No, I didn't go back in time. I generated new certificates and imported them to
NSS DB after deleting the ones that contained Principals that had other hosts
listed.
I then updated the CS.cfg with the cert and certreq values, and made sure the
CA Subsystem cert in NSS DB matched what is in LDAP.
I'm not sure what logs to look at. /etc/pki/pki-tomcat/ca/selftest has no
errors; /etc/pki/pki-tomcat/ca/system has the last error from before I got ipa
to fully start. The debug log has a lot of information, but nothing that looks
like an error.
I've got no expired certs:
# getcert list | grep expires
expires: 2025-01-26 11:37:18 UTC
expires: 2025-01-26 11:37:04 UTC
expires: 2026-03-12 13:24:44 UTC
expires: 2034-04-01 11:38:26 UTC
expires: 2034-04-01 11:32:48 UTC
expires: 2034-04-01 11:35:47 UTC
expires: 2037-03-21 04:43:44 UTC
expires: 2024-12-24 11:37:06 UTC
expires: 2025-01-26 11:41:35 UTC
Trust attributes all look correct in /etc/pki/pki-tomcat/alias:
# certutil -L -d .
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
Server-Cert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
Certmonger tracking shows correct now with the Subject having the CN and O in
the correct order.
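The two checks done by hand above (no cert near expiry in `getcert list`, and the pki-tomcat NSS trust flags as expected) can be scripted against the command output. This is an added example, not code from the post or from FreeIPA; the sample output is constructed to match the shapes shown above, and the "expected" trust flags are the values the post reports.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list | grep expires` (same shape as in the post).
GETCERT_OUTPUT = """\
expires: 2025-01-26 11:37:18 UTC
expires: 2024-12-24 11:37:06 UTC
expires: 2034-04-01 11:38:26 UTC
"""

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias`.
CERTUTIL_OUTPUT = """\
Certificate Nickname                  Trust Attributes
                                      SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca             u,u,u
ocspSigningCert cert-pki-ca           u,u,u
caSigningCert cert-pki-ca             CTu,Cu,Cu
Server-Cert cert-pki-ca               u,u,u
auditSigningCert cert-pki-ca          u,u,Pu
"""

# Trust flags a healthy pki-tomcat CA shows for its five certs (as in the post).
EXPECTED_TRUST = {
    "subsystemCert cert-pki-ca": "u,u,u",
    "ocspSigningCert cert-pki-ca": "u,u,u",
    "caSigningCert cert-pki-ca": "CTu,Cu,Cu",
    "Server-Cert cert-pki-ca": "u,u,u",
    "auditSigningCert cert-pki-ca": "u,u,Pu",
}

def expiring_within(getcert_text, now_utc, days=30):
    """Expiry stamps that are past or within `days` of `now_utc` ('YYYY-MM-DD')."""
    limit = datetime.strptime(now_utc, "%Y-%m-%d").replace(tzinfo=timezone.utc) + timedelta(days=days)
    hits = []
    for line in getcert_text.splitlines():
        m = re.match(r"\s*expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC", line)
        if m and datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc) <= limit:
            hits.append(m.group(1))
    return hits

def trust_mismatches(certutil_text, expected=EXPECTED_TRUST):
    """{nickname: actual flags} for certs missing or differing from `expected`."""
    actual = {}
    for line in certutil_text.splitlines():
        # nickname, 2+ spaces, then the three comma-separated NSS trust-flag fields
        m = re.match(r"(\S.*?)\s{2,}([CTPpcu]*(?:,[CTPpcu]*){2})\s*$", line)
        if m:
            actual[m.group(1)] = m.group(2)
    return {n: actual.get(n, "<missing>") for n, t in expected.items() if actual.get(n) != t}
```

Run against live output (`getcert list`, `certutil -L -d /etc/pki/pki-tomcat/alias`) the same functions flag a cert inside the renewal window or a trust-flag change such as a CA signing cert that lost its `CT` flags.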