Matt Chesler wrote:
Our IPA instance started acting strangely earlier today. I restarted
the IPA service on the primary node and things seemed to return to
normal. Over the course of the day, we decided to add a third IPA
server to our environment. When I attempted to perform the
ipa-replica-prepare, I received the following error:

[Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired.

After some additional digging, I discovered that several certs appear to
have expired recently, despite the fact that auto-renew appears to be
enabled. The original node no longer exists. All of the posts I seem
to be able to find indicate that I need the CSR from the original host.
How can I renew my IPA certs without the original master? Below is
the scrubbed output of "getcert list".

The original node is the one configured to do the renewal. See
Freeipa-users mailing list