Hey Rob, I have an update that'll close out this thread.
We discovered that the code in the pki-ca was looking for a CN of the IPA RA's serial number in ou=certificateRepository,ou=ca,o=ipaca. This didn't exist and we realized it might be part of the problem. It turns out that it was which helps explain the NPE we saw in the original error. We ultimately had to create a local ldif for the current IPA RA certificate in production, add the new cn entry to "ou=certificateRepository,ou=ca,o=ipaca", and attempt a resubmit operation. We had a little trouble deciphering some of the metaInfo, specifically the "requestId" as ou=ca,ou=requests,o=ipaca was also missing a request entry for our IPA RA certificate. After testing in staging, we felt comfortable pushing to production pointing at the previous certificates ou=ca,ou=requests,o=ipaca entry. The resubmit worked late last week. Thanks for your help. Scott _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org