Schrier, William (Contractor) via FreeIPA-users wrote:
>>
>> The ra-agent certificate is used to authenticate to the CA in order to
>> issue certificates. If it is expired it will fail. So it can't renew
>> itself or the PKINIT certificate.
>>
>> Perhaps try ipa-cert-fix again.
>>
>> rob
>
> Still fails with the same error as before:
>
> # ipa-cert-fix
> Failed to get Server-Cert
> The ipa-cert-fix command failed.
>

Right. You'll need to get the serial number of the two certificates:

# openssl x509 -serial -noout -in /var/lib/ipa/ra-agent.pem
# openssl x509 -serial -noout -in /var/kerberos/krb5kdc/kdc.crt

Then run pki-server cert-fix again specifying those serial numbers:

# pki-server cert-fix --ldapi-socket /var/run/slapd-YOUR-REALM.socket --agent-uid ipara --extra-cert serial#1 --extra-cert serial#2

Restart certmonger to see the updated certificates.

rob
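
The steps in the reply above, as an added example that is not part of the original message or of the FreeIPA/Dogtag code: a script that reads each certificate's serial with openssl and prints the resulting pki-server cert-fix command for review. It assumes cert-fix expects the serial as a decimal integer (openssl prints "serial=<HEX>"); the function names serial_to_decimal and extra_cert_args are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): build --extra-cert arguments from
# certificate files. Assumption: cert-fix expects decimal serials, while
# `openssl x509 -serial` prints "serial=<HEX>".

# serial_to_decimal "serial=<HEX>" prints the serial in decimal
serial_to_decimal() {
    hex=${1#serial=}
    case $hex in
        ''|*[!0-9A-Fa-f]*) echo "not a hex serial: $1" >&2; return 1 ;;
    esac
    # Drop leading zeros so the length check reflects the real magnitude.
    while [ "${#hex}" -gt 1 ] && [ "${hex#0}" != "$hex" ]; do
        hex=${hex#0}
    done
    # Shell arithmetic is 64-bit; large random serials need another tool.
    if [ "${#hex}" -gt 15 ]; then
        echo "serial too large for shell arithmetic: $hex" >&2
        return 1
    fi
    echo $((0x$hex))
}

# extra_cert_args FILE... prints "--extra-cert N --extra-cert M ..."
extra_cert_args() {
    args=
    for pem in "$@"; do
        line=$(openssl x509 -serial -noout -in "$pem") || return 1
        dec=$(serial_to_decimal "$line") || return 1
        args="$args --extra-cert $dec"
    done
    echo "${args# }"
}

# Usage: script LDAPI_SOCKET CERT_FILE...
# Prints the command for review instead of running it.
if [ "$#" -ge 2 ]; then
    socket=$1; shift
    extra=$(extra_cert_args "$@") || exit 1
    echo "pki-server cert-fix --ldapi-socket $socket --agent-uid ipara $extra"
fi
```

Run it with the LDAPI socket path followed by the two certificate files named in the reply; a serial that is empty, non-hex, or longer than 15 hex digits stops the script instead of producing a wrong number.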