I have been experiencing some issues with a FreeIPA instance that I 
maintain. More specifically, pki-tomcat has not started since around the time 
its certificate renewed. I submitted this bug report, however a solution has yet to be 

This installation does have one interesting issue that I believe may be 
causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA 
CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid CA 
certificates, and when I run openssl verify with either of them as the CA and the 
new subsystem certificate, I get an OK message. I also believe that this issue 
is causing me not to be able to do an ipa-certupdate on the broken IPA server. 
Is there a way to clean this up? Should I try renewing the CA certificate 
and get rid of the old LDAP entries?
