Scott Stevson via FreeIPA-users wrote:
> Hi all,
> We run IPA 3.0.0 and have a cert on the CA master expiring in about 10 days. 
> The problem is that we mistakenly provisioned the last cert using an old 
> hostname which means that automatically renewing the cert fails, and the IPA 
> cert checks we run fails with...
> ca-error: Server at "http://correct.hostname:9180/ca/ee/ca/profileSubmit"; 
> replied: 1: Server Internal Error.  
> I also get a java NPE error when curling that endpoint.
> Is it possible to zero out the existing cert and resubmit it with the correct 
> hostname?  This is a production environment supporting several thousand hosts 
> which means I want to test whatever solution I come up with.  We have a few 
> staging environments but they're all configured correctly, so I'm wondering 
> if we can intentionally put one into a similar bad state and revert it.
> Happy to provide clarifying information if I'm not making sense here.

Yeah, more details are needed. What cert is provisioned with an old
hostname and how did someone manage to do that?

What does the CA debug log say when it is failing?

FreeIPA-users mailing list --
To unsubscribe send an email to

Reply via email to