I got really busy, sorry about the delay. It was a coworker who renewed our
CA cert during an upgrade from CentOS 6 to CentOS 7. I remember him saying
that during the upgrade the CA broke and he had to mess around with it.
According to him, "Pretty sure I did the walk the clock back thing, but
it's been so long I don't remember." As for pki-tomcat its certs where
I have tried the workaround that was suggested on the open bug and that
did not fix my issue.
On Thu, 9 Feb 2017, Rob Crittenden wrote:
Joseph Vandermaas wrote:
I have been experiencing some issues with a FreeIPA instance that I
maintain. More specifically, pki-tomcat has not started since around the time
its certificate renewed. I submitted this bug report
https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to be
This installation does have one interesting issue that I believe may be
causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid CA
certificates, and when I run openssl verify with either of them as the CA and the
new subsystem certificate I get an OK message. I also believe that this issue
is causing me not to be able to do an ipa-certupdate on the broken IPA server.
Is there a way to clean this up? Should I try renewing the CA certificate
and get rid of the old LDAP entries?
What did you do, as exactly as you can remember, to get the certificates
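The situation described in the quoted message (two CA certificate entries with the same subject, both of which make `openssl verify` say OK for the subsystem certificate) is reproduced below as an added example that is not part of the thread: a renewed CA certificate issued from the same key pair validates the same leaf, so the two entries have to be told apart by their validity windows and key fingerprint rather than by `openssl verify`. All file names, subjects and the temporary directory are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the thread: two CA certificates with one subject
# and one key pair (a renewed CA, like the two LDAP entries above) plus one
# subsystem cert, showing why "openssl verify" passes for both and how to
# tell the entries apart. All names and paths are constructed.
set -eu
WORK="${WORK:-$(mktemp -d)}"
# Constructed fixtures: original CA, renewed CA (same key), subsystem cert.
make_fixtures() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -keyout "$WORK/ca.key" -out "$WORK/ca1.pem" \
        -subj "/CN=EXAMPLE.COM IPA CA" 2>/dev/null
    openssl req -x509 -new -key "$WORK/ca.key" -sha256 -days 730 \
        -out "$WORK/ca2.pem" -subj "/CN=EXAMPLE.COM IPA CA" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -sha256 \
        -keyout "$WORK/sub.key" -out "$WORK/sub.csr" \
        -subj "/CN=CA Subsystem" 2>/dev/null
    openssl x509 -req -in "$WORK/sub.csr" -CA "$WORK/ca1.pem" \
        -CAkey "$WORK/ca.key" -CAcreateserial -days 365 -sha256 \
        -out "$WORK/sub.pem" 2>/dev/null
}
# verify_against CA LEAF -> prints OK or FAIL without aborting the script.
verify_against() {
    if openssl verify -CAfile "$1" "$2" >/dev/null 2>&1; then echo OK; else echo FAIL; fi
}
# pubkey_fp CERT -> SHA-256 of the DER public key. Equal values mean both
# CA entries hold the same key pair, so either one validates the same leaf.
pubkey_fp() {
    openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER |
        openssl dgst -sha256 | awk '{print $NF}'
}
# describe CERT -> validity window and key fingerprint on one line.
describe() {
    printf '%s | %s | %s | key=%s\n' "$(basename "$1")" \
        "$(openssl x509 -in "$1" -noout -startdate)" \
        "$(openssl x509 -in "$1" -noout -enddate)" "$(pubkey_fp "$1")"
}
main() {
    make_fixtures
    for ca in "$WORK/ca1.pem" "$WORK/ca2.pem"; do
        describe "$ca"
        echo "  verify sub.pem: $(verify_against "$ca" "$WORK/sub.pem")"
    done
}
main
```

The same `describe` and `pubkey_fp` helpers can be pointed at the two certificates exported from the LDAP entries to see whether they share a key and which validity window each covers.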