Khurrum Maqb via FreeIPA-users wrote:
> I do see the old CA Certificate listed here:
>
> # ipa-cacert-manage list
> DOMAIN.COM IPA CA
> DOMAIN.COM IPA CA
> .
> .
> .
> The ipa-cacert-manage command was successful
>
> and running `certutil -L -d /etc/httpd/alias -n "DOMAIN.COM IPA CA"` returns details of both the expired CA Cert and the current renewed CA Cert. Is there any other place where IPA is giving the older CA Cert a higher priority than the renewed cert? And would deleting the old expired cert be the 'fix' for this issue?
>
> It appears like I wouldn't be able to run `ipa-cacert-manage delete DOMAIN.COM IPA CA` because there's a duplicate name in that list. Is there a way to tell it to delete by Certificate ID or another unique identifier?
>
> I also am currently unable to log into the Web UI for this same reason. For external websites, I have disabled Cert verification temporarily until this is resolved so users are able to log in.
You can't delete the IPA CA using the delete command, so it wouldn't help you in this case. It is OpenSSL that is not handling the multiple certs; I'm not sure why in this case.

But you can clean up the expired one pretty easily. Use your favorite LDAP tool (Apache studio, ldapmodify, etc.) to look in:

cn=certificates,cn=ipa,cn=etc,dc=example,dc=test

Identify which caCertificate is the expired one and remove the value. On output it will likely appear (depending on tool) as a base64-encoded blob. You'll need to either convert it to DER (easier) or PEM format to see the details of it. I'd base64-decode it and write it to a file and then use

openssl x509 -text -inform der -in /path/to/file

to examine it.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
