Thomas Sailer wrote:
I have a few certificates that fail to be updated, for example the ldap
and http certificates. If I read the error message from getcert list
(see below) correctly, then the contents of the pinfiles are incorrect.
How do I fix this?
Thanks,
Tom
Does this work?
# ipa cert-show 1
I'm geussing it doesn't.
The nickname ipaCert in /etc/httpd/alias is the RA agent cert used to
authenticate to dogtag when doing certificate operations. I suspect that
its value hasn't been updated in the dogtag LDAP database.
A quick way to tell is:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep -i serial
# ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
uid=ipara,ou=People,o=ipaca description
This is assuming you've got a 2-instance installation where there is a
separate 389-ds instance for IPA and the CA. If you have a newer install
then the port isn't necessary.
If the serial number from certutil doesn't match the second
colon-separated value then that explains it.
You can see how to update this value at
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
rob
_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users