James Hogarth wrote:

When trying to view a particular service (or the related host) I'm
getting the following error in the UI:

IPA Error 4301
Certificate operation cannot be completed: EXCEPTION (Certificate serial
number 0xffe000c not found)

Now I've seen a similar issue in the past when replication has played up
and then using ipa-csmanage-replica and forcing syncs (or finding the
system the certificate is registered on and deleting it there) has
cleared it up...

Unfortunately I suspect this was on an old replica which no longer
exists given the error occurs on either of the pair I now have for this
host and service...

Given there's no 'ignore warning and remove what you can' so far as I
can see I suspect I'm going to have to delve into LDAP to unravel the
mess but does anyone know the relevant areas in both 389 servers to do
this as safely as possible and reduce the risk in doing so as much as

You can use ldapmodify to remove the userCertificate attribute from the host.

# kinit admin
# ldapmodify -Y GSSAPI
SASL/GSSAPI authentication started
SASL username: ad...@example.com
SASL data security layer installed.
dn: fqdn=pacer.example.com,cn=computers,cn=accounts,dc=example,dc=com
changetype: modify
delete: usercertificate

modifying entry "fqdn=pacer.example.com,cn=computers,cn=accounts,dc=example,dc=com"

You'll probably want to delete the certificate out of /etc/pki/nssdb on the host too.


Freeipa-users mailing list
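
An added example, not part of the thread and not FreeIPA code: a check to run before the delete, confirming that the userCertificate stored on the entry is the one whose serial the error names. It takes the entry's LDIF text (for instance saved from an ldapsearch of that DN) and returns each certificate's serial; the function names and the sample data are constructed for illustration.

```python
import base64
# Added illustration; function names are hypothetical, sample data is constructed.
def _read_tlv(buf, pos):
    """Return (tag, value, next_pos) for the DER element starting at pos."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long form: low 7 bits give the count of length bytes
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + length], pos + length

def cert_serial(der):
    """Serial number of an X.509 certificate, read from its DER encoding."""
    tag, cert, _ = _read_tlv(der, 0)       # Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, tbs, _ = _read_tlv(cert, 0)         # tbsCertificate SEQUENCE
    tag, value, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                        # optional [0] EXPLICIT version
        tag, value, _ = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return int.from_bytes(value, "big", signed=True)

def ldif_cert_serials(ldif_text):
    """Serials of every base64 userCertificate value in one LDIF entry."""
    lines = []
    for raw in ldif_text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]           # LDIF folds long values onto " "-prefixed lines
        else:
            lines.append(raw)
    serials = []
    for line in lines:
        attr, sep, value = line.partition("::")
        if sep and attr.split(";")[0].lower() == "usercertificate":
            serials.append(cert_serial(base64.b64decode(value.strip())))
    return serials

def _tlv(tag, value):                      # builds the constructed sample only
    return bytes([tag, len(value)]) + value
# Constructed stand-in: only the leading DER fields of a certificate (version,
# serial), carrying the serial from the error message. Not a real certificate.
SAMPLE_DER = _tlv(0x30, _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02"))
                                   + _tlv(0x02, (0xFFE000C).to_bytes(4, "big"))))
SAMPLE_B64 = base64.b64encode(SAMPLE_DER).decode()
SAMPLE_LDIF = ("dn: fqdn=pacer.example.com,cn=computers,cn=accounts,dc=example,dc=com\n"
               "userCertificate:: " + SAMPLE_B64[:10] + "\n " + SAMPLE_B64[10:] + "\n")
```

`ldif_cert_serials(SAMPLE_LDIF)` returns a list to compare against the serial in the error (0xffe000c); an empty list means the entry carries no userCertificate value.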