I have followed the Red Hat official documentation, https://access.redhat.com/solutions/643753, for certificate renewal, which says *add: usercertificate* (step 12).

On the other hand, the FreeIPA official documentation, http://www.freeipa.org/page/IPA_2x_Certificate_Renewal, says to *add: usercertificate;binary*.

Just wondering if we need to *add* the certificate or *replace* the existing certificate, and which format do we need to use, *pem* or *der*?

We already successfully renewed the certificates about months back, but they were expired about 6 months back and we were not able to renew till now, and it has affected our production environment. Please help us.

On Tue, Jul 19, 2016 at 9:27 AM, Linov Suresh <linov.sur...@gmail.com> wrote:

> We have cloned and created another virtual server from the template.
> Surprisingly this server certificates were also expired at the same time as
> the previous, just lasted for a day.
> This issue has something to do with the kerberos tickets?
>
> I am new to IPA and your help is highly appreciated.
>
> On Mon, Jul 18, 2016 at 12:37 PM, Linov Suresh <linov.sur...@gmail.com>
> wrote:
>
>> *Update: my webserver and LDAP certificates were expired at 2016-07-18
>> 15:54:36 UTC and the certificates are in CA_UNREACHABLE state.*
>>
>> *Could you please help us?*
>>
>> [root@caer tmp]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20111214223243':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction. Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> *expires: 2016-07-18 15:54:36 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20111214223300':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction. Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> *expires: 2016-07-18 15:54:52 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20111214223316':
>> status: CA_UNREACHABLE
>> ca-error: Server failed request, will retry: -504 (libcurl failed
>> to execute the HTTP POST transaction. Peer certificate cannot be
>> authenticated with known CA certificates).
>> stuck: yes
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> *expires: 2016-07-18 15:55:04 UTC*
>> eku: id-kp-serverAuth
>> pre-save command:
>> post-save command:
>> track: yes
>> auto-renew: yes
>> Request ID '20130519130741':
>> status: MONITORING
>> ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
>> ".
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=CA Audit,O=TELOIP.NET
>> expires: 2017-10-13 14:10:49 UTC
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20130519130742':
>> status: MONITORING
>> ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
>> ".
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=OCSP Subsystem,O=TELOIP.NET
>> expires: 2017-10-13 14:09:49 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20130519130743':
>> status: MONITORING
>> ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>> ".
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=CA Subsystem,O=TELOIP.NET
>> expires: 2017-10-13 14:09:49 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>> post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20130519130744':
>> status: MONITORING
>> ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
>> ".
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>> Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=RA Subsystem,O=TELOIP.NET
>> expires: 2017-10-13 14:09:49 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>> Request ID '20130519130745':
>> status: MONITORING
>> ca-error: Internal error: no response to "
>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
>> ".
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>> certificate:
>> type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=TELOIP.NET
>> subject: CN=caer.teloip.net,O=TELOIP.NET
>> expires: 2017-10-13 14:09:49 UTC
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "
>> TELOIP.NET"
>> track: yes
>> auto-renew: yes
>>
>> On Mon, Jul 18, 2016 at 12:00 PM, Linov Suresh <linov.sur...@gmail.com>
>> wrote:
>>
>>> Yes, PKI is running and I don't see any errors in selftests, I have
>>> followed https://access.redhat.com/solutions/643753 and restarted the
>>> PKI in step 10.
>>>
>>> The only change which I made was clean up userCertificate;binary before
>>> adding new userCertificate in LDAP, which is step 12.
>>>
>>> [root@caer ~]# /etc/init.d/pki-cad status
>>> pki-ca (pid 8634) is running... [ OK ]
>>> Unsecure Port = http://caer.teloip.net:9180/ca/ee/ca
>>> Secure Agent Port = https://caer.teloip.net:9443/ca/agent/ca
>>> Secure EE Port = https://caer.teloip.net:9444/ca/ee/ca
>>> Secure Admin Port = https://caer.teloip.net:9445/ca/services
>>> EE Client Auth Port = https://caer.teloip.net:9446/ca/eeca/ca
>>> PKI Console Port = pkiconsole https://caer.teloip.net:9445/ca
>>> Tomcat Port = 9701 (for shutdown)
>>>
>>> PKI Instance Name: pki-ca
>>>
>>> PKI Subsystem Type: Root CA (Security Domain)
>>>
>>> Registered PKI Security Domain Information:
>>>
>>> ==========================================================================
>>> Name: IPA
>>> URL: https://caer.teloip.net:9445
>>>
>>> ==========================================================================
>>> [root@caer ~]#
>>> [root@caer ~]# tail -f /var/log/pki-ca/selftests.log
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>> loading all self test plugin logger parameters
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>> loading all self test plugin instances
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>> loading all self test plugin instance parameters
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>> loading self test plugins in on-demand order
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem:
>>> loading self test plugins in startup order
>>> 8634.main - [18/Jul/2016:11:46:20 EDT] [20] [1] SelfTestSubsystem: Self
>>> test plugins have been successfully loaded!
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem:
>>> Running self test plugins specified to be executed at startup:
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] CAPresence: CA is
>>> present
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SystemCertsVerification:
>>> system certs verification success
>>> 8634.main - [18/Jul/2016:11:46:21 EDT] [20] [1] SelfTestSubsystem: All
>>> CRITICAL self test plugins ran SUCCESSFULLY at startup!
>>>
>>> Your help is highly appreciated!
>>>
>>> Linov Suresh
>>>
>>> 70 Forest Manor Rd.
>>> Toronto
>>> ON M2J 0A9
>>> Mobile: +1 647 406 9438
>>> Linkedin: ca.linkedin.com/in/linov/
>>> Website: http://mylinuxthoughts.blogspot.com
>>>
>>> On Mon, Jul 18, 2016 at 10:50 AM, Petr Vobornik <pvobo...@redhat.com>
>>> wrote:
>>>
>>>> On 07/18/2016 05:45 AM, Linov Suresh wrote:
>>>> > Thanks for the update Rob. I went back to Jan 20, 2016, restarted CA
>>>> and
>>>> > certmonger. Look like certificates were renewed. But I'm getting a
>>>> different
>>>> > error now,
>>>> >
>>>> > *ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>>>> ".*
>>>>
>>>> Is PKI running? When you change the time, does restart of IPA help?
>>>>
>>>> >
>>>> > [root@caer ~]# getcert list
>>>> > Number of certificates and requests being tracked: 8.
>>>> > Request ID '20111214223243':
>>>> > status: MONITORING
>>>> > stuck: no
>>>> > key pair storage:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>>>> > Certificate DB',pinfile='/etc/dirsrv/slapd-TELOIP-NET//pwdfile.txt'
>>>> > certificate:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-TELOIP-NET',nickname='Server-Cert',token='NSS
>>>> > Certificate DB'
>>>> > CA: IPA
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=caer.teloip.net <http://caer.teloip.net>,O=
>>>> TELOIP.NET
>>>> > <http://TELOIP.NET>
>>>> > expires: 2016-07-18 15:54:36 UTC
>>>> > eku: id-kp-serverAuth
>>>> > pre-save command:
>>>> > post-save command:
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > Request ID '20111214223300':
>>>> > status: MONITORING
>>>> > stuck: no
>>>> > key pair storage:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>> Certificate
>>>> > DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>>>> > certificate:
>>>> >
>>>> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
>>>> Certificate
>>>> > DB'
>>>> > CA: IPA
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=caer.teloip.net <http://caer.teloip.net>,O=
>>>> TELOIP.NET
>>>> > <http://TELOIP.NET>
>>>> > expires: 2016-07-18 15:54:52 UTC
>>>> > eku: id-kp-serverAuth
>>>> > pre-save command:
>>>> > post-save command:
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > Request ID '20111214223316':
>>>> > status: MONITORING
>>>> > stuck: no
>>>> > key pair storage:
>>>> >
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>> > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > certificate:
>>>> >
>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>>>> > Certificate DB'
>>>> > CA: IPA
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=caer.teloip.net <http://caer.teloip.net>,O=
>>>> TELOIP.NET
>>>> > <http://TELOIP.NET>
>>>> > expires: 2016-07-18 15:55:04 UTC
>>>> > eku: id-kp-serverAuth
>>>> > pre-save command:
>>>> > post-save command:
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > Request ID '20130519130741':
>>>> > status: MONITORING
>>>> > ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=61&renewal=true&xml=true
>>>> ".
>>>> > stuck: no
>>>> > key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> > certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> > CA: dogtag-ipa-renew-agent
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=CA Audit,O=TELOIP.NET <http://TELOIP.NET>
>>>> > expires: 2017-10-13 14:10:49 UTC
>>>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> > "auditSigningCert cert-pki-ca"
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > Request ID '20130519130742':
>>>> > status: MONITORING
>>>> > ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true
>>>> ".
>>>> > stuck: no
>>>> > key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> > certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> > CA: dogtag-ipa-renew-agent
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=OCSP Subsystem,O=TELOIP.NET <http://TELOIP.NET>
>>>> > expires: 2017-10-13 14:09:49 UTC
>>>> > eku: id-kp-OCSPSigning
>>>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> > "ocspSigningCert cert-pki-ca"
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > Request ID '20130519130743':
>>>> > status: MONITORING
>>>> > ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true
>>>> ".
>>>> > stuck: no
>>>> > key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> > certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> > CA: dogtag-ipa-renew-agent
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=CA Subsystem,O=TELOIP.NET <http://TELOIP.NET>
>>>> > expires: 2017-10-13 14:09:49 UTC
>>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>> > post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
>>>> > "subsystemCert cert-pki-ca"
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > Request ID '20130519130744':
>>>> > status: MONITORING
>>>> > ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true
>>>> ".
>>>> > stuck: no
>>>> > key pair storage:
>>>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>> Certificate
>>>> > DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> > certificate:
>>>> > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
>>>> Certificate DB'
>>>> > CA: dogtag-ipa-renew-agent
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=RA Subsystem,O=TELOIP.NET <http://TELOIP.NET>
>>>> > expires: 2017-10-13 14:09:49 UTC
>>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > pre-save command:
>>>> > post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > Request ID '20130519130745':
>>>> > status: MONITORING
>>>> > ca-error: Internal error: no response to
>>>> > "
>>>> http://caer.teloip.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true
>>>> ".
>>>> > stuck: no
>>>> > key pair storage:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>> > cert-pki-ca',token='NSS Certificate DB',pin='297100916664'
>>>> > certificate:
>>>> > type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
>>>> > cert-pki-ca',token='NSS Certificate DB'
>>>> > CA: dogtag-ipa-renew-agent
>>>> > issuer: CN=Certificate Authority,O=TELOIP.NET <
>>>> http://TELOIP.NET>
>>>> > subject: CN=caer.teloip.net <http://caer.teloip.net>,O=
>>>> TELOIP.NET
>>>> > <http://TELOIP.NET>
>>>> > expires: 2017-10-13 14:09:49 UTC
>>>> > eku: id-kp-serverAuth,id-kp-clientAuth
>>>> > pre-save command:
>>>> > post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv "
>>>> TELOIP.NET
>>>> > <http://TELOIP.NET>"
>>>> > track: yes
>>>> > auto-renew: yes
>>>> > [root@caer ~]#
>>>> >
>>>> > Your help is highly appreciated!
>>>> >
>>>> > On Fri, Jul 15, 2016 at 5:08 PM, Rob Crittenden <rcrit...@redhat.com
>>>> > <mailto:rcrit...@redhat.com>> wrote:
>>>> >
>>>> > Linov Suresh wrote:
>>>> >
>>>> > I logged into my IPA master, and found that the cert had
>>>> expired again,
>>>> > we renewed these certificates about 18 months ago.
>>>> >
>>>> > Our environment is CentOS 6.4 and IPA 3.0.0-26.
>>>> >
>>>> > I followed the Redhat documentation,How do I manually
>>>> renew Identity
>>>> > Management (IPA) certificates after they have expired?
>>>> (Master IPA
>>>> > Server), https://access.redhat.com/solutions/643753 but
>>>> no luck.
>>>> >
>>>> > I have also changed the directive "NSSEnforceValidCerts off"
>>>> in
>>>> > /etc/httpd/conf.d/nss.conf and the value of
>>>> nsslapd-validate-cert is warn.
>>>> >
>>>> > ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager'
>>>> -w *******
>>>> > -b cn=config | grep nsslapd-validate-cert
>>>> >
>>>> > nsslapd-validate-cert: warn
>>>> >
>>>> > Here is my getcert list,
>>>> >
>>>> > [root@caer ~]# getcert list
>>>> >
>>>> > It looks like your CA subsystem certificates all renewed
>>>> successfully it is
>>>> > just the webserver and LDAP certificates that need renewing so
>>>> that's good.
>>>> >
>>>> > What I'd do is go back in time again to say Jan 20, 2016 and
>>>> restart
>>>> > certmonger. That should make it retry the renewals.
>>>> >
>>>> > rob
>>>> >
>>>>
>>>> --
>>>> Petr Vobornik
>>>>
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
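
Added example, not part of the original thread: a small Python triage of `getcert list` output that re-joins mail-wrapped values and reports which tracked requests are expired, stuck, or carrying a `ca-error` at a chosen reference time. The function names `parse_getcert` and `triage` are hypothetical, and the sample is constructed by abridging two requests from the output quoted above.

```python
import re
from datetime import datetime, timezone

# Field names as printed in the `getcert list` output quoted in this thread.
FIELDS = {"status", "ca-error", "stuck", "key pair storage", "certificate",
          "CA", "issuer", "subject", "expires", "eku", "pre-save command",
          "post-save command", "track", "auto-renew"}

# Constructed sample: two requests abridged from the thread, mail-wrapped.
SAMPLE = """\
Request ID '20111214223316':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP
POST transaction. Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    expires: 2016-07-18 15:55:04 UTC
Request ID '20130519130741':
    status: MONITORING
    ca-error: Internal error: no response to "
http://caer.teloip.net:9180/ca/ee/ca/profileSubmit".
    certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
    expires: 2017-10-13 14:10:49 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request, re-joining mail-wrapped values."""
    requests, cur, last = [], None, None
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()  # drop quote marks, indent
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            cur, last = {"id": m.group(1)}, None
            requests.append(cur)
            continue
        if cur is None or not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            cur[key], last = value.strip(), key
        elif last:                                   # continuation of a wrapped value
            cur[last] = (cur[last] + " " + line).strip()
    return requests

def triage(requests, now):
    """List (request id, nickname, problems) for requests needing attention at `now`."""
    findings = []
    for r in requests:
        problems = []
        if "expires" in r:
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if exp.replace(tzinfo=timezone.utc) <= now:
                problems.append("expired")
        if r.get("status") != "MONITORING":
            problems.append("status=" + r.get("status", "unknown"))
        if r.get("stuck") == "yes":
            problems.append("stuck")
        if "ca-error" in r:
            problems.append("ca-error")
        nick = re.search(r"nickname='([^']+)'", r.get("certificate", ""))
        if problems:
            findings.append((r["id"], nick.group(1) if nick else None, problems))
    return findings
```

Calling `triage(parse_getcert(output), datetime.now(timezone.utc))` on live output gives the same report; passing an earlier `now` shows what certmonger would see with the clock set back.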