[Freeipa-users] Re: ipa.service "fails" to start

Thu, 25 Oct 2018 08:47:55 -0700 

Hi Rob, thanks much.

Some of Flo's blogs about CA helps me to understand better now. Sure "ipa 
cacert-manage renew" and "ipa-certupdate" was run before, hopefully not 
harmful, "caSigningCert cert-pki-ca" was valid for 18 more years. 

You're right, there is mix of old and renewed ones, three requres renewal:
auditSigningCert, subsystemCert and ipaCert , all expired on 2018-08-14. 
Time I went back was 7 days earlier, 2018-08-07

Sorry, nothing to revert, please let me know what would you suggest now. The 
state of certs is:

status: MONITORING
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
subject: CN=CA Audit,O=DOMAIN.COM
expires: 2018-08-14 20:49:38 UTC

status: MONITORING
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
subject: CN=OCSP Subsystem,O=DOMAIN.COM
expires: 2020-10-11 20:15:53 UTC

status: MONITORING
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
subject: CN=CA Subsystem,O=DOMAIN.COM
expires: 2018-08-14 20:49:36 UTC

status: MONITORING
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
subject: CN=Certificate Authority,O=DOMAIN.COM
expires: 2038-10-22 18:15:48 UTC
        
status: MONITORING
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
Certificate DB'
subject: CN=IPA RA,O=DOMAIN.COM
expires: 2018-08-14 20:50:00 UTC
        
status: MONITORING
certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
subject: CN=ca-ldap01.DOMAIN.com,O=DOMAIN.COM
expires: 2020-07-07 01:47:45 UTC
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org

Reply via email to