You are going way too far back in time AFAICT. The certs expired on April
5 of this year so you don't need to go back to 2014. Just go back to
April 3 or 4.
You'll also need to restart IPA before kicking certmonger:
ipactl restart
rob
*** SNIP ***
Thanks!!
Following your advice,
John Williams wrote:
You are going way too far back in time AFAICT. The certs expired on April
5 of this year so you don't need to go back to 2014. Just go back to
April 3 or 4.
You'll also need to restart IPA before kicking certmonger:
ipactl restart
rob
*** SNIP ***
[ snip ]
[root@ipa ~]# date
Thu Apr 10 00:13:51 EDT 2014
[root@ipa ~]# /etc/init.d/certmonger restart
Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]
[root@ipa ~]#
You are going way too far back in
I've inherited an IPA infrastructure for a group in my organization. So I've
got a RHEL instance with an IPA 3.0.0 server with expired certs.
[root@ipa ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@ipa ~]#
[root@ipa ~]# getcert
On 04/10/2015 03:58 PM, John Williams wrote:
I've inherited an IPA infrastructure for a group in my organization.
So I've got a RHEL instance with an IPA 3.0.0 server with expired certs.
[root@ipa ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
John Williams wrote:
I've inherited an IPA infrastructure for a group in my organization. So
I've got a RHEL instance with an IPA 3.0.0 server with expired certs.
[root@ipa ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@ipa
I'm looking at the following link for recovering expired certificates on
FreeIPA 3.0.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Problem is when I look inside my /etc/pki-ca/CS.cfg file for a subsystemCert I do
not find one. I see the other three:
auditSigningCert cert-pki-ca
John Williams wrote:
I'm looking at the following link for recovering expired certificates on
FreeIPA 3.0.0:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
Problem is when I look inside my /etc/pki-ca/CS.cfg file for a
subsystemCert I do not find one. I see the other three:
Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
auto-renew.
ipa-getcert list
Number of certificates and requests being tracked: 4.
Request ID '20110706215109':
status: MONITORING
stuck: no
key pair storage:
On Thu, May 02, 2013 at 10:59:11AM -0500, Toasted Penguin wrote:
Running FreeIPA 2.1.4 and ran into an issue where a Server-Cert did not
auto-renew.
ipa-getcert list
Number of certificates and requests being tracked: 4.
[snip]
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error:
On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
Nalin,
Thanks for your response. Running `hostname` does result in
ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
I ran ` ipa-getcert resubmit -i 20120925200227 -K HTTP/
Here is the output from the submit:
/usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Submitting request to https://ipa01.ctidata.net/ipa/xml;.
Fault -504: (libcurl failed to execute the HTTP POST transaction,
explaining: Peer certificate cannot be authenticated with known CA
On Thu, May 02, 2013 at 12:45:34PM -0500, Toasted Penguin wrote:
Here is the output from the submit:
/usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr
Submitting request to https://ipa01.ctidata.net/ipa/xml;.
Fault -504: (libcurl failed to execute the HTTP POST transaction,
/etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
All the certs monitored by Certmonger show the same issuer.
Wasn't getting anything back when running the ipahost script you provided,
ran ipahost=`grep ^host= /etc/ipa/default.conf | cut -f2- -d=` and echo
$ipahost shows
On Thu, May 02, 2013 at 01:23:04PM -0500, Toasted Penguin wrote:
/etc/ipa/ca.crt was issued by O=CTIDATA.NET, CN=Certificate Authority
All the certs monitored by Certmonger show the same issuer.
Ok, good. (If that hadn't been the case, I wouldn't have had an
explanation to offer.)
Wasn't
Yes that helped fix 2012092520027 (thank you!!)
But I am still seeing an error with:
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: yes
key pair storage:
Toasted Penguin wrote:
Yes that helped fix 2012092520027 (thank you!!)
But I am still seeing an error with:
Request ID '20120615190133':
status: CA_UNCONFIGURED
ca-error: Error setting up ccache for local host service using default
keytab.
stuck: yes
key pair storage:
17 matches