Hello Florence,
> the tool ipa-cacert-manage is used to renew IPA CA certificate, not the
> https certificate. It is a common mistake (IPA CA certificate is the
> certificate authority that has delivered the https and ldaps certificates).
Yes
> But now that you have renewed the CA certifica
On 07/11/2017 06:09 PM, Karl Forner via FreeIPA-users wrote:
Hello,
Today I realized that the https certificate for my freeipa web ui has
expired.
I tried to renew it using:
#ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage
On Thu, Jul 13, 2017 at 10:55:39AM +0200, Karl Forner wrote:
> Hi,
>
>
> > To recover from this situation you should reinstall the old CA
> > certificate via ipa-cacert-manage. If you can't find a copy of that
> > lying around you should (for a self-signed IPA CA) be able to
> > retrieve it from
Hi,
> To recover from this situation you should reinstall the old CA
> certificate via ipa-cacert-manage. If you can't find a copy of that
> lying around you should (for a self-signed IPA CA) be able to
> retrieve it from LDAP under ou=certificateRepository,ou=ca,o=ipaca.
> (Probably cn=1,ou=cer
Yes. Yikes. Karl, I already replied to your earlier thread, but
`ipa-cacert-renew` was not the right command to run.
On Wed, Jul 12, 2017 at 09:38:44AM +, Callum Guy via FreeIPA-users wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly the it sounds like
> you have renewed the CA
I think the problem is that the web UI certificate is not tracked by
Certmonger.
I compared with my replica server which seems alright:
master server (with expired certificate):
# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20150826135329':
status: MONITO
On Wed, Jul 12, 2017 at 11:38 AM, Callum Guy wrote:
> Ummm if I understand "man ipa-cacert-manage" correctly the it sounds like
> you have renewed the CA certificate which presumably would invalidate all
> existing certificates it has authorised.
>
I guess you are right. It rather seems that the
Ummm if I understand "man ipa-cacert-manage" correctly the it sounds like
you have renewed the CA certificate which presumably would invalidate all
existing certificates it has authorised.
>From your description it sounded like you just wanted the CA to issue a new
certificate for your IPA UI, thi
The problem is that the SSL certificate was not renewed by the
"ipa-cacert-manage renew" command.
So the http server refuses to start.
Hence my question: what is the correct way to renew the SSL certificate ??
Thanks.
___
FreeIPA-users mailing list --