rui liang via FreeIPA-users wrote:
> Because the PKI-tomcat service was not started at the time of the upgrade, it
> was ignored and the related certificates could not be automatically renewed.
>
> host                                                  version
> fs-hiido-kerberos-server02.hiido.host.yydevops.com    VERSION: 4.8.6, API_VERSION: 2.236
> fs-hiido-kerberos-server03.hiido.host.yydevops.com    VERSION: 4.8.6, API_VERSION: 2.236
> fs-hiido-kerberos-server04.hiido.host.yydevops.com    VERSION: 4.8.6, API_VERSION: 2.236
> fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com  VERSION: 4.3.1, API_VERSION: 2.164
> fs-hiido-kerveros-test08.hiido.host.yydevops.com      VERSION: 4.8.6, API_VERSION: 2.236
>
> Version 4.8 is currently in use.
>
> ssh fs-hiido-kerberos-server02.hiido.host.yydevops.com
> liangrui@fs-hiido-kerberos-server02:~$ cat /etc/ipa/default.conf
> [global]
> basedn = dc=yydevops,dc=com
> host = fs-hiido-kerberos-server02.hiido.host.yydevops.com
> realm = YYDEVOPS.COM
> domain = yydevops.com
> xmlrpc_uri = https://fs-hiido-kerberos-server02.hiido.host.yydevops.com/ipa/xml
> ldap_uri = ldapi://%2Fvar%2Frun%2Fslapd-YYDEVOPS-COM.socket
> mode = production
> enable_ra = True
> ra_plugin = dogtag
> dogtag_version = 10
> ca_host = fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com
>
> ssh fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com
> root@fs-hiido-kerberos-21-117-149:/home/liangrui# kinit admin; ipa config-show | grep CA
> Password for [email protected]:
> root@fs-hiido-kerberos-21-117-149:/home/liangrui# ipa config-show
>   Maximum username length: 32
>   Home directory base: /home
>   Default shell: /bin/sh
>   Default users group: ipausers
>   Default e-mail domain: yydevops.com
>   Search time limit: 2
>   Search size limit: 100
>   User search fields: uid,givenname,sn,telephonenumber,ou,title
>   Group search fields: cn,description
>   Enable migration mode: FALSE
>   Certificate Subject base: O=YYDEVOPS.COM
>   Password Expiration Notification (days): 4
>   Password plugin features: AllowNThash
>   SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
>   Default SELinux user: unconfined_u:s0-s0:c0.c1023
>   Default PAC types: nfs:NONE, MS-PAC
>
> Not sure where the CA is now?
> What do I need to do to make the previous HTTPD service work?
> Can I use this command to fix it? ipa-cert-fix
> https://manpages.debian.org/unstable/freeipa-server/ipa-cert-fix.1.en.html
ipa-cert-fix is not available; it was introduced with 4.8.0.

Do you have multiple CA servers?

Assuming your CA is the 4.3.1 machine, you're likely to have to do something like:

# getcert list

Examine the "not after" dates.
Pick a date just before they all expire, while they are all valid.
Stop all of IPA.
Manually start the IPA services, skipping ntpd.
Restart certmonger to try to kick off the renewal.
Watch the journal for progress/errors from certmonger.

rob
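The procedure rob describes, turned into a small planning script. This is an added example written for this page, not code from the thread or from FreeIPA. It parses the text that `getcert list` prints, picks the latest moment at which every tracked certificate is still valid (the earliest "expires" date minus a margin, which also works when some certificates have already expired, since the result is then simply a date in the past), and emits the command sequence for the steps above on a systemd host, including the clock change that "pick a date" implies. The `getcert list` excerpt is constructed, the realm YYDEVOPS.COM comes from the quoted default.conf, and the service names (`ntp.service`, `dirsrv@...`, `krb5kdc`, `kadmin`, `pki-tomcatd@pki-tomcat`, `httpd`, `certmonger`) are assumptions about a typical FreeIPA 4.3 install, not something the thread confirms.

```python
"""Plan the manual clock-rollback renewal described in the reply above.

Added example, not code from the thread or from FreeIPA. Service names and
the clock command are assumptions about a typical systemd-based FreeIPA 4.3
host; check them against the actual server before running anything.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed `getcert list` excerpt (not real output from the poster's host):
# the HTTP server cert is stuck with a ca-error, the CA subsystem cert is not.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160101000001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=YYDEVOPS.COM
\tsubject: CN=fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com,O=YYDEVOPS.COM
\texpires: 2020-06-20 08:15:32 UTC
\tca-error: Server at https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
Request ID '20160101000002':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=YYDEVOPS.COM
\texpires: 2020-07-02 10:00:00 UTC
"""

_REQ_HEADER = re.compile(r"^Request ID '([^']+)':", re.M)
_EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert(text):
    """Return one dict per tracked request: id, subject, expires (aware UTC), ca_error."""
    parts = _REQ_HEADER.split(text)  # [preamble, id1, body1, id2, body2, ...]
    certs = []
    for req_id, body in zip(parts[1::2], parts[2::2]):
        fields = {}
        for line in body.splitlines():
            key, sep, value = line.strip().partition(":")
            if sep:  # split on the first colon only; URLs inside values keep theirs
                fields[key] = value.strip()
        certs.append({
            "id": req_id,
            "subject": fields.get("subject", ""),
            "expires": datetime.strptime(fields["expires"], _EXPIRES_FMT).replace(tzinfo=timezone.utc),
            "ca_error": fields.get("ca-error", ""),
        })
    return certs


def stuck_requests(certs):
    """Requests certmonger has already failed to renew (the ones the upgrade skipped)."""
    return [c for c in certs if c["ca_error"]]


def pick_rollback_time(certs, margin=timedelta(days=1)):
    """A moment at which every tracked cert is still valid: earliest expiry minus a margin."""
    return min(c["expires"] for c in certs) - margin


def renewal_plan(rollback_at, realm="YYDEVOPS.COM"):
    """Shell commands, in order, for the steps in the reply above (assumed service names)."""
    instance = realm.replace(".", "-")  # dirsrv instance name: realm with dots as dashes
    stamp = rollback_at.strftime("%Y-%m-%d %H:%M:%S")
    return [
        "ipactl stop",                                     # stop all of IPA
        "systemctl stop ntp.service",                      # assumed name; a time daemon would snap the clock back
        f"date -u -s '{stamp}'",                           # roll the clock to when all certs are valid
        f"systemctl start dirsrv@{instance}.service",      # start services by hand, skipping ntpd
        "systemctl start krb5kdc.service kadmin.service",
        "systemctl start pki-tomcatd@pki-tomcat.service",  # the CA must be up or renewal fails again
        "systemctl start httpd.service",
        "systemctl restart certmonger.service",            # kick off the renewal attempts
        "journalctl -u certmonger.service -f",             # watch progress/errors
    ]


if __name__ == "__main__":
    certs = parse_getcert(SAMPLE_GETCERT)
    for c in stuck_requests(certs):
        print(f"stuck: {c['subject']}: {c['ca_error']}")
    when = pick_rollback_time(certs)
    print(f"roll the clock back to {when:%Y-%m-%d %H:%M:%S} UTC, then run:")
    print("\n".join(renewal_plan(when)))
```

Run it on the CA host (the quoted default.conf names the 4.3.1 machine as ca_host, so that is where the renewal has to happen) with the real `getcert list` output fed to `parse_getcert`. Once `getcert list` shows new "expires" dates for every request, reverse the clock change: `ipactl stop`, start the time daemon again, then `ipactl start`, otherwise the Kerberos and LDAP timestamps written while the clock was in the past keep causing trouble.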
