Matt Chesler wrote:
Hi all,

Our IPA instance started acting strangely earlier today.  I restarted
the IPA service on the primary node and things seemed to return to
normal.  Over the course of the day, we decided to add a third IPA
server to our environment.  When I attempted to perform the
ipa-replica-prepare, I received the following error:

[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.

After some additional digging, I discovered that several certs appear to
have expired recently, despite the fact that auto-renew appears to be
enabled.  The original node no longer exists.  All of the posts I seem
to be able to find indicate that I need the CSR from the original host.
How can I renew my IPA certs without the original master?  Below is
the scrubbed output of "getcert list".

The original node is the one configured to do the renewal. See


