Scott Stevson via FreeIPA-users wrote:
> Hey Rob,
>
> You may recall earlier when I said that we wound up pulling an expired cert
> on one of our staging IPA replicas after updating the xmlrpc_server variable
> to point to a different host. It's not clear to us how best to fix that cert
> (although I suppose we could roll back time on the box), so we're wondering
> if we can update the certificate using openssl and then adding the entry
> using something like this:
>
> certutil -A -d /etc/httpd/alias -n 'ipaCert' -t u,u,u -a -i /root/renew/new_ipaCert.crt
>
> Thoughts? We don't need to go this route but we're gaming out
> recovery/alternate solutions in the event our efforts to fix prod fail.
>
> I'm on IRC now if responses there would be faster or easier for you.
I was with you until you mentioned openssl. The current cert should already exist on the current IPA CA renewal master. You can export the cert from there with:

certutil -L -d /etc/httpd/alias -n ipaCert -a > /path/to/somewhere

Then use the certutil command you mentioned to import it. Once imported restart httpd and I'd confirm that the master can talk to the CA by running:

ipa cert-show 1

The actual contents of the cert don't matter but this will show that end-to-end connectivity is there and that the master has the right RA cert.

rob
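The export/import/verify sequence Rob describes, written up as an added shell script (example code, not from the thread, the FreeIPA project, or Rob). It assumes the NSS database path /etc/httpd/alias and the nickname ipaCert from the thread, that it is run as root on the respective hosts, and adds two safeguards the thread does not mention: a sanity check that the exported file is exactly one PEM certificate before it is imported, and a tarball backup of the replica's NSS database before the database is touched. The DRY_RUN variable and the run/export_ra_cert/import_ra_cert/verify_replica function names are this example's own; with DRY_RUN=1 the commands are printed instead of executed so the steps can be reviewed first.

```shell
#!/bin/sh
# Added example: move the current RA agent cert (nickname ipaCert) from the
# IPA CA renewal master's NSS database to a replica whose copy has expired.
# Assumed values: NSSDB and NICK below; DRY_RUN=1 prints commands instead
# of running them. Run export_ra_cert on the renewal master, copy the file
# to the replica, then run import_ra_cert and verify_replica there.
set -eu

NSSDB="${NSSDB:-/etc/httpd/alias}"   # path from the thread
NICK="${NICK:-ipaCert}"              # RA cert nickname from the thread

# Execute a command, or just print it when DRY_RUN=1.
run() {
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf '%s\n' "$*"
  else
    "$@"
  fi
}

# Guard: the file we are about to import must hold exactly one PEM cert.
# A concatenated chain or an empty/garbled file is refused.
pem_is_single_cert() {
  f="$1"
  [ -f "$f" ] || return 1
  b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" || true)
  e=$(grep -c '^-----END CERTIFICATE-----$' "$f" || true)
  if [ "$b" -eq 1 ] && [ "$e" -eq 1 ]; then
    return 0
  fi
  return 1
}

# Step 1, on the renewal master: export the RA cert as PEM (Rob's command).
export_ra_cert() {
  out="$1"
  if [ "${DRY_RUN:-0}" = "1" ]; then
    printf 'certutil -L -d %s -n %s -a > %s\n' "$NSSDB" "$NICK" "$out"
  else
    certutil -L -d "$NSSDB" -n "$NICK" -a > "$out"
  fi
}

# Step 2, on the replica: back up the NSS db, then import the PEM with
# the certutil -A command from Scott's message.
import_ra_cert() {
  pem="$1"
  if ! pem_is_single_cert "$pem"; then
    echo "refusing to import: $pem is not a single PEM certificate" >&2
    return 1
  fi
  backup="/root/alias-backup-$(date +%Y%m%d%H%M%S).tgz"   # assumed location
  run tar -czf "$backup" -C "$(dirname "$NSSDB")" "$(basename "$NSSDB")"
  run certutil -A -d "$NSSDB" -n "$NICK" -t u,u,u -a -i "$pem"
  run systemctl restart httpd
}

# Step 3, on the replica: show what is now stored under the nickname
# (validity dates included) and confirm end-to-end connectivity to the CA
# with Rob's check. cert-show succeeding is the point; its contents are not.
verify_replica() {
  run certutil -L -d "$NSSDB" -n "$NICK"
  run ipa cert-show 1
}

# Dispatch on the first argument so the file can also be sourced for its
# functions without doing anything.
case "${1:-}" in
  export) export_ra_cert "$2" ;;
  import) import_ra_cert "$2" && verify_replica ;;
  *) ;;
esac
```

A dry run on the replica looks like `DRY_RUN=1 sh ra-cert.sh import /root/renew/ipaCert.pem`; once the printed commands are what you expect, run it again without DRY_RUN. The backup tarball is the rollback path if the replica ends up worse off after the import.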