I have tried my luck around with all the helpers: `pki-server cert-fix`, `ipa-cacert-manage`, `ipa-certupdate`, etc. but each one is failing on me for multiple reasons. - `ipa-cacert-manage` Cannot update the CA with `--external-cert-file` because the root ca is not detected to be in the trust list - `ipa-cert-fix` Was run without overlapping validity time, and the certificate were re-created, so now it is not recoverable, neither back in time, nor in current time - `pki-tomcat` is failing
It is quite a mess and I would like to ask for some guidance on how one could recover manually from such dependency issues: - Is it possible to do a `ipa-server-install` and keep the user data? - If I sign all of the service's certificates manually, what are all of the manual steps needed to get the services back up so that the helpers can be run. - I've tried to install the CA certificate in the nssdb database, ldap, and /etc/ipa/ca.crt. Are there other locations? - I've recreated an httpd certificate signed by the root, but I can't figure how to do the same with the ones located in the nssdb database, i.e. to recreate a csr with the same data as one of the certificates there - What is the order of services that should be updated. My understanding is CA -> `certutil`'s CA -> httpd + slapd + pki-tomcat (not sure where the last one is or how to edit it) -> `ipa-certupdate` _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue