Tobi Berninger via FreeIPA-users wrote:
> Hello,
>
> I upgraded my CentOS 7.5 ipaserver to a new version and ran into a
> few problems.
>
> It seems like 'subsystemCert cert-pki-ca' expired nearly a month ago
> (Jul 22) and I am not sure how to renew it.
> When I run ipa-server-upgrade manually, I run into an error with the CA
> certificates, and in the log I found this line:
> Internal Database Error encountered: Could not connect to LDAP server
> host ipababy.int.asta-frankfurt.de port 636 Error
> netscape.ldap.LDAPException: Unable to create socket:
> org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
> (-8181) Peer's Certificate has expired. (-1)
>
> When I run ipactl start, tomcatd and httpd won't start.
>
> I already tried to turn back time, but I don't know how to manually start
> pki-tomcatd or any other way to renew the certificates.
> Or have I been looking in the wrong direction the whole time?

I'd run ipactl stop, roll back time, manually start dirsrv, httpd and pki-tomcat, then restart certmonger which should kick off renewals.

rob
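Added example, not part of the original thread and not FreeIPA's own code: a Python helper that reads `getcert list` output, picks out the expired entries, and emits the steps from the reply above with a clock target before the earliest expiry. The sample output, the one-day margin, the `rollback_plan` and `parse_tracked` names, and the `EXAMPLE-TEST` dirsrv instance name are assumptions.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout `getcert list` prints. Request IDs, the year,
# the times and the second entry are made up; the first nickname is from the thread.
SAMPLE = """\
Request ID '20160822101500':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2018-07-22 10:15:00 UTC
Request ID '20160822101530':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2019-03-01 09:00:00 UTC
"""

def parse_tracked(text):
    """Return (request_id, nickname or file path, expiry in UTC) per tracked cert."""
    certs = []
    for block in re.findall(r"(?ms)^Request ID '.*?(?=^Request ID '|\Z)", text):
        rid = re.match(r"Request ID '([^']+)'", block).group(1)
        exp = re.search(r"(?m)^\s*expires: (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) UTC", block)
        if not exp:
            continue  # request that has no issued certificate yet
        line = re.search(r"(?m)^\s*certificate: (.*)$", block)
        spec = line.group(1) if line else ""
        m = re.search(r"nickname='([^']+)'", spec) or re.search(r"location='([^']+)'", spec)
        when = datetime.strptime(exp.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        certs.append((rid, m.group(1) if m else "?", when))
    return certs

def rollback_plan(text, now, instance, margin=timedelta(days=1)):
    """Expired certs, plus the reply's steps with a clock target before the earliest expiry."""
    expired = [c for c in parse_tracked(text) if c[2] <= now]
    if not expired:
        return [], []
    target = min(c[2] for c in expired) - margin  # margin is an assumed safety gap
    steps = [
        "ipactl stop",
        "date -u -s '%s'" % target.strftime("%Y-%m-%d %H:%M:%S"),
        "systemctl start dirsrv@%s" % instance,
        "systemctl start httpd",
        "systemctl start pki-tomcatd@pki-tomcat",
        "systemctl restart certmonger",
    ]
    return expired, steps

if __name__ == "__main__":
    now = datetime(2018, 8, 20, tzinfo=timezone.utc)  # constructed "today"
    print(*rollback_plan(SAMPLE, now, "EXAMPLE-TEST")[1], sep="\n")
```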