Hello,

I'm getting desperate, I'm still unable to fix my expired certificates on
my freeIPA master.

Summary:

   - I discovered that my web ui SSL certificate had expired.
   - the certificate lives in /etc/httpd/alias, is named Server-Cert
   - for some reason, it is not tracked by ipa-getcert list
   - from the web-ui, Authentication --> certificates fail:
      - IPA Error 4301: CertificateOperationError
      - Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
   - I tried to set the system time back in time -> was unable to get kinit credentials (revoked)
   - I tried to set certmonger to track the expired certificate:
      - ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt
      - status from ipa-getcert list:
         - ca-error: Unable to determine principal name for signing request.
      - I followed some instructions to manually renew the certificates.
   - at one point I need ipa cert-request to sign the request.
      - but the ipa cert commands do not work, e.g.
      - ipa cert-find
      ipa: ERROR: cert validation failed for "CN=ipa.quartzbio.com,O=
      QUARTZBIO.COM" ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate
      has expired.)
      ipa: ERROR: Certificate operation cannot be completed: Unable to
      communicate with CMS (Not Found)

What could/should I do !?!?

Is it possible to manually renew the certificate using only certutil?


Thanks for any help.

Karl

P.S

this runs in a freeipa-server docker container.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
