Hi Peter,
this is generally good info, and all the cleanups you mention below are
worth doing.
I just want to mention that if someone is in a pinch and needs to
prioritize operation, the only fixes that are really necessary are
those that involve certificate chains sent from servers to
I'm putting this out there to help others if they need it, but be wary as the
following caveats apply:
1. I am not an expert in FreeIPA. Make a backup or snapshot if
possible. For nssdb stuff, you can just tar up those directories for a backup
before munging the data in there.
Thanks for the reply. We are unfortunately still on 4.6.5, so they'll manually
have to be removed.
Thanks for the pointer to the other discussion,
Pete
___
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
On 6/4/20 9:21 PM, Peter Lewis via FreeIPA-users wrote:
On May 30, 2020, the AddTrust CA expired as a CA. I'll get to the IPA issue
after a bit of background in case everyone is not familiar. The external certs
we're using are from InCommon and were cross signed by AddTrust and when we
Also, sorry for the followup, but I forgot to mention.
All services and communication seem to be working with the exception of the
following:
1. The joining of new servers to IPA as the downloads the bundle for path A still
and puts it in /etc/ipa/ca.crt which will then fail on the API calls