I got really busy sorry about the delay. It was a coworker who renewed our
CA cert during an upgrade from Centos 6 to Centos 7. I remember him saying
during the upgrade the CA broke and he had to mess around with it.
According to him "Pretty sure I did the walk the clock back thing, but
it's been so long I don't remember." As for pki-tomcat it certs where
renewed automatically.
I have tried the work around that was suggested on the open bug and that
did not fix my issue.
On Thu, 9 Feb 2017, Rob Crittenden wrote:
Joseph Vandermaas wrote:
All
I have been experiencing some issues with a FreeIPA instance that I
maintain. More specifically pki-tomcat has not started since around the time
it’s certificate renewed. I submitted this bug report
https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to be
found.
This installation does have one instresting issue that I believe may be
causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA
CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid CA
certificates and when I run openssl verify with ether of them as the CA and the
new subsystem certificate I get an OK message. I also believe that this issue
is causing me not to be able to do a ipa-certupdate on the broken IPA server.
Is there a way to to clean this up, should I try renewing the CA certificate
and get rid of the old LDAP entries?
What did you do, as exactly as you can remember, to get the certificates
renewed?
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
