Jochen Kellner via FreeIPA-users <[email protected]> writes:
> In IPA I have four certificates for "IPA RA" - one (the oldest) revoked,
> two are expired in 2017 and 2019 and one valid until next year.
>
> The certificate in CS.cfg is expired:
>
> Serial Number: 268173317 (0xffc0005)
> ...
> Validity
> Not Before: Dec 30 06:29:19 2017 GMT
> Not After : Dec 20 06:29:19 2019 GMT
> Subject: O = EXAMPLE.ORG, CN = KRA Transport Certificate
>
> certutil has the correct (valid) cert:
>
> Serial Number: 268238930 (0xffd0052)
> ...
> Validity
> Not Before: Dec 13 13:56:29 2019 GMT
> Not After : Dec 2 13:56:29 2021 GMT
>
> So, when installing the replica I got an older, expired cert in CS.cfg,
> but the certificate in nssdb is newer and valid.

I've fixed that manually on the new replica by copying the valid certificate from LDAP into the CS.cfg files.

> Thanks for the "I need more context" ping. I looked at IPA bugs but
> nothing looked similar to this case. OTOH I would expect that far more
> people would also have this problem.

I'll see what the last replica looks like after the refresh when all other replicas have been fixed.

Jochen

--
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
