Thomas Sailer wrote:
I have a few certificates that fail to be updated, for example the ldap
and http certificates. If I read the error message from getcert list
(see below) correctly, then the contents of the pinfiles are incorrect.
How do I fix this?
Does this work?
# ipa cert-show 1
I'm guessing it doesn't.
The nickname ipaCert in /etc/httpd/alias is the RA agent cert used to
authenticate to dogtag when doing certificate operations. I suspect that
its value hasn't been updated in the dogtag LDAP database.
A quick way to tell is:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep -i serial
# ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b
This is assuming you've got a 2-instance installation where there is a
separate 389-ds instance for IPA and the CA. If you have a newer install
then the port isn't necessary.
If the serial number from certutil doesn't match the second
colon-separated value then that explains it.
You can see how to update this value at
Freeipa-users mailing list
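The serial comparison described in the reply, as an added example that is not part of the original thread: it parses the serial out of `certutil -L` output (which prints short serials in decimal with hex in parentheses and long ones as a hex dump) and compares it with the serial recorded in the dogtag LDAP entry. The sample outputs are constructed, and the entry format `2;<serial>;<issuer>;<subject>` (serial in the second field) is an assumption made here.

```python
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert` output,
# trimmed to the lines that matter for the check.
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.COM"
"""

# Constructed sample of the value stored for the RA agent in the dogtag LDAP
# database; assumed layout: "2;<serial>;<issuer DN>;<subject DN>".
LDAP_DESCRIPTION = "2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM"


def certutil_serial(text: str) -> int:
    """Return the certificate serial from certutil -L output as an int.

    Short serials print as 'Serial Number: 7 (0x7)'; long serials print
    as a colon-separated hex dump on the following line(s).
    """
    m = re.search(r"Serial Number:\s*(\d+)\s*\(0x[0-9a-fA-F]+\)", text)
    if m:
        return int(m.group(1))
    m = re.search(r"Serial Number:[ \t]*\n((?:\s*[0-9a-fA-F]{2}:?)+)", text)
    if m:
        hex_digits = re.sub(r"[\s:]", "", m.group(1))
        return int(hex_digits, 16)
    raise ValueError("no serial number found in certutil output")


def ldap_serial(description: str) -> int:
    """Return the serial stored in the dogtag entry (second field, decimal)."""
    fields = description.split(";")
    if len(fields) < 4 or fields[0] != "2":
        raise ValueError("unexpected description format: %r" % description)
    return int(fields[1])


def ra_cert_matches(certutil_text: str, description: str) -> bool:
    """True when the NSS database and dogtag agree on the RA cert serial.

    A mismatch is the symptom the reply describes: renewal has written a
    new ipaCert locally but dogtag still expects the old serial."""
    return certutil_serial(certutil_text) == ldap_serial(description)
```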