Hey Rob,
I have an update that'll close out this thread.
We discovered that the code in the pki-ca was looking for a CN of the IPA RA's
serial number in ou=certificateRepository,ou=ca,o=ipaca. This didn't exist and
we realized it might be part of the problem. It turns out that it was which
Yeah, I was referring to the instructions in
https://www.freeipa.org/page/Certmonger#Manually_renew_a_certificate which
discuss manual renewal of a certificate which is interesting to us since the
all the nodes in the IPA cluster on prod have the same cert that's expiring on
Tuesday.
For what
Hey Rob,
You may recall earlier when I said that we wound up pulling an expired cert on
one of our staging IPA replicas after updating the xmlrpc_server variable to
point to a different host. It's not clear to us how best to fix that cert
(although I suppose we could roll back time on the
Cool. We'll work on this some more and let you know how The Gathering goes.
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Thanks, Rob.
Unfortunately my test in staging resulted in an expired dogtag cert. The
staging environment didn't have any certificates that were due to expire soon
so I updated the xmlrpc_server variable on one of the four IPA hosts we have to
another one in the same AWS region and restarted
Hey Rob,
It's the NSSDB cert. Here's some console output that might be helpful.
PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358
Request ID '20150827000358':
status: MONITORING
ca-error: Server at
Hi all,
We run IPA 3.0.0 and have a cert on the CA master expiring in about 10 days.
The problem is that we mistakenly provisioned the last cert using an old
hostname which means that automatically renewing the cert fails, and the IPA
cert checks we run fails with...
ca-error: Server at
