stefano.antonelli@cnaf via FreeIPA-users wrote:
> Dear All
>
> we have a three-node FreeIPA 4.6.8 installation with third-party
> certificate (https / dirsrv). This certificate has expired and when I
> try to follow the
>
> ipa-cacert-manage install ...
> ipa-certupdate I get the error: "cannot connect to
> https://ipaserver/ipa/json : [SSL: CERTIFICATE_VERIFY_FAILED]
> certificate verify failed (_ssl.c:618)"

Why are you running this command? Did you change the CA at the same time? If not then ipa-server-certinstall is what you want.

> I suppose that this is due to the fact that https connection is blocked
> for expired certificate which I can't renew.

Yep.

> Is there a way to bypass this?

Go back in time as you tried.

> I've tried to set a date on the server previous than the expiring one of
> the cert, but I get an SASL/GSSAPI error (even if I renew admin ticket).

I guess make sure that your time daemon, if any, is stopped.

> I was thinking to regenerate /etc/httpd/alias/cert8.db,key3.db with new
> cert/key but I don't know how

Theoretically possible but ipa-server-certinstall should handle it for you. Manual is prone to error.

rob
