -- > / Alexander Bokovoy > _______________________________________________ > FreeIPA-users mailing list -- email@example.com > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org >
_______________________________________________ FreeIPA-users mailing list -- firstname.lastname@example.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org