I got really busy, sorry about the delay. It was a coworker who renewed our CA cert during an upgrade from CentOS 6 to CentOS 7. I remember him saying that during the upgrade the CA broke and he had to mess around with it. According to him, "Pretty sure I did the walk the clock back thing, but it's been so long I don't remember." As for pki-tomcat, its certs were renewed automatically.

I have tried the workaround that was suggested on the open bug, and that did not fix my issue.

On Thu, 9 Feb 2017, Rob Crittenden wrote:

Joseph Vandermaas wrote:
I have been experiencing some issues with a FreeIPA instance that I
maintain. More specifically, pki-tomcat has not started since around the time
its certificate renewed. I submitted this bug report
https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to be
This installation does have one interesting issue that I believe may be
causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid CA
certificates, and when I run openssl verify with either of them as the CA and the
new subsystem certificate I get an OK message. I also believe that this issue
is causing me not to be able to do an ipa-certupdate on the broken IPA server.
Is there a way to clean this up? Should I try renewing the CA certificate
and get rid of the old LDAP entries?

What did you do, as exactly as you can remember, to get the certificates
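An added example, not from this thread: a self-contained Go program that reproduces the observation above, a subsystem certificate that verifies OK against either of two CA certificates. It builds what a same-key CA renewal leaves behind, one key pair and two self-signed CA certificates that differ only in serial number and validity, then issues a leaf under the renewed one; all names, serials and lifetimes are made up.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must panics on error; in this constructed demo an error can only be a programming mistake.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue signs tmpl with caKey (parent == tmpl gives a self-signed CA certificate) and parses the result.
func issue(tmpl, parent *x509.Certificate, pub any, caKey *rsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey))))
}

// VerifyAgainst reports whether leaf chains to the single given root, the same check as
// "openssl verify -CAfile <root> <leaf>" (extended key usage is not checked, as in openssl's default).
func VerifyAgainst(leaf, root *x509.Certificate) bool {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// RenewedCADemo builds the scenario: one CA key pair, the original CA certificate (serial 1), a renewal
// reusing the key (serial 2), and a subsystem certificate issued under the renewal. It returns whether
// the subsystem certificate verifies against each CA certificate and whether the two CA certs share a key.
func RenewedCADemo() (oldOK, newOK, sameKey bool) {
	caKey := must(rsa.GenerateKey(rand.Reader, 2048))
	now, caName := time.Now(), pkix.Name{Organization: []string{"EXAMPLE.COM"}, CommonName: "Certificate Authority"}
	caCert := func(serial int64, years int) *x509.Certificate { // constructed names, serials and lifetimes
		t := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: caName, NotBefore: now.Add(-time.Hour),
			NotAfter: now.AddDate(years, 0, 0), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
		return issue(t, t, &caKey.PublicKey, caKey)
	}
	oldCA, newCA := caCert(1, 1), caCert(2, 2)
	subKey := must(rsa.GenerateKey(rand.Reader, 2048))
	subTmpl := &x509.Certificate{SerialNumber: big.NewInt(100), Subject: pkix.Name{CommonName: "CA Subsystem"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.AddDate(1, 0, 0), KeyUsage: x509.KeyUsageDigitalSignature}
	sub := issue(subTmpl, newCA, &subKey.PublicKey, caKey)
	return VerifyAgainst(sub, oldCA), VerifyAgainst(sub, newCA),
		string(oldCA.RawSubjectPublicKeyInfo) == string(newCA.RawSubjectPublicKeyInfo)
}
```

Because the signature checks out against either certificate, openssl verify cannot tell the two LDAP entries apart; comparing their serial numbers and validity periods can.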
