Re: [Freeipa-users] Replica created with expired certs

2016-10-01 Thread Jim Richard
Hi Rob: First I wanted to thank you for all of your valuable input/tips. As you well know, everything about certs, certmonger, dogtag and FreeIPA can get very complicated - there’s no easy answer, so many things can go wrong :) But, your answers to my questions got me thinking, gave me some

Re: [Freeipa-users] Replica created with expired certs

2016-09-30 Thread Rob Crittenden
Jim Richard wrote: Can I and how… delete all certs for all hosts? I mean, we only use FreeIPA for user login/sssd. That said, do we even need those certs? There is no simple answer, really. Yes, you can delete all certs for all hosts (not recommended as some of those are for IPA services).

Re: [Freeipa-users] Replica created with expired certs

2016-09-30 Thread Rob Crittenden
Jim Richard wrote: another interesting thing, my httpd/error_logs are constantly getting spammed with: (I removed the stuff between the single quotes) Notice those names don’t match, should they? Me thinks not since those “principal=” items are ALMOST all hosts that no longer exist in the

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Jim Richard
Can I and how… delete all certs for all hosts? I mean, we only use FreeIPA for user login/sssd. That said, do we even need those certs? Jim Richard

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Jim Richard
another interesting thing, my httpd/error_logs are constantly getting spammed with: (I removed the stuff between the single quotes) Notice those names don’t match, should they? Me thinks not since those “principal=” items are ALMOST all hosts that no longer exist in the FreeIPA system. I rare

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Natxo Asenjo
hi, On Thu, Sep 29, 2016 at 2:11 PM, Rob Crittenden wrote: > Natxo Asenjo wrote: > >> hi Jim, >> >> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard > > wrote: >> >> Thanks Rob, that worked. >> >> Still on the subject

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Rob Crittenden
Natxo Asenjo wrote: hi Jim, On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote: Thanks Rob, that worked. Still on the subject of certs, any idea how to solve this error: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The

Re: [Freeipa-users] Replica created with expired certs

2016-09-29 Thread Natxo Asenjo
hi Jim, On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard wrote: > Thanks Rob, that worked. > > Still on the subject of certs, any idea how to solve this error: > > Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key > database is in an old, unsupported

Re: [Freeipa-users] Replica created with expired certs

2016-09-28 Thread Jim Richard
Thanks Rob, that worked. Still on the subject of certs, any idea how to solve this error: Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an old, unsupported format. I see that in the gui when querying hosts as well as from cli when I ipa-show or

Re: [Freeipa-users] Replica created with expired certs

2016-09-28 Thread Rob Crittenden
Jim Richard wrote: I have a master with apparently correct, non expired certs but when I create a new replica master I end up with expired certs. How is this possible, why and of course, how do I fix? I assume you are running IPA v3.0.0? The problem is that the root CA stash isn't updated

[Freeipa-users] Replica created with expired certs

2016-09-27 Thread Jim Richard
I have a master with apparently correct, non expired certs but when I create a new replica master I end up with expired certs. How is this possible, why and of course, how do I fix? first set is the original master and the second is the certs I get on the new replica [root@sso-110:(NYM)