Ricardo Mendes wrote:
> Hi Rob,
>
> Again thanks for your reply. So I went to the commit that lasted
> from 2017 and re-ran setup-le.sh
> Output is here:
>
> https://pastebin.com/JAaD4R21
>
> In the end I get this error:
>
> ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
> ipalib.backend: DEBUG: Destroyed connection
> context.rpcclient_140213913461328
> ipapython.admintool: INFO: The ipa-certupdate command was successful
> certutil: Server-Cert is neither a key-type nor a nickname nor a key-id:
> SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
>
> If I try renew-le
>
> # bash renew-le.sh
> certutil: could not find certificate named "Server-Cert":
> PR_FILE_NOT_FOUND_ERROR: File not found
> certutil: Server-Cert is neither a key-type nor a nickname nor a key-id:
> SEC_ERROR_INVALID_ARGS: security library: invalid arguments.

I think you need to see what certs and keys are in /etc/httpd/alias.
Sounds like there is no Server-Cert nickname.

certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt

> (btw https://lists.fedoraproject.org is down)

Related to the Fedora infrastructure move.

rob

>
>
> Ricardo Mendes via FreeIPA-users wrote:
>
>> Ok so I don't know what happened the server really did take a long
>> time to come up but it did.
>>
>> Everything looks pretty much the same. The setup-le.sh command I ran
>> that said
>>
>>> The ipa-certupdate command was successful
>> But I can't see it. I have to start ipa services with
>> --ignore-service-failure and --skip-version-check
>> When I go to web I still see the old expired certificate from May 21st.
>>
>> I tried to run renew-le and I get this error:
>>
>> # bash renew-le.sh
>> Error opening Certificate /var/lib/ipa/certs/httpd.crt
>> 140430772283280:error:02001002:system library:fopen:No such file or
>> directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r')
>> 140430772283280:error:20074002:BIO routines:FILE_CTRL:system
>> lib:bss_file.c:404:
>> unable to load certificate
>>
> That's the incompatibilities I mentioned. I think if you pop the top one
> or two commits off then it will start to work again. Look for a commit
> that's like "switch to mod_ssl" and pop that off.
>
> rob
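
Added example, not part of the original thread or of the setup-le.sh/renew-le.sh scripts: a small POSIX shell check that reads `certutil -L` and `certutil -K` listings and reports whether a nickname such as Server-Cert has both a certificate and a private key. The function names and the sample listings are constructed for illustration, and the parsing assumes the usual column layout of certutil output.

```sh
#!/bin/sh
# Constructed sample listings (not output from the thread).
SAMPLE_CERTS='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
Other-Cert                                                   u,u,u'
SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      1111111111111111111111111111111111111111   NSS Certificate DB:Other-Cert'

# has_cert NICK: reads `certutil -L` output on stdin; succeeds if NICK is listed.
has_cert() {
    awk -v nick="$1" '
        # Data rows end in a trust-flags column such as "u,u,u" or "CT,C,C".
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            line = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", line)   # drop the trust column
            if (line == nick) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# has_key NICK: reads `certutil -K` output on stdin; succeeds if a key row names NICK.
has_key() {
    awk -v nick="$1" '
        /^<[ 0-9]+>/ {
            line = $0
            # Strip "< n> type keyid", then an optional "token name:" prefix.
            sub(/^<[ 0-9]+>[ \t]+[a-z]+[ \t]+[0-9a-f]+[ \t]+/, "", line)
            sub(/^[^:]*:/, "", line)
            sub(/[ \t]+$/, "", line)
            if (line == nick) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# nickname_status NICK CERT_LISTING KEY_LISTING -> prints "cert=yes|no key=yes|no"
nickname_status() (
    c=no; k=no
    printf '%s\n' "$2" | has_cert "$1" && c=yes
    printf '%s\n' "$3" | has_key "$1" && k=yes
    echo "cert=$c key=$k"
)

# Live use, with the commands from the reply above:
#   nickname_status Server-Cert \
#     "$(certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt)" \
#     "$(certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt)"
nickname_status Server-Cert "$SAMPLE_CERTS" "$SAMPLE_KEYS"
```

A result of `cert=no key=no` for Server-Cert matches the "could not find certificate named" error quoted above; `cert=yes key=no` would instead point to a certificate imported without its private key.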
