I have an update that'll close out this thread.
We discovered that the code in the pki-ca was looking for a CN of the IPA RA's
serial number in ou=certificateRepository,ou=ca,o=ipaca. This didn't exist and
we realized it might be part of the problem. It turns out that it was, which
helps explain the NPE we saw in the original error.
We ultimately had to create a local ldif for the current IPA RA certificate in
production, add the new cn entry to "ou=certificateRepository,ou=ca,o=ipaca",
and attempt a resubmit operation. We had a little trouble deciphering some of
the metaInfo, specifically the "requestId", as ou=ca,ou=requests,o=ipaca was
also missing a request entry for our IPA RA certificate. After testing in
staging, we felt comfortable pushing to production pointing at the previous
certificate's ou=ca,ou=requests,o=ipaca entry. The resubmit worked late last
Thanks for your help.
FreeIPA-users mailing list -- email@example.com