John Williams wrote:
> 
>> You are going way to far back in time AFAICT. The certs expired on April
>> 5 of this year so you don't need to go back to 2014. Just go back to
>> April 3 or 4.
> 
>> You'll also need to restart IPA before kicking certmonger ipactl restart
> 
>> rob
> 
> 
> 
> 
> *******  SNIP *******
> 
> Thanks!!
> 
> 
> Following your advice, it looks like only one of the eight certificates
> are now monitoring.  Check out the following:

It's impossible to see what is going on with this output, other than the
fact that your hostname seems to be using the shortname rather than FQDN
(or order is bad in /etc/hosts), based on the error for the cert in
MONITORING.

rob

> 
> 
> [root@ipa ~]# getcert list | grep -A1 status
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Error 60 connecting to
> https://ipa.infra.idef:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
> --
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: EXCEPTION (Invalid Credential.)).
> --
> status: CA_UNREACHABLE
> ca-error: Server at https://ipa.infra.idef/ipa/xml failed request, will
> retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: EXCEPTION (Invalid Credential.)).
> --
> status: MONITORING
> ca-error: Server at https://ipa.infra.idef/ipa/xml denied our request,
> giving up: 2100 (RPC failed at server.  Insufficient access: hostname in
> subject of request 'ipa.infra.idef' does not match principal hostname
> 'ipa').
> 
> How can I get the remaining certs fixed as well?  Thanks in advance.
> 
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to