hi, sorry for the delay, priorities shifted a bit.
Let's see, the serial # and validity of the cert in the kdc with problems:

- note the serial ID of the cert, its subject and issuer:

    [root@kdc2 ~]# openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
    Certificate:
        Data:
            Version: 3 (0x2)
            Serial Number: 7 (0x7)
        Signature Algorithm: sha256WithRSAEncryption
            Issuer: O=SUB.DOMAIN.TLD, CN=Certificate Authority
            Validity
                Not Before: Dec 15 13:58:44 2017 GMT
                Not After : Dec  5 13:58:44 2019 GMT
            Subject: O=SUB.DOMAIN.TLD, CN=IPA RA

So it looks like this did not get renewed.

    # ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca
    Enter LDAP Password:
    <snip>
    dn: uid=ipara,ou=people,o=ipaca
    description: 2;80;CN=Certificate Authority,O=SUB.DOMAIN.TLD;CN=IPA RA,O=SUB.DOMAIN.TLD IT
    cn: ipara
    objectClass: top
    objectClass: person
    objectClass: organizationalPerson
    objectClass: inetOrgPerson
    objectClass: cmsuser
    userCertificate:: <snip>
    userCertificate:: <snip>
    userstate: 1
    usertype: agentType
    sn: ipara
    uid: ipara

So I have two userCertificates. The first one is the one in the file system on the broken kdc in /var/lib/ipa/ra-agent.pem. The second one is the one in the working kdc. The serial number is the one on the certificate on the working kdc, which was renewed on Nov 8th successfully.

So do I need to copy the ra-agent.pem and key from the working kdc to the broken kdc?

-- 
Groeten,
natxo
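The comparison the message walks through by hand (serial and DNs of the on-disk ra-agent.pem against the serial/issuer/subject recorded in the ipara entry's description attribute, plus whether the file cert has expired) can be scripted. The following is an added example written for this thread, not code from the poster or from FreeIPA/Dogtag. It assumes the description attribute has the shape "version;serial;issuerDN;subjectDN" as seen in the quoted ldapsearch output, and the sample description and openssl text it embeds are constructed to mirror the values quoted above (with the redacted domain made consistent); in practice you would feed it the real `openssl x509 -noout -text` and ldapsearch output.

```python
import re
from datetime import datetime, timezone

# Constructed sample, modelled on the ldapsearch output quoted in the thread:
# the description attribute of uid=ipara,ou=people,o=ipaca. Assumed layout:
# "<version>;<serial, decimal>;<issuer DN>;<subject DN>".
IPARA_DESCRIPTION = (
    "2;80;CN=Certificate Authority,O=SUB.DOMAIN.TLD;CN=IPA RA,O=SUB.DOMAIN.TLD"
)

# Constructed sample, modelled on the `openssl x509 -noout -text` output quoted
# in the thread for /var/lib/ipa/ra-agent.pem on the broken KDC.
OPENSSL_TEXT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=SUB.DOMAIN.TLD, CN=Certificate Authority
        Validity
            Not Before: Dec 15 13:58:44 2017 GMT
            Not After : Dec  5 13:58:44 2019 GMT
        Subject: O=SUB.DOMAIN.TLD, CN=IPA RA
"""


def dn_rdns(dn):
    """Split a DN into a set of RDNs so 'O=X, CN=Y' and 'CN=Y,O=X' compare
    equal. Naive split on ',' (no escaped commas), which is enough for the
    CA and RA agent DNs IPA generates."""
    return frozenset(part.strip() for part in dn.split(","))


def parse_ipara_description(desc):
    """Parse the description attribute of the ipara LDAP entry."""
    parts = desc.split(";", 3)
    if len(parts) != 4:
        raise ValueError("unexpected description format: %r" % desc)
    _version, serial, issuer, subject = parts
    return {"serial": int(serial), "issuer": issuer, "subject": subject}


def parse_openssl_text(text):
    """Pull serial, issuer, subject and validity out of `openssl x509 -text`."""
    # Small serials print as 'Serial Number: 7 (0x7)'; large ones print the
    # hex bytes on the following line ('Serial Number:\n    12:ab:...').
    m = re.search(r"Serial Number:[ \t]*(\d+)", text)
    if m:
        serial = int(m.group(1))
    else:
        m = re.search(r"Serial Number:\s*\n\s*([0-9a-fA-F:]+)", text)
        if not m:
            raise ValueError("no serial number found")
        serial = int(m.group(1).replace(":", ""), 16)

    def field(name):
        m = re.search(r"^\s*%s\s*:\s*(.+?)\s*$" % re.escape(name), text, re.M)
        if not m:
            raise ValueError("field %s not found" % name)
        return m.group(1)

    def when(name):
        # openssl pads the day with a space ('Dec  5'); collapse before parsing.
        raw = re.sub(r"\s+", " ", field(name))
        return datetime.strptime(raw, "%b %d %H:%M:%S %Y %Z").replace(
            tzinfo=timezone.utc)

    return {
        "serial": serial,
        "issuer": field("Issuer"),
        "subject": field("Subject"),
        "not_before": when("Not Before"),
        "not_after": when("Not After"),
    }


def check_ra_agent(desc, openssl_text, now):
    """Compare the on-disk RA agent cert with the one registered for ipara.
    `now` is a tz-aware datetime or an ISO date string (treated as UTC)."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    reg = parse_ipara_description(desc)
    cert = parse_openssl_text(openssl_text)
    return {
        "registered_serial": reg["serial"],
        "file_serial": cert["serial"],
        "serial_matches": reg["serial"] == cert["serial"],
        "issuer_matches": dn_rdns(reg["issuer"]) == dn_rdns(cert["issuer"]),
        "subject_matches": dn_rdns(reg["subject"]) == dn_rdns(cert["subject"]),
        "expired": now > cert["not_after"],
        "not_after": cert["not_after"].isoformat(),
    }


if __name__ == "__main__":
    result = check_ra_agent(IPARA_DESCRIPTION, OPENSSL_TEXT,
                            datetime.now(timezone.utc))
    for key, value in result.items():
        print("%-18s %s" % (key, value))
```

On the sample data this reports file serial 7 versus registered serial 80 (so the on-disk cert is not the one the CA knows as the RA agent) and, for any date after Dec 5 2019, that the file cert is expired; issuer and subject still match, so only the certificate itself, not its identity, is stale.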