Joseph Vandermaas wrote:
> All
>       I have been experiencing some issues with a FreeIPA instance that I 
> maintain. More specifically pki-tomcat has not started since around the time 
> its certificate renewed. I submitted this bug report 
> https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to 
> be found.
>       This installation does have one interesting issue that I believe may be 
> causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA 
> CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid 
> CA certificates and when I run openssl verify with either of them as the CA 
> and the new subsystem certificate I get an OK message. I also believe that 
> this issue is causing me not to be able to do an ipa-certupdate on the broken 
> IPA server. Is there a way to clean this up, should I try renewing the CA 
> certificate and get rid of the old LDAP entries?
> 

What did you do, as exactly as you can remember, to get the certificates
renewed?

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project