On Thu, Jul 13, 2017 at 10:55:39AM +0200, Karl Forner wrote:
> Hi,
> 
> 
> > To recover from this situation you should reinstall the old CA
> > certificate via ipa-cacert-manage.  If you can't find a copy of that
> > lying around you should (for a self-signed IPA CA) be able to
> > retrieve it from LDAP under ou=certificateRepository,ou=ca,o=ipaca.
> > (Probably cn=1,ou=certificateRepository,ou=ca,o=ipaca but you should
> > check the subject and validity before installing it to make sure the
> > particulars are correct).  The attribute you want is
> > 'userCertificate;binary'.
> >
> 
> 
> Actually after ipa-cacert-manage, I used a backup to roll back the changes,
> so I do think that my CA has not been actually changed.
> I was just surprised not to be able to restart the httpd service, but it
> was due to the expired SSL certificate.
> 
Thanks; I missed the detail about the rollback.

> Thanks a lot.
> Karl
> 
> 
> 
> 
> > HTH,
> > Fraser
> >
> > > From your description it sounded like you just wanted the CA to issue a new
> > > certificate for your IPA UI, this you can do via the interface.
> > >
> > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request-ui
> > >
> > >
> > >
> > > On Wed, Jul 12, 2017 at 10:22 AM None via FreeIPA-users <
> > > freeipa-users@lists.fedorahosted.org> wrote:
> > >
> > > > The problem is that the SSL certificate was not renewed by the
> > > > "ipa-cacert-manage renew" command.
> > > > So the http server refuses to start.
> > > > Hence my question: what is the correct way to renew the SSL certificate?
> > > >
> > > > Thanks.
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > > > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> > > >
> > > --
> > > Callum Guy
> > > Head of Information Security
> > > X-on
> > >
> >
> >
> >
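
The check Fraser describes above (inspect the certificate stored in 'userCertificate;binary' before installing it), as an added example that is not part of the original thread or of FreeIPA. It assumes the LDAP entry has been exported as LDIF text; the function names are hypothetical, and it only reads issuer, subject and validity without verifying the signature.

```python
import base64, re
from datetime import datetime, timezone

ATTR = "userCertificate;binary"  # attribute named in the thread

def cert_from_ldif(ldif):
    """Return the DER bytes of the first userCertificate;binary value in LDIF text."""
    unfolded = re.sub(r"\r?\n ", "", ldif)  # LDIF continuation lines start with one space
    for line in unfolded.splitlines():
        if line.lower().startswith(ATTR.lower() + "::"):  # '::' marks a base64 value
            return base64.b64decode(line.split("::", 1)[1].strip())
    raise ValueError("no %s value in LDIF" % ATTR)

def _tlv(buf, off):
    """Read one DER element at off; return (tag, value, next_offset)."""
    tag, length, off = buf[off], buf[off + 1], off + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, off = int.from_bytes(buf[off:off + n], "big"), off + n
    if off + length > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[off:off + length], off + length

def _time(tag, val):
    """Decode UTCTime (tag 0x17) or GeneralizedTime (0x18), both in 'Z' form."""
    s = val.decode("ascii")
    if tag == 0x17:  # two-digit year: 50-99 means 19xx, 00-49 means 20xx
        s = ("19" if s[:2] >= "50" else "20") + s
    return datetime.strptime(s, "%Y%m%d%H%M%SZ").replace(tzinfo=timezone.utc)

def inspect_ca(der, now=None):
    """Return (self_issued, not_before, not_after, valid_now) for a DER certificate."""
    now = now or datetime.now(timezone.utc)
    _, cert, _ = _tlv(der, 0)   # Certificate ::= SEQUENCE
    _, tbs, _ = _tlv(cert, 0)   # tbsCertificate
    fields, off = [], 0
    while off < len(tbs) and len(fields) < 5:
        tag, val, off = _tlv(tbs, off)
        if tag != 0xA0:         # skip the optional [0] version field
            fields.append(val)
    _serial, _sigalg, issuer, validity, subject = fields
    t1, v1, nxt = _tlv(validity, 0)
    t2, v2, _ = _tlv(validity, nxt)
    not_before, not_after = _time(t1, v1), _time(t2, v2)
    # issuer == subject is what a self-signed root shows; the signature is not verified here
    return issuer == subject, not_before, not_after, not_before <= now <= not_after
```

A certificate whose issuer and subject differ, or whose validity window does not cover the current date, is not the old self-signed CA certificate the advice refers to.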