Thank you for the tip,

Just created new /root/cacerts.p12. Should I import it to the CA somehow or just restart the ipa server?

Will reset the new replicate vm to clean CentOS 7 installation without any leftovers from ipa-replica-install.

-- Jani West
On 24.2.2015 17:06, Rob Crittenden wrote:
West, Jani wrote:

Validity, status and serials seem to be fine. One interesting pick:
While the installation is not too old it might be installed initially
with FreeIpa 2.x. That's why I have to use ldap port 7389 instead of 389.

# getcert list |grep expires
    expires: 2016-11-21 13:40:41 UTC
    expires: 2016-11-21 13:40:44 UTC
    expires: 2016-11-21 13:40:41 UTC
    expires: 2016-10-30 09:08:12 UTC
    expires: 2016-10-30 09:07:12 UTC
    expires: 2016-10-30 09:07:12 UTC
    expires: 2016-10-30 09:07:12 UTC
    expires: 2016-10-30 09:07:12 UTC
# getcert list -d /etc/httpd/alias -n ipaCert |egrep -i '(status|expires)'
    status: MONITORING
    expires: 2016-10-30 09:07:12 UTC
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
        Serial Number: 31 (0x1f)
# ldapsearch -x -h localhost -p 7389 -b uid=ipara,ou=People,o=ipaca
# extended LDIF
# LDAPv3
# base <uid=ipara,ou=People,o=ipaca> with scope subtree
# filter: (objectclass=*)
# requesting: description

# ipara, people, ipaca
dn: uid=ipara,ou=people,o=ipaca
description: 2;31;CN=Certificate Authority,O=WESTI;CN=IPA RA,O=WESTI

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1

I suspect you are bootstrapping the replica with expired certs. After
the failed install the certs probably still exist on the replica in
/var/lib/pki-ca/alias. Check the dates.

I think you need to refresh /root/cacerts.p12 on the master you are
preparing the replica on. In newer IPA we regenerate this on-the-fly but
it isn't in 3.0. Use PKCS12Export to do this.
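The two steps above (check the dates, then re-export the bundle) as an added shell example; this is not code from the thread or from FreeIPA. It assumes the IPA 3.0 paths /var/lib/pki-ca/alias and /var/lib/pki-ca/conf/password.conf, a file /root/p12-password that you write yourself to protect the exported bundle, and the PKCS12Export option letters -d -p -w -o (an assumption, check the tool's usage text on your master). The expiry lines are copied from the listing in this thread and the reference dates are constructed.

```shell
#!/bin/sh
# Added example for this thread, not FreeIPA code.
# expired_certs  : flag "expires:" lines of a getcert/certutil-style listing
#                  that fall before a reference UTC time ("check the dates").
# refresh_cacerts_p12 : the PKCS12Export call assumed for an IPA 3.0 master.

# expired_certs "YYYY-MM-DD HH:MM:SS"  < listing
# Prints every expiry earlier than the reference time; exit 1 if there is any.
expired_certs() {
    awk -v now="$1" '
        /expires:/ {
            sub(/.*expires: */, "")      # keep only the timestamp
            sub(/ UTC$/, "")
            # ISO-8601 UTC timestamps sort lexicographically, so a string
            # comparison is a correct date comparison here.
            if ($0 < now) { print; n++ }
        }
        END { exit (n > 0) }'
}

# refresh_cacerts_p12 NSSDB_DIR NSSDB_PWFILE P12_PWFILE OUT
# Exports the CA NSS database to a fresh PKCS#12 bundle. Guarded so the
# example still runs on a host without Dogtag: it reports and returns 2 there.
# Option letters -d -p -w -o are assumed; verify against PKCS12Export usage.
refresh_cacerts_p12() {
    if ! command -v PKCS12Export >/dev/null 2>&1; then
        echo "PKCS12Export not installed on this host; nothing exported" >&2
        return 2
    fi
    PKCS12Export -d "$1" -p "$2" -w "$3" -o "$4"
}

# Constructed sample: five of the expiry lines from the listing in this thread.
SAMPLE_LISTING='
    expires: 2016-11-21 13:40:41 UTC
    expires: 2016-11-21 13:40:44 UTC
    expires: 2016-11-21 13:40:41 UTC
    expires: 2016-10-30 09:08:12 UTC
    expires: 2016-10-30 09:07:12 UTC
'

main() {
    # At the time of the thread (Feb 2015) nothing in the listing is expired ...
    printf '%s\n' "$SAMPLE_LISTING" | expired_certs "2015-02-24 17:06:00" \
        && echo "2015-02-24: no expired certs in listing"
    # ... but a replica prepared after 2016-10-30 would import expired certs.
    printf '%s\n' "$SAMPLE_LISTING" | expired_certs "2016-11-01 00:00:00" \
        || echo "2016-11-01: expired certs above, refresh cacerts.p12 first"
    # Assumed IPA 3.0 paths; /root/p12-password is a file you create yourself.
    refresh_cacerts_p12 /var/lib/pki-ca/alias /var/lib/pki-ca/conf/password.conf \
        /root/p12-password /root/cacerts.p12 || true
}
main "$@"
```

Run the expiry check against the live output on the master (getcert list, or certutil -L -d /var/lib/pki-ca/alias for the CA database the replica is bootstrapped from) with `date -u '+%F %T'` as the reference time; only re-export once nothing in that database is expired, otherwise the new bundle carries the same stale certificates.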
