I posted this in the earlier thread, but didn't get a response. I was able
to fix this on the master, but 'getcert list -d /etc/httpd/alias -n
"Server-Cert"' on the replica doesn't return anything. Are the replica's SSL
certs handled differently?

On Tue, May 23, 2017 at 3:08 PM, Alexander Bokovoy via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> On Tue, 23 May 2017, Jake via FreeIPA-users wrote:
>
>> Worked! Thanks!
>>
>> I suppose there isn't a way to get the output of getcert as
>> JSON/object? I would prefer to do this with ansible =)
>>
> Not directly. You may want to explore the D-Bus interface provided by
> certmonger.
>
>
>> Also, "sudo systemctl restart httpd" post renewal (looks like the hooks
>> aren't configured for the cert renewal to restart dependent services.)
>>
> For httpd certs configured by IPA install, there is a script that
> restarts httpd, as can be seen in 'post-save command' below:
>
> Request ID '20170215074615':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
>         subject: CN=ipa.example.com,O=EXAMPLE.COM
>         expires: 2019-01-29 18:11:46 UTC
>         dns: ipa.example.com
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
>
> --
> / Alexander Bokovoy
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
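
Added example, not part of the original thread and not FreeIPA or certmonger code: a parser for the text that `getcert list` prints (the format quoted above), producing JSON-ready dicts for the Ansible use asked about, plus the two checks the thread turns on (is a given NSS database and nickname tracked at all, and does a tracked request have a post-save command). The sample input, the second request in it and all function names are constructed for illustration; it parses text output rather than using the D-Bus interface.

```python
import json
import re
# Constructed sample in `getcert list` text form. The first request mirrors the
# one quoted in the thread; the second is invented and has no post-save hook.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20170215074615':
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2019-01-29 18:11:46 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/restart_httpd
\ttrack: yes
Request ID 'constructed-0002':
\tcertificate: type=FILE,location='/tmp/constructed/example.crt'
\tpost-save command:
\ttrack: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
PAIR_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")  # key=value or key='quoted, value'

def parse_getcert_list(text):
    """Return one dict per tracking request; unindented non-request lines are skipped."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")  # first colon only: keeps timestamps whole
            value = value.strip()
            if key in ("key pair storage", "certificate"):
                value = {k: v.strip("'") for k, v in PAIR_RE.findall(value)}
            elif value in ("yes", "no"):
                value = value == "yes"
            current[key] = value
    return requests

def find(requests, location, nickname):
    """Select like `getcert list -d LOCATION -n NICKNAME`; [] means no request matches."""
    return [r for r in requests if r.get("certificate", {}).get("location") == location
            and r["certificate"].get("nickname") == nickname]

def missing_post_save(requests):
    """IDs of tracked requests that run nothing after the certificate is saved."""
    return [r["request_id"] for r in requests if r.get("track") and not r.get("post-save command")]
if __name__ == "__main__":
    print(json.dumps(parse_getcert_list(SAMPLE), indent=2))
```
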