So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA:
ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot
connect to 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial':
[Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).
Figured out that it uses the certs in /var/lib/pki-ca/alias.
I tried adding it to certmonger:
# ipa-getcert start-tracking -I CAServerCert -d /var/lib/pki-ca/alias/ -n
New tracking request "CAServerCert" added.
But ipa-getcert list now tells me:
Request ID 'CAServerCert':
key pair storage: type=NSSDB,location='/var/lib/pki-
Okie dokie...where might I be able to find the PIN for the cert? I see that
the certs for httpd and slapd have a path to a pinfile, but I can't find
anything like that for the CA cert. I'm quite stuck. This expired cert, I'm
pretty sure, is what is preventing me from using this machine to migrate to a
new 3.0 machine (via replication).
Any ideas how to get the CA cert renewed?
I know how to generate a CSR and a cert, but I'm not sure 1) how I would add
it into the cert DB, and 2) how I can add it without invalidating all my other
Any help would be fantastic!
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A
Freeipa-users mailing list