On Thu, Jun 10, 2021, at 5:45 PM, Rob Crittenden wrote:
> So you've run ipa-replica-prepare <host> and then ship that file to
> <host> right?

Exactly.

> At some point we started re-generating the CA certs file
> (/root/cacert.p12) during preparation. Did we do this in F21? I have no
> idea.
>
> Can you use pk12util to look at the contents of that file? The password
> is the initial DM password. Look for expirations, things like that.
>
> # pk12util -l /root/cacert.p12

All the "Not After" dates were in 2022 or 2034, and the "Not Before" dates were all before 2020. So that all seems fine.

> You can generate a new one but it requires putting passwords into files
> temporarily.
>
> If you need to generate a new one make a backup of the current, put the
> passwords in files per below and run this:
>
> # PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p /tmp/nssdbpwd -w
> /tmp/pk12pwd -o /root/cacert.p12
>
> The NSS db password is in /etc/pki/pki-tomcat/password.conf the value
> internal.
>
> Otherwise I'm not sure what would generate the socket error except a
> real network issue. Can you run wireshark on the new server during the
> install to see what is happening?

I could, but these two systems are both VM guests on the same VMware server, on the same virtual subnet. But I will take a deep dive today into the network and see if I can find anything there.

> rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
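The regeneration step quoted above puts two passwords into files under /tmp. The following is an added example, not part of the thread and not FreeIPA's own tooling, that wraps the same PKCS12Export call so the password files are owner-only and are removed afterwards. The function names, the password prompt and the choice to reuse the DM password for the new file are assumptions.

```bash
#!/bin/bash
# Added example, not from the thread. Paths and PKCS12Export flags are the ones
# quoted above; function names and the password prompt are assumptions.

# Print the value of the "internal" entry from a Dogtag password.conf.
nssdb_password() {
    # Strip only the key, so a password that itself contains '=' survives.
    sed -n 's/^internal=//p' "$1" | head -n 1
}

# Copy stdin into a fresh owner-only (0600) temp file and print its path.
secret_file() {
    local f
    f=$(umask 077; mktemp "${TMPDIR:-/tmp}/p12.XXXXXX") || return 1
    cat > "$f"
    printf '%s\n' "$f"
}

regenerate_cacert() {
    local conf=/etc/pki/pki-tomcat/password.conf out=/root/cacert.p12
    local dmpw nssfile p12file rc
    # Assumption: the new file keeps the DM password, like the existing one.
    read -rs -p "Directory Manager password: " dmpw; echo
    nssfile=$(nssdb_password "$conf" | secret_file) || return 1
    p12file=$(printf '%s\n' "$dmpw" | secret_file) || { rm -f "$nssfile"; return 1; }
    if [ ! -s "$nssfile" ]; then
        echo "no internal= entry in $conf" >&2
        rm -f "$nssfile" "$p12file"
        return 1
    fi
    # Back up the current file before overwriting it.
    if [ -f "$out" ]; then cp -p "$out" "$out.bak.$(date +%Y%m%d%H%M%S)"; fi
    PKCS12Export -d /etc/pki/pki-tomcat/alias/ -p "$nssfile" -w "$p12file" -o "$out"
    rc=$?
    # Remove the password files whether or not the export succeeded.
    rm -f "$nssfile" "$p12file"
    return "$rc"
}

# Nothing runs unless asked: pass --run, as root on the server holding the NSS db.
if [ "${1:-}" = "--run" ]; then regenerate_cacert; fi
```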