Dear flo,

there is only one certificate that failed to renew, and the repair should (hopefully) be straightforward.

First of all, please confirm that the server is the CA renewal master:
# ipa config-show | grep "CA renewal"

Although I can kinit on other hosts, this fails on what I consider to be our CA master.

        kinit sm
        kinit: Cannot contact any KDC for realm 'OUR_REALM' while getting initial credentials

and would normally work up until the expiry.

Now if I try from one of our clients

        kinit works

        ipa config-show | grep "CA renewal"
        ipa: ERROR: cannot connect to 'https://PRIMARY_SERVER/ipa/json': [Errno 111] Connection refused

which has happened since the expiry, with web services etc. being unavailable, which seems to make sense.

Attempting on one of the other FreeIPA servers, kinit works, but the ipa command fails with:

        ipa: ERROR: cannot connect to 'https://THIS_SERVER/ipa/json':
        (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.

The output should display your hostname. If that's not the case, we need more information (which host is CA renewal master, are all the certs valid on this host?)

What would you like me to gather next? I am being cautious as I don't want the user service to fail, but worry not everything is working as it should be.

Thanks.

Best wishes

Stuart
_______________________________________________
FreeIPA-users mailing list -- [email protected]