I got really busy sorry about the delay. It was a coworker who renewed our CA cert during an upgrade from Centos 6 to Centos 7. I remember him saying during the upgrade the CA broke and he had to mess around with it. According to him "Pretty sure I did the walk the clock back thing, but it's been so long I don't remember." As for pki-tomcat it certs where renewed automatically.

I have tried the work around that was suggested on the open bug and that did not fix my issue.


On Thu, 9 Feb 2017, Rob Crittenden wrote:

Joseph Vandermaas wrote:
All
        I have been experiencing some issues with a FreeIPA instance that I 
maintain. More specifically pki-tomcat has not started since around the time 
it’s certificate renewed. I submitted this bug report 
https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to be 
found.
        This installation does have one instresting issue that I believe may be 
causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA 
CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid CA 
certificates and when I run openssl verify with ether of them as the CA and the 
new subsystem certificate I get an OK message. I also believe that this issue 
is causing me not to be able to do a ipa-certupdate on the broken IPA server. 
Is there a way to to clean this up, should I try renewing the CA certificate 
and get rid of the old LDAP entries?


What did you do, as exactly as you can remember, to get the certificates
renewed?

rob
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to