Joshua J. Kugler wrote:
> So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA
> ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot
> connect to 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial':
> [Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).

I thought you said in a different thread that it wasn't the CA that was
expired, but the tomcat cert.

> Figured out that it uses the certs in /var/lib/pki-ca/alias.
> I tried adding it to certmonger:
> # ipa-getcert start-tracking -I CAServerCert -d /var/lib/pki-ca/alias/ -n
> New tracking request "CAServerCert" added.
> But ipa-getcert list now tells me:
> Request ID 'CAServerCert':
> key pair storage: type=NSSDB,location='/var/lib/pki-
> Okie dokie... where might I be able to find the PIN for the cert? I see that
> the certs for httpd and slapd have a path to a pinfile, but I can't find
> anything like that for the CA cert. I'm quite stuck. This expired cert, I'm
> pretty sure, is what is preventing me from using this machine to migrate to a
> new 3.0 machine (via replication).
> Any ideas how to get the CA cert renewed?
> I know how to generate a CSR and a cert, but I'm not sure 1) how I would add
> it into the cert DB, and 2) how I can add it without invalidating all my other

certmonger in F-17 doesn't know how to renew the CA-related
certificates. We fixed this in the IPA 3.1 timeframe. I'm not sure if
the certmonger requires dogtag 10 for this feature or not, but it may.
You'll want to upgrade to 3.1+ if you can.
So if it is just the tomcat cert that is expired, then for simplicity
I'd set the time back on both systems (you'll need to kill ntp) to when
the cert is valid and try that. I have the feeling you've already done
this, but it is unclear what exactly you've tried.
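The thread turns on which cert in /var/lib/pki-ca/alias has actually expired (the CA signing cert or the tomcat server cert) and on picking a clock setback inside the validity window. The script below is an added example, not code from the thread or from FreeIPA: it parses the Validity block that `certutil -L -d <dbdir> -n <nickname>` prints for one cert, reports whether it is expired at a given instant, and computes a setback time one day before expiry. The "Not Before"/"Not After" line layout is assumed from memory of NSS pretty-print output, and the sample output is constructed (the nicknames are the usual Dogtag ones).

```python
import re
import subprocess
from datetime import datetime, timedelta, timezone

# NSS pretty-print layout assumed here (from memory; verify against your certutil):
#     Not Before: Fri Jun 10 15:02:18 2011
#     Not After : Sun Jun 10 15:02:18 2012
VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+)")
NSS_DATE_FMT = "%a %b %d %H:%M:%S %Y"  # certutil prints these timestamps in UTC

def parse_validity(certutil_text):
    """Return (not_before, not_after) as aware UTC datetimes."""
    found = {}
    for m in VALIDITY_RE.finditer(certutil_text):
        stamp = datetime.strptime(m.group(2).strip(), NSS_DATE_FMT)
        found[m.group(1)] = stamp.replace(tzinfo=timezone.utc)
    return found["Before"], found["After"]

def check_cert(certutil_text, now_iso):
    """'valid', 'expired' or 'not-yet-valid' at the given UTC ISO-8601 instant."""
    now = datetime.fromisoformat(now_iso).replace(tzinfo=timezone.utc)
    not_before, not_after = parse_validity(certutil_text)
    if now < not_before:
        return "not-yet-valid"
    return "expired" if now > not_after else "valid"

def clock_setback_iso(certutil_text):
    """UTC instant one day before expiry (clamped to not-before): the clock-rollback workaround."""
    not_before, not_after = parse_validity(certutil_text)
    target = max(not_before, not_after - timedelta(days=1))
    return target.strftime("%Y-%m-%dT%H:%M:%S")

def audit(outputs, now_iso):
    """Map nickname -> status for a dict of {nickname: certutil text}."""
    return {nick: check_cert(text, now_iso) for nick, text in outputs.items()}

def dump_cert(dbdir, nickname):
    """Read one cert from a real NSS DB (needs certutil from nss-tools); not used offline."""
    cmd = ["certutil", "-L", "-d", dbdir, "-n", nickname]
    return subprocess.run(cmd, check=True, capture_output=True, text=True).stdout

# Constructed sample output (NOT from the thread), keyed by Dogtag nickname.
SAMPLE = {
    "caSigningCert cert-pki-ca": "        Validity:\n"
        "            Not Before: Fri Jun 10 15:02:18 2011\n"
        "            Not After : Tue Jun 10 15:02:18 2031\n",
    "Server-Cert cert-pki-ca": "        Validity:\n"
        "            Not Before: Fri Jun 10 15:02:18 2011\n"
        "            Not After : Sun Jun 10 15:02:18 2012\n",
}

if __name__ == "__main__":
    for nick, status in audit(SAMPLE, "2013-03-01T00:00:00").items():
        print(f"{nick}: {status}")
```

On a live box, feed `dump_cert("/var/lib/pki-ca/alias", nick)` for each nickname from `certutil -L -d /var/lib/pki-ca/alias` into `audit` instead of `SAMPLE`.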
Freeipa-users mailing list