Hi Rob,

Thanks a lot for your reply.

> It's because you are in the middle of an upgrade. You can add
> --skip-version-check to not do the upgrade until after the certs are renewed.

Amazing! So I turned back the clock and:

# ipactl restart --ignore-service-failure --skip-version-check
Skipping version check
Failed to get service list from file: Unknown error when retrieving list of services from file: [Errno 2] No such file or directory: '/var/run/ipa/services.list'
Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Failed to restart pki-tomcatd Service
Forced restart, ignoring pki-tomcatd Service, continuing normal operation
Restarting ipa-otpd Service
Restarting ipa-ods-exporter Service
Restarting ods-enforcerd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

I did as Florence said and set the time back. Then I imported the github.com/freeipa/freeipa-letsencrypt, edited as necessary and ran setup-le.sh. It shows some errors; I am including the full output here: https://pastebin.com/S07vqXLy

In the end it has this:

ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140667189670224
ipapython.admintool: INFO: The ipa-certupdate command was successful
Error opening Private Key /var/lib/ipa/private/httpd.key
139927634605968:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/private/httpd.key','r')
139927634605968:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load Private Key

> These are just two different wrappers around let's encrypt certificates. As
> long as it can find the key(s) then it should work either way (one uses HTTP
> and one uses DNS). The real trick is what version(s) of IPA those support and
> where it is looking for the certificates. The cert locations and storage are
> different depending on the version of IPA.

I am assuming the script from antevens uses DNS. But how can it not matter if someone is using an up to date version of freeipa and Florence mentioned

> - ipaCert is not stored any more in the NSS database /etc/httpd/alias, it is
> now in /var/lib/ipa/ra-agent.{key|pem}

So if this has changed and the scripts of that letsencrypt repo haven't been edited in over a year, is it supposed to work? Or is it not compliant with the latest IPA versions?

Btw, after setup-le.sh finished I set the time back and rebooted the server. It seems like now it's not coming up at all... I'll have to VNC to it and see what happened...

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org