On Wed, Jul 12, 2017 at 11:38 AM, Callum Guy <callum....@x-on.co.uk> wrote:

> Ummm if I understand "man ipa-cacert-manage" correctly the it sounds like
> you have renewed the CA certificate which presumably would invalidate all
> existing certificates it has authorised.

I guess you are right. It rather seems that the SSL certificate of the web
UI is not tracked by ipa:

# ipa-getcert list
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio....@quartzbio.com
    key usage:
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

but the actual certificate is in /etc/https/alias:
# certutil -L -d /etc/httpd/alias/ -n "Server-Cert"
        Version: 3 (0x2)
        Serial Number: 9 (0x9)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=QUARTZBIO.COM"
            Not Before: Thu Jul 09 09:42:56 2015
            Not After : Sun Jul 09 09:42:56 2017

> From your description it sounded like you just wanted the CA to issue a
> new certificate for your IPA UI, this you can do via the interface.
> https://access.redhat.com/documentation/en-US/Red_Hat_
> Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_
> Guide/certificates.html#certificate-request-ui
I'm not so sure: inspecting the host corresponding to my replica which is
working (SSL certificate still valid), shows:
Host Certificate
Certificate: No Valid Certificate

Moreover these certificates already exist, they just should be renewed.

Anyway I still tried ,but the submission of a newly generated certificate
failed with "error, expired certificate"

Thank you for your help.

> On Wed, Jul 12, 2017 at 10:22 AM None via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>> The problem is that the SSL certificate was not renewed by  the
>> "ipa-cacert-manage renew" command.
>> So the http server refuses to start.
>> Hence my question: what is the correct way to renew the SSL certificate ??
>> Thanks.
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-leave@lists.
>> fedorahosted.org
> --
> Callum Guy
> Head of Information Security
> X-on
> *0333 332 0000  |  www.x-on.co.uk <http://www.x-on.co.uk>  |   **
> <https://www.linkedin.com/company/x-on>   <https://www.facebook.com/XonTel>
>   <https://twitter.com/xonuk> *
> X-on is a trading name of Storacall Technology Ltd a limited company
> registered in England and Wales.
> Registered Office : Avaland House, 110 London Road, Apsley, Hemel
> Hempstead, Herts, HP3 9SD. Company Registration No. 2578478.
> The information in this e-mail is confidential and for use by the
> addressee(s) only. If you are not the intended recipient, please notify
> X-on immediately on +44(0)333 332 0000 <+44%20333%20332%200000> and
> delete the
> message from your computer. If you are not a named addressee you must not
> use, disclose, disseminate, distribute, copy, print or reply to this email. 
> Views
> or opinions expressed by an individual
> within this email may not necessarily reflect the views of X-on or its
> associated companies. Although X-on routinely screens for viruses,
> addressees should scan this email and any attachments
> for viruses. X-on makes no representation or warranty as to the absence of
> viruses in this email or any attachments.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org

Reply via email to