Scott Stevson via FreeIPA-users wrote:
> Hey Rob,
> You may recall earlier when I said that we wound up pulling an expired cert 
> on one of our staging IPA replicas after updating the xmlrpc_server variable 
> to point to a different host.  It's not clear to us how best to fix that cert 
> (although I suppose we could roll back time on the box), so we're wondering 
> if we can update the certificate using openssl and then adding the entry 
> using something like this:
> certutil -A -d /etc/httpd/alias -n 'ipaCert' -t u,u,u -a -i /root/renew/new_ipaCert.crt
> Thoughts? We don't need to go this route but we're gaming out 
> recovery/alternate solutions in the event our efforts to fix prod fail.
> I'm on IRC now if responses there would be faster or easier for you.

I was with you until you mentioned openssl. The current cert should
already exist on the current IPA CA renewal master. You can export the
cert from there with:

certutil -L -d /etc/httpd/alias -n ipaCert -a > /path/to/somewhere

Then use the certutil command you mentioned to import it.

Once imported, restart httpd. I'd then confirm that the master can talk to
the CA by running:

ipa cert-show 1

The actual contents of the cert don't matter but this will show that
end-to-end connectivity is there and that the master has the right RA cert.
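
The export, import, restart and `ipa cert-show 1` check described in the reply above, collected into one script. This is an added example, not code from the thread or from the FreeIPA project. It assumes things the thread does not state: that the replica can ssh to the renewal master as root, that the NSS database is the `/etc/httpd/alias` path used in the thread, and that the `admin` principal is used to obtain the Kerberos ticket `ipa cert-show` needs. It also adds one check the reply does not spell out: after the import it re-exports the `ipaCert` nickname and compares the base64 body with the master's copy, so a mis-pasted or partial file is caught before httpd is restarted.

```shell
#!/bin/sh
# Added example (not from the original thread): re-seed an expired/removed
# ipaCert on a replica from the CA renewal master, then verify it.
# Assumptions (not stated in the thread): root ssh access to the renewal
# master, NSS database at /etc/httpd/alias, and `admin` as the principal
# used for `ipa cert-show`.
set -eu

NSSDB=/etc/httpd/alias
NICK=ipaCert

# Reduce a PEM certificate to its bare base64 body so two copies with
# different line wrapping or trailing whitespace still compare equal.
pem_body() {
    sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
        | grep -v -e '-----' | tr -d ' \t\r\n'
}

# Exit 0 if two PEM files carry the same certificate, 1 otherwise
# (an empty or non-PEM file never matches anything).
same_cert() {
    a=$(pem_body "$1")
    b=$(pem_body "$2")
    if [ -n "$a" ] && [ "$a" = "$b" ]; then return 0; else return 1; fi
}

# Step 1 (run on the replica): pull the current ipaCert from the renewal master.
export_from_master() {
    master=$1; out=$2
    ssh "root@$master" "certutil -L -d $NSSDB -n $NICK -a" > "$out"
}

# Step 2: import it into the replica's httpd NSS database, as in the thread.
import_cert() {
    certutil -A -d "$NSSDB" -n "$NICK" -t u,u,u -a -i "$1"
}

# Step 3: re-export the nickname and confirm it is byte-for-byte the master's
# cert, then print its validity window so an expired copy is noticed now.
verify_import() {
    certutil -L -d "$NSSDB" -n "$NICK" -a > "$1.reexported"
    same_cert "$1" "$1.reexported" || {
        echo "imported $NICK differs from the renewal master's copy" >&2
        return 1
    }
    certutil -L -d "$NSSDB" -n "$NICK" | sed -n '/Validity/,/Not After/p'
}

# Step 4: restart httpd and prove the RA cert works end to end.
check_ca() {
    klist -s || kinit admin          # ipa commands need a Kerberos ticket
    systemctl restart httpd
    ipa cert-show 1 > /dev/null && echo "RA cert OK: this master can reach the CA"
}

repair_ipacert() {
    tmp=$(mktemp)
    export_from_master "$1" "$tmp"
    import_cert "$tmp"
    verify_import "$tmp"
    check_ca
}

# Only act when explicitly asked, e.g.:
#   RUN_REPAIR=1 sh repair_ipacert.sh ca-master.example.com
if [ "${RUN_REPAIR:-0}" = 1 ]; then
    repair_ipacert "$1"
fi
```

The comparison is deliberately done on the re-exported copy rather than on the input file: it proves that what certutil actually stored under the `ipaCert` nickname is the master's certificate, and it also flags the case where a second certificate is still sitting under the same nickname (the re-export would then contain more than one PEM block and fail to match).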

FreeIPA-users mailing list --