I've finally had a chance to make this attempt and after running the clean up:

# python /usr/share/pki/scripts/restore-subsystem-user.py -v
Subsystem certificate: 2;4;CN=Certificate Authority,O=DOMAIN.TLD;CN=CA 
User CA-ipa4.domain.tld-9443 has subsystem certificate
User already in Subsystem Group
User has the correct certificate mapping
Subsystem user CA-ipa4.domain.tld-9443 is OK

It was strange that it listed ipa4, since that is not one of our current CAs, 
just a normal replica.  I'm guessing that it was likely a CA at one point but 
was converted.  Perhaps incorrectly?

# ipa-replica-prepare ipa5.domain.tld
Directory Manager (existing master) password:

Preparing replica for ipa5.domain.tld from ipa1.domain.tld
Creating SSL certificate for the Directory Server
ipa         : ERROR    cert validation failed for 
Certificate has expired.)
preparation of replica failed: cannot connect to 
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
cannot connect to 
(SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
  File "/usr/sbin/ipa-replica-prepare", line 529, in <module>

  File "/usr/sbin/ipa-replica-prepare", line 400, in main
    export_certdb(api.env.realm, ds_dir, dir, passwd_fname, "dscert", replica_fqdn, subject_base)

  File "/usr/sbin/ipa-replica-prepare", line 151, in export_certdb

I know the cert wasn't expired prior to running these two commands.  When I 
look at ipa-getcert list, all the expiry dates for requests in MONITORING status 
show 2019, unless I'm looking in the wrong area.
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org