I have been experiencing some issues with a FreeIPA instance that I
maintain. More specifically pki-tomcat has not started since around the time
it’s certificate renewed. I submitted this bug report
https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to be
This installation does have one instresting issue that I believe may be
causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid CA
certificates and when I run openssl verify with ether of them as the CA and the
new subsystem certificate I get an OK message. I also believe that this issue
is causing me not to be able to do a ipa-certupdate on the broken IPA server.
Is there a way to to clean this up, should I try renewing the CA certificate
and get rid of the old LDAP entries?
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project