[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-23 Thread Sean McLennan via FreeIPA-users
> I'm asking you to compare because it's unexpected to see a subject CN=localhost for the IPA CA. Someone has probably messed up with some commands and replaced the original IPA CA with a wrong one in the /etc/pki/pki-tomcat/alias database. If that's the case, we can put the right CA back

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-22 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, I would start by doing a backup of the NSS database (save the directory and files from /etc/pki/pki-tomcat/alias). Then remove the wrong cert using: certutil -D -d /etc/pki/pki-tomcat/alias/ -n 'caSigningCert cert-pki-ca' and install the good one using certutil -A -d /etc/pki/pki-tomcat/alia

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-18 Thread Sean McLennan via FreeIPA-users
> I'm asking you to compare because it's unexpected to see a subject CN=localhost for the IPA CA. Someone has probably messed up with some commands and replaced the original IPA CA with a wrong one in the /etc/pki/pki-tomcat/alias database. If that's the case, we can put the right CA back w

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-18 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Nov 17, 2022 at 7:59 PM Sean McLennan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
>
> > ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but it definitely looks wrong, unless IPA was installed with custom (and puzzling) options: sub

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users
I feel like this output from "ipa-certupdate -v" is relevant:
ipapython.ipautil: DEBUG: stderr=
ipaclient.install.ipa_certupdate: DEBUG: resubmitting certmonger request '20201114211109'
ipalib.install.certmonger: DEBUG: certmonger request is in state dbus.String(u'GENERATING_CSR', variant_level=

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users
> ^ This one (caSigningCert cert-pki-ca) is IPA CA and expires 2022-11-11 but it definitely looks wrong, unless IPA was installed with custom (and puzzling) options: subject CN=localhost.
>
> How was IPA installed? The default settings would install a self-signed CA with subject CN=Certifica

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Thu, Nov 17, 2022 at 6:22 PM Sean McLennan via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list" results correctly? When it says CA_UNREACHABLE because the cert expired, isn't that the CA Cert?
>
> Nu

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users
Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list" results correctly? When it says CA_UNREACHABLE because the cert expired, isn't that the CA Cert?
Number of certificates and requests being tracked: 9.
Request ID '20201114211025':
status: MONITORING
stuck: n

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-17 Thread Sean McLennan via FreeIPA-users
Oh. :P Well isn't that embarrassing. I guess it's the server certificate then?
ipa: ERROR: cannot connect to 'https://ipa01./ipa/json': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:727)

[Freeipa-users] Re: "ipa-cacert-manage renew" is failing

2022-11-16 Thread Rob Crittenden via FreeIPA-users
Sean McLennan via FreeIPA-users wrote:
> Went onto my IPA server today to discover the certificate had not been automatically renewed. It's a self-signed cert.
>
> I set the date back before the expiry and tried:
> ipa-cacert-manage renew
>
> which results in:
>
> 'NoneType' object has no att