The person who set this up is no longer available. We have 6 IPA servers in a cluster, all set as MASTER. All servers are running IPA v. 4.6.4. On 8 March the CA Subsystem certificate expired. When looking at the certificate I noticed it had an incorrect Common Name, which may be why it didn't renew. I checked the pki-tomcat CS.cfg and the two lines:

ca.subsystem.cert - Has cert with incorrect hostname listed
ca.subsystem.certreq - Has cert request for correct ca subsystem cert (Common Name CA Subsystem)
I tried removing the errant ca subsystem cert from the NSS DB in pki-tomcat/alias and was successful. I then tried to request a new SubSystem Cert using this command:

getcert request -I CASubsystem -c dogtag-ipa-renew-agent -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -N 'cn=CA Subsystem,o=IPA.*****.NET' -P 'PIN_FROM_FILE' -t 'NSS Certificate DB'

And that seems to at least have issued the request, because 'getcert list' shows the request, but with a CA_REJECTED message. If I do an ldapsearch for the certificate, it shows the correct cert with CN=CA Subsystem, but the one that expired on 8 March.

How can I get a valid CA Subsystem cert again so I can start the CA on all IPA servers?

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
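An added check, not part of the original post or of FreeIPA/certmonger: it parses 'getcert list' output and flags tracked requests that are not MONITORING (such as the CA_REJECTED one above), whose cert has already expired, or whose subject CN differs from what the nickname should carry (here 'subsystemCert cert-pki-ca' should be "CA Subsystem", not a hostname). The sample output and the realm IPA.EXAMPLE.NET are constructed; the nickname-to-CN map is an assumption you would fill in for your own deployment.

```python
import re

# Constructed sample of `getcert list` output (not output from the poster's servers):
# a CA subsystem request that was rejected, holds an expired cert and has a
# hostname where "CA Subsystem" should be, plus one healthy request.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20190308120000':
\tstatus: CA_REJECTED
\tca-error: Server denied our request (constructed message)
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=ipa1.ipa.example.net,O=IPA.EXAMPLE.NET
\texpires: 2019-03-08 10:15:00 UTC
Request ID '20190308120001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=IPA.EXAMPLE.NET
\texpires: 2020-09-01 10:15:00 UTC
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per Request ID."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1] in ("\t", " "):
            key, _, value = line.strip().partition(":")  # fields are "name: value"
            current[key] = value.strip()
    return requests


def audit(text, expected_cn_by_nickname, now):
    """Return {request id: [problems]}; `now` uses getcert's own timestamp format."""
    findings = {}
    for req in parse_getcert_list(text):
        problems = []
        if req.get("status") != "MONITORING":
            problems.append("status=" + req.get("status", "unknown"))
        if req.get("expires", "9999") <= now:  # fixed-width timestamps, so string order is time order
            problems.append("expired " + req["expires"])
        nick = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
        want = expected_cn_by_nickname.get(nick.group(1) if nick else None)
        cn = re.search(r"(?:^|,)CN=([^,]+)", req.get("subject", ""))
        if want and (cn is None or cn.group(1) != want):
            problems.append("subject CN %r != %r" % (cn.group(1) if cn else None, want))
        if problems:
            findings[req["id"]] = problems
    return findings
```

Run it against real output with `getcert list | python3 -c '...'` (or read the text from a file) and pass a map like {'subsystemCert cert-pki-ca': 'CA Subsystem'} for the nicknames you care about.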
