Hello everyone,

I'm running FreeIPA 4.4 (as shipped with current CentOS 7).  I had a series of 
unfortunate events which resulted in the entire cluster being offline for a 
matter of a couple weeks during which the certificate in /etc/httpd/alias 
expired.  I rolled back the clocks on all of the servers in the cluster and 
started them successfully, however, the certificates in /etc/httpd/alias did 
not get renewed.  Is there a process that automatically handles this or was I 
supposed to be maintaining that?

Additionally, based on:

https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

...I ran "ipa-cacert-manage renew" on my CA in a hope that that would trigger 
renewals across the board, but now it appears that only the CA was updated as 
none of the server certificates were re-issued and are now all untrusted (I 
can't do "kinit admin" any longer as my realm is now down).  Is there any 
chance of rolling that back or issuing new certs to get things going again?

If I have to start over, that is certainly an option.  I'm just trying to get a 
better understanding of what I should have been doing to avoid this situation 
in the first place.

Thanks,

j
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org