[Freeipa-users] Re: expired Server-cert

2022-05-25 Thread Serge Krawczenko via FreeIPA-users
from CS.cfg selftests.container.order.startup=SystemCertsVerification:critical, CAPresence:critical More observations the following appears in /var/lib/pki/pki-tomcat/logs/ca/selftest.log during the pki-server cert-fix failure 0.localhost-startStop-1 - [25/May/2022:05:13:11 PDT] [20] [1]

[Freeipa-users] Re: expired Server-cert

2022-05-24 Thread Rob Crittenden via FreeIPA-users
This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1779984 'pki-server cert-fix' fails when CS.cfg parameter selftests.container.order.startup not present. This also causes failures in 'ipa-cert-fix' I'd check to see if that value exists and what its value is, if any. rob Serge

[Freeipa-users] Re: expired Server-cert

2022-05-24 Thread Serge Krawczenko via FreeIPA-users
The certificate renewed via ipa-cert-fix was Server-Cert cert-pki-ca related to my domain Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption Issuer: "CN=Certificate Authority,O=my domain" Validity: Not Before: Fri May 20 13:45:09 2022 Not After : Sat

[Freeipa-users] Re: expired Server-cert

2022-05-23 Thread Rob Crittenden via FreeIPA-users
Serge Krawczenko via FreeIPA-users wrote: > Hello again > I was so hoping the story to end but nope. > > ipa-cert-fix managed to renew one of the certs > but failed on the following ones > > > Enter "yes" to proceed: yes > Proceeding. > ipapython.ipautil: DEBUG: Starting external process >

[Freeipa-users] Re: expired Server-cert

2022-05-20 Thread Serge Krawczenko via FreeIPA-users
Hello again I was so hoping the story to end but nope. ipa-cert-fix managed to renew one of the certs but failed on the following ones Enter "yes" to proceed: yes Proceeding. ipapython.ipautil: DEBUG: Starting external process ipapython.ipautil: DEBUG: args=pki-server cert-fix --ldapi-socket

[Freeipa-users] Re: expired Server-cert

2022-05-19 Thread Rob Crittenden via FreeIPA-users
Serge Krawczenko wrote: > Great, Rob > > I've gotten nearly everything just couple minor clarifications: > > You're running into issue https://pagure.io/freeipa/issue/8600 which was > fixed in 4.9+ so you don't have it. You'll need to work around it in the > ipa_cert_fix.py code. >

[Freeipa-users] Re: expired Server-cert

2022-05-19 Thread Serge Krawczenko via FreeIPA-users
Great, Rob I've gotten nearly everything just couple minor clarifications: You're running into issue https://pagure.io/freeipa/issue/8600 which was > fixed in 4.9+ so you don't have it. You'll need to work around it in the > ipa_cert_fix.py code. > > Florence mentioned nsSSLPersonalitySSL:

[Freeipa-users] Re: expired Server-cert

2022-05-18 Thread Rob Crittenden via FreeIPA-users
Serge Krawczenko via FreeIPA-users wrote: > Grateful for your response, Rob > > On Tue, May 17, 2022 at 9:41 PM Rob Crittenden > wrote: > > > > sh-4.2# ipa --version > > VERSION: 4.6.8, API_VERSION: 2.237 > > > > ipa-cert-fix fails with  The

[Freeipa-users] Re: expired Server-cert

2022-05-18 Thread Serge Krawczenko via FreeIPA-users
Grateful for your response, Rob On Tue, May 17, 2022 at 9:41 PM Rob Crittenden wrote: > > > sh-4.2# ipa --version > > VERSION: 4.6.8, API_VERSION: 2.237 > > > > ipa-cert-fix fails with The ipa-cert-fix command failed, exception: > > RuntimeError: Failed to get Server-Cert > > Indeed, it

[Freeipa-users] Re: expired Server-cert

2022-05-17 Thread Rob Crittenden via FreeIPA-users
Serge Krawczenko via FreeIPA-users wrote: > Thank you, Florence > > Things are getting worse... > > I'm on the following version and CentOS 7 and two replicas > > sh-4.2# ipa --version > VERSION: 4.6.8, API_VERSION: 2.237 > > ipa-cert-fix fails with  The ipa-cert-fix command failed, exception:

[Freeipa-users] Re: expired Server-cert

2022-05-17 Thread Serge Krawczenko via FreeIPA-users
Thank you, Florence Things are getting worse... I'm on the following version and CentOS 7 and two replicas sh-4.2# ipa --version VERSION: 4.6.8, API_VERSION: 2.237 ipa-cert-fix fails with The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert Indeed, it doesn't

[Freeipa-users] Re: expired Server-cert

2022-05-17 Thread Florence Blanc-Renaud via FreeIPA-users
Hi, On Mon, May 16, 2022 at 5:19 PM Serge Krawczenko via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote: > Greetings, all > > I've been observing multiple issues for some time, unable to enroll new > clients etc. > Finally found out that the possible root cause is the expired