Thanks for the detailed instructions! I will have to do this process on the
weekend. Can't bring down the server now. I'll proceed with stopping
ntpd/chronyd and rolling back the date to when the certificates were valid,
then follow the steps you've outlined. I'll also keep an eye on getcert
list to ensure everything gets renewed properly.

Like I mentioned before, I inherited these FreeIPA servers. Before I do any
of the steps you've outlined, is it possible to install and configure a new
master server and replica with the latest version of FreeIPA, including CA
and DNS, and then replace the current master server with the new setup? If
so, what would be the best approach for that transition?

On Wed, 4 Sept 2024 at 14:42, Rob Crittenden <[email protected]> wrote:

> Azim Siddiqui wrote:
> > ipa-cert-fix command is not working on the FreeIPA master server.
> >
> > The FreeIPA version on the master server is - VERSION: 4.2.0
> > And on the replica server is - VERSION: 4.6.8
>
> Please keep responses on the list.
>
> Oh geez, RHEL 7.2. Man that is ancient.
>
> You'll need to stop ntpd/chronyd if they are running and use the date
> command to go back in time to when all the certificates are valid.
>
> Then run ipactl restart
>
> If all the services start ok and you can validate that things seem to be
> working back in time (ipa user-show admin, ipa cert-show 1) then restart
> the certmonger service and sit back and wait. It can take a bit to renew
> everything. You can follow along by occasionally running getcert list.
>
> Once everything is in MONITORING you can return to present time, restart
> ntpd/chronyd and run ipactl restart again.
>
> Then you need to focus on bringing these systems up-to-date. RHEL, and
> therefore CentOS, 7 is EOL and 7.2 particularly so. You should have more
> than one system running a CA too. You currently have a
> single point of failure.
>
> rob
>
>
-- 
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
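The time-rollback renewal procedure Rob lays out (stop ntpd/chronyd, step the clock back to when every certificate was valid, ipactl restart, sanity-check, restart certmonger, wait until getcert list shows everything in MONITORING, return to the present, restart NTP and ipactl again) is scripted below as an added example. It is not code from the thread or from the FreeIPA project. The parsing helpers run anywhere on a constructed sample of getcert list output; run_rollback_renewal is only executed with --run, as root on the IPA master, and assumes GNU date, systemd, chronyd or ntpd, hwclock, and a valid admin ticket (kinit admin) for the ipa sanity checks. The expiry field formats, the one-day margin, and the use of hwclock to step back to present time are assumptions, not something the thread states.

```shell
#!/bin/bash
# Added example (not from the thread or from FreeIPA): helpers around the
# time-rollback renewal procedure. Only run_rollback_renewal touches the
# system, and only when this script is invoked with --run as root on the
# IPA master (assumes GNU date, systemd, chronyd/ntpd and hwclock).

# Constructed sample of `getcert list` output, trimmed to the fields used.
# Real output indents with a tab; [[:space:]]* below matches either.
# Newer certmonger prints "expires: YYYY-MM-DD HH:MM:SS UTC"; old releases
# (assumed for the RHEL 7.2 era) print "expires: YYYYMMDDHHMMSS". Both appear.
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 3.
Request ID '20150101000000':
    status: CA_UNREACHABLE
    stuck: yes
    expires: 2024-08-30 10:15:42 UTC
Request ID '20150101000001':
    status: MONITORING
    stuck: no
    expires: 20241005120000
Request ID '20150101000002':
    status: MONITORING
    stuck: no
    expires: 2026-01-15 08:00:00 UTC"

# Print every tracked cert's expiry as "YYYY-MM-DD HH:MM:SS" (UTC), normalising
# the compact old-certmonger form, sorted earliest first. stdin = getcert list.
expiries() {
  sed -n 's/^[[:space:]]*expires:[[:space:]]*//p' \
    | sed -E 's/^([0-9]{4})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})([0-9]{2})$/\1-\2-\3 \4:\5:\6/; s/ UTC$//' \
    | sort
}

# Earliest expiry across all tracked certs; this is the date everything
# must be rolled back before.
earliest_expiry() { expiries | head -n 1; }

# Date to step the clock back to: $2 days (default 1) before expiry $1,
# so every tracked certificate is valid again at the rolled-back time.
rollback_target() {
  local epoch
  epoch=$(date -u -d "$1" +%s) || return 1
  date -u -d "@$(( epoch - ${2:-1} * 86400 ))" +'%Y-%m-%d %H:%M:%S'
}

# Number of tracked requests whose status is exactly $1 (stdin = getcert list).
count_status() { grep -c "^[[:space:]]*status: $1\$" || :; }

# Succeed only when every tracked request is MONITORING and none is stuck,
# i.e. Rob's "once everything is in MONITORING" condition.
all_monitoring() {
  local out total mon stuck
  out=$(cat)
  total=$(printf '%s\n' "$out" | grep -c '^[[:space:]]*status:') || :
  mon=$(printf '%s\n' "$out" | count_status MONITORING)
  stuck=$(printf '%s\n' "$out" | grep -c '^[[:space:]]*stuck: yes$') || :
  [ "$total" -gt 0 ] && [ "$mon" -eq "$total" ] && [ "$stuck" -eq 0 ]
}

# The procedure itself. Destructive: invoke as `./script --run [days_margin]`
# as root on the IPA master with an admin ticket (kinit admin) for the checks.
run_rollback_renewal() {
  local margin=${1:-1} earliest target i=0
  earliest=$(getcert list | earliest_expiry) || return 1
  target=$(rollback_target "$earliest" "$margin") || return 1
  echo "earliest expiry $earliest; stepping system clock back to $target UTC"
  systemctl stop chronyd ntpd 2>/dev/null || true   # whichever one is installed
  date -u -s "$target" >/dev/null                    # system clock only; RTC is left alone
  ipactl restart || return 1
  ipa user-show admin >/dev/null && ipa cert-show 1 >/dev/null || {
    echo "sanity checks failed in the past; not restarting certmonger" >&2; return 1; }
  systemctl restart certmonger
  until getcert list | all_monitoring; do            # renewal takes a while; poll
    i=$((i + 1))
    [ "$i" -le 60 ] || { echo "still not all MONITORING after 30 min; inspect getcert list" >&2; return 1; }
    sleep 30
  done
  hwclock --hctosys                                  # assumption: RTC still holds present time
  systemctl start chronyd 2>/dev/null || systemctl start ntpd
  ipactl restart
}

if [ "${1:-}" = "--run" ]; then run_rollback_renewal "${2:-1}"; fi
```

The sanity checks run before certmonger is restarted on purpose: if the services do not come up cleanly at the rolled-back time, renewing on top of a broken stack only adds noise, and the clock is still easy to put back. If the poll times out, the script leaves the clock in the past so getcert list can be inspected, which is the state Rob's instructions would have you in anyway.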