[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Eric Boisvert via FreeIPA-users
Good morning Everyone, I made little progress this weekend. I'm currently in a state where all my services in the ipactl status command are running, but if I restart, the pki-tomcatd service shows netscape.ldap.LDAPException: Authentication failed (48) in the debug output when executing ipactl -r

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, in your previous email, the output of certutil shows that the new root CA isn't trusted in some databases (flag is ,, instead of CT,C,C). You can change the trust flags with certutil -M -t CT,C,C -d -n . The 2nd thing to take into account: if you change the date in the past in order to renew

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Eric Boisvert via FreeIPA-users
Good afternoon, I was able to find a date where it's possible to start IPA services successfully (2022-03-02). Is it possible to clear IPA from bad certificates? I see four "QC.LRTECH.CA IPA CA" certificates in: certutil -L -d /etc/ipa/nssdb certutil -L -d /etc/httpd/alias certutil -L -d /etc

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Rob Crittenden via FreeIPA-users
I suppose we tackle these one at a time. The older CA certificate can be deleted eventually which will prevent it from being re-added by ipa-certupdate. I think for now we defer on that. What is the serial number for the two "QC.LRTECH.CA IPA CA" certificates? Are they different? If not that woul

[Freeipa-users] Re: IPA CA allow CSR SAN names in external domains

2022-03-14 Thread Pedro Bezunartea López via FreeIPA-users
> On Fri, Oct 20, 2017 at 10:59:36AM -0700, Steve Dainard via FreeIPA-users > wrote: > You can add a principal alias to the service principal: > > % ipa service-add-principal HTTP/client1.ipadomain.com \ > HTTP/servicename.otherdomain.com Why the HTTP/...? In our case, that didn't work.

[Freeipa-users] Re: Help request on FreeIPA and Linux Certificate of Authority renewal.

2022-03-14 Thread Eric Boisvert via FreeIPA-users
> What is the serial number for the two "QC.LRTECH.CA IPA CA" > certificates? Are they different? If not that would explain the Firefox > error. They are different: Serial Number: 4098 (0x1002) Serial Number: 00:8a:58:8a:64:a9:7d:dc:a0 > On the IPA server with the CA up, does ipa cert-show 1 wor