Linov Suresh wrote:
I logged into my IPA master and found that the cert had expired again;
we renewed these certificates about 18 months ago.

Our environment is CentOS 6.4 and IPA 3.0.0-26.

I followed the Red Hat documentation, "How do I manually renew Identity
Management (IPA) certificates after they have expired? (Master IPA
Server)", but no luck.

I have also changed the directive "NSSEnforceValidCerts off" in
/etc/httpd/conf.d/nss.conf and the value of nsslapd-validate-cert is warn.

ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -w ******* -b cn=config | grep nsslapd-validate-cert

nsslapd-validate-cert: warn

Here is my getcert list,

[root@caer ~]# getcert list

It looks like your CA subsystem certificates all renewed successfully; it is just the webserver and LDAP certificates that need renewing, so that's good.

What I'd do is go back in time again to, say, Jan 20, 2016 and restart certmonger. That should make it retry the renewals.
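An added example, not part of the thread: a small Python helper that reads `getcert list` output, reports which tracked requests have expired, and proposes a clock date shortly before the earliest of those expiries, which is the kind of date the reply above picks by hand. The sample text, request IDs, EXAMPLE.TEST names and the 7-day margin are constructed assumptions, not values from the poster's system.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `getcert list` prints; not output from the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140101000001':
\tstatus: MONITORING
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2017-10-13 14:10:49 UTC
Request ID '20140101000002':
\tstatus: CA_UNREACHABLE
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-01-29 14:09:46 UTC
Request ID '20140101000003':
\tstatus: CA_UNREACHABLE
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-01-29 14:10:08 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request: id, status, subject, expires."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        key, sep, value = line.strip().partition(": ")
        if requests and sep and key in ("status", "subject", "expires"):
            requests[-1][key] = value
    for r in requests:
        if "expires" in r:
            r["expires"] = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
    return requests

def expired(requests, now):
    """Requests whose certificate is no longer valid at `now` (UTC)."""
    return [r for r in requests if "expires" in r and r["expires"] <= now]

def rollback_date(requests, now, margin_days=7):
    """Clock date `margin_days` before the earliest expired cert's expiry, or None.
    The output carries no issue dates, so whether the already-renewed CA
    certificates are valid at that date has to be checked separately."""
    gone = expired(requests, now)
    return min(r["expires"] for r in gone) - timedelta(days=margin_days) if gone else None

if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    print([r["id"] for r in expired(reqs, datetime.utcnow())], rollback_date(reqs, datetime.utcnow()))
```

On a real master, the text would come from running `getcert list` as root and passing its output to `parse_getcert`.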

