I do see the old CA Certificate listed here:

    # ipa-cacert-manage list
    DOMAIN.COM IPA CA
    DOMAIN.COM IPA CA
    . . .
    The ipa-cacert-manage command was successful

and running `certutil -L -d /etc/httpd/alias -n "DOMAIN.COM IPA CA"` returns details of both the expired CA Cert and the current renewed CA Cert.

Is there any other place where IPA is giving the older CA Cert a higher priority than the renewed cert? And would deleting the old expired cert be the 'fix' for this issue?

It appears like I wouldn't be able to run `ipa-cacert-manage delete DOMAIN.COM IPA CA` because there's a duplicate name in that list. Is there a way to tell it to delete by Certificate ID or another unique identifier?

I also am currently unable to log into the Web UI for this same reason. For external websites, I have disabled Cert verification temporarily until this is resolved so users are able to log in.

Thanks!
