> I'm asking you to compare because it's unexpected to see a subject
> CN=localhost for the IPA CA. Someone has probably messed up with some
> commands and replaced the original IPA CA with a wrong one in the
> /etc/pki/pki-tomcat/alias database. If that's the case, we can put the
> right CA back
Hi,
I would start by doing a backup of the NSS database (save the directory and
files from /etc/pki/pki-tomcat/alias).
Then remove the wrong cert using:
certutil -D -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca'
and install the good one using
certutil -A -d /etc/pki/pki-tomcat/alia
> I'm asking you to compare because it's unexpected to see a subject
> CN=localhost for the IPA CA. Someone has probably messed up with some
> commands and replaced the original IPA CA with a wrong one in the
> /etc/pki/pki-tomcat/alias database. If that's the case, we can put the
> right CA back w
Hi,
On Thu, Nov 17, 2022 at 7:59 PM Sean McLennan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
>
> > ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but
> > it definitely looks wrong, unless IPA was installed with custom (and
> > puzzling) options: sub
I feel like this output from "ipa-certupdate -v" is relevant:
ipapython.ipautil: DEBUG: stderr=
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request
'20201114211109'
ipalib.install.certmonger: DEBUG: certmonger request is in state
dbus.String(u'GENERATING_CSR', variant_level=
> ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but
> it definitely looks wrong, unless IPA was installed with custom (and
> puzzling) options: subject CN=localhost.
>
> How was IPA installed? The default settings would install a self-signed CA
> with subject CN=Certifica
Hi,
On Thu, Nov 17, 2022 at 6:22 PM Sean McLennan via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
> Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list"
> results correctly? When it says CA_UNREACHABLE because the cert expired,
> isn't that the CA Cert?
>
> Nu
Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list"
results correctly? When it says CA_UNREACHABLE because the cert expired, isn't
that the CA Cert?
Number of certificates and requests being tracked: 9.
Request ID '20201114211025':
status: MONITORING
stuck: n
Oh. :P Well isn't that embarrassing.
I guess it's the server certificate then?
ipa: ERROR: cannot connect to 'https://ipa01./ipa/json': [SSL:
CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)
Sean McLennan via FreeIPA-users wrote:
> Went onto my IPA server today to discover the certificate had not been
> automatically renewed. It's a self-signed cert.
>
> I set the date back before the expiry and tried:
> ipa-cacert-manage renew
>
> which results in:
>
> 'NoneType' object has no att