Re: [Freeipa-users] Certificate format error: [Errno -8018]
craig.free...@noboost.org wrote:
> On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
>> craig.free...@noboost.org wrote:
>>> On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
>>>> Alexander Bokovoy wrote:
>>>>> On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
>>>>>> Hi Guys,
>>>>>>
>>>>>> I'm sure this is an easy issue to fix!
>>>>>>
>>>>>> First the specs;
>>>>>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>
>>>>>> Issue:
>>>>>> When I click on the hosts TAB from inside the Identity Management GUI, I get the following error;
>>>>>> * Certificate format error: [Errno -8018] None (repeated many times)
>>>>>> * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None
>>>>>>
>>>>>> Also seen this error;
>>>>>> cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
>>>>>>
>>>>>> Any advice would be greatly appreciated!
>>>>>
>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>>>
>>>>> Since you have FreeIPA before 3.4, you need to follow the manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point.
>>>>
>>>> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>>
>>>> rob
>>>
>>> Just running into a couple of issues with the manual SSL cert process;
>>>
>>> 1) ERROR when telling certmonger about all the CA certificates
>>>
>>> #Command:
>>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>>> do
>>>     echo $nickname
>>>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
>>> done
>>>
>>> #Result:
>>> auditSigningCert cert-pki-ca
>>>     Not After : Tue Jan 14 06:45:05 2014
>>> ocspSigningCert cert-pki-ca
>>>     Not After : Tue Jan 14 06:45:05 2014
>>> subsystemCert cert-pki-ca
>>>     Not After : Tue Jan 14 06:45:05 2014
>>> Server-Cert cert-pki-ca
>>>     Not After : Tue Jan 14 06:45:05 2014
>>>
>>> #Command:
>>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>>> do
>>>     /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 70511423
>>> done
>>>
>>> #Result:
>>> No CA with name dogtag-ipa-renew-agent found.
>>> No CA with name dogtag-ipa-renew-agent found.
>>> No CA with name dogtag-ipa-renew-agent found.
>>> No CA with name dogtag-ipa-renew-agent found.
>>>
>>> 2) Upgrade instead?
>>> I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this version be able to automatically update the certificates?
>>>
>>> cya
>>> Craig
>>
>> You need certmonger-0.58-1 or higher to get the dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with that, sorry for the oversight.
>>
>> You could try updating to 3.0. If you do decide to try upgrading I think I'd go back in time when all the certs are valid first as some services will be restarted during the upgrade and we don't want the upgrade blowing up in the middle because of expired certs.
>>
>> rob
>
> I'll give the upgrade a go, say I go back to the older date and IPA starts fine. Won't the certs still have a hard expiry date on them, so I'll need to follow the http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?

It depends in part how far back in time you go. I'd go back a day or two before the oldest date (not all certs expire at the same time).

The upgrade will configure automatic renewal. I think what I'd recommend is do the upgrade then restart the certmonger service on the machine. Run `getcert list` to check the status of the certs. After the restart they should all renew.

rob

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Wed, Jan 29, 2014 at 09:15:50AM -0500, Rob Crittenden wrote:
> craig.free...@noboost.org wrote:
>> On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
>>> craig.free...@noboost.org wrote:
>>>> On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
>>>>> Alexander Bokovoy wrote:
>>>>>> On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
>>>>>>> Hi Guys,
>>>>>>>
>>>>>>> I'm sure this is an easy issue to fix!
>>>>>>>
>>>>>>> First the specs;
>>>>>>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>>>
>>>>>>> Issue:
>>>>>>> When I click on the hosts TAB from inside the Identity Management GUI, I get the following error;
>>>>>>> * Certificate format error: [Errno -8018] None (repeated many times)
>>>>>>> * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None
>>>>>>>
>>>>>>> Also seen this error;
>>>>>>> cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
>>>>>>>
>>>>>>> Any advice would be greatly appreciated!
>>>>>>
>>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>>>>
>>>>>> Since you have FreeIPA before 3.4, you need to follow the manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point.
>>>>>
>>>>> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>>>
>>>>> rob
>>>>
>>>> Just running into a couple of issues with the manual SSL cert process;
>>>>
>>>> 1) ERROR when telling certmonger about all the CA certificates
>>>>
>>>> #Command:
>>>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>>>> do
>>>>     echo $nickname
>>>>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
>>>> done
>>>>
>>>> #Result:
>>>> auditSigningCert cert-pki-ca
>>>>     Not After : Tue Jan 14 06:45:05 2014
>>>> ocspSigningCert cert-pki-ca
>>>>     Not After : Tue Jan 14 06:45:05 2014
>>>> subsystemCert cert-pki-ca
>>>>     Not After : Tue Jan 14 06:45:05 2014
>>>> Server-Cert cert-pki-ca
>>>>     Not After : Tue Jan 14 06:45:05 2014
>>>>
>>>> #Command:
>>>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>>>> do
>>>>     /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 70511423
>>>> done
>>>>
>>>> #Result:
>>>> No CA with name dogtag-ipa-renew-agent found.
>>>> No CA with name dogtag-ipa-renew-agent found.
>>>> No CA with name dogtag-ipa-renew-agent found.
>>>> No CA with name dogtag-ipa-renew-agent found.
>>>>
>>>> 2) Upgrade instead?
>>>> I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this version be able to automatically update the certificates?
>>>>
>>>> cya
>>>> Craig
>>>
>>> You need certmonger-0.58-1 or higher to get the dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with that, sorry for the oversight.
>>>
>>> You could try updating to 3.0. If you do decide to try upgrading I think I'd go back in time when all the certs are valid first as some services will be restarted during the upgrade and we don't want the upgrade blowing up in the middle because of expired certs.
>>>
>>> rob
>>
>> I'll give the upgrade a go, say I go back to the older date and IPA starts fine. Won't the certs still have a hard expiry date on them, so I'll need to follow the http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?
>
> It depends in part how far back in time you go. I'd go back a day or two before the oldest date (not all certs expire at the same time).
>
> The upgrade will configure automatic renewal. I think what I'd recommend is do the upgrade then restart the certmonger service on the machine. Run `getcert list` to check the status of the certs. After the restart they should all renew.
>
> rob

Well progress :) just not quite fully fixed, seems three certificates have updated just not the others yet.
Do I need to tell them to update, or let the server roll over until it hits Jan 14?

Server:
Red Hat Enterprise Linux Server release 6.5 (Santiago)
ipa-server-3.0.0-37.el6.x86_64
ipa-client-3.0.0-37.el6.x86_64
---
~/Scripts date
Sat Jan 11 19:29:02 EST 2014
---
~/Scripts certutil -L -d /etc/httpd/alias -n ipaCert | grep After
    Not After : Fri Jan 01 07:44:45 2016
---
Ran script:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    echo $nickname
    certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done
---
auditSigningCert cert-pki-ca
    Not After : Thu Jul 10 07:45:42 2014
    Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
    Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
    Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
    Not After : Tue Jan 14 06:45:05 2014
---
The apache cert did update which is good!
~/Scripts certutil -L -d /etc/httpd/alias
Re: [Freeipa-users] Certificate format error: [Errno -8018]
craig.free...@noboost.org wrote:
> Well progress :) just not quite fully fixed, seems three certificates have updated just not the others yet.
> Do I need to tell them to update, or let the server roll over until it hits Jan 14?
>
> Server:
> Red Hat Enterprise Linux Server release 6.5 (Santiago)
> ipa-server-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> ---
> ~/Scripts date
> Sat Jan 11 19:29:02 EST 2014
> ---
> ~/Scripts certutil -L -d /etc/httpd/alias -n ipaCert | grep After
>     Not After : Fri Jan 01 07:44:45 2016
> ---
> Ran script:
> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> do
>     echo $nickname
>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> done
> ---
> auditSigningCert cert-pki-ca
>     Not After : Thu Jul 10 07:45:42 2014
>     Not After : Tue Jan 14 06:45:05 2014
> ocspSigningCert cert-pki-ca
>     Not After : Fri Jan 01 07:44:43 2016
> subsystemCert cert-pki-ca
>     Not After : Fri Jan 01 07:44:44 2016
> Server-Cert cert-pki-ca
>     Not After : Tue Jan 14 06:45:05 2014
> ---
> The apache cert did update which is good!
> ~/Scripts certutil -L -d /etc/httpd/alias -n ipaCert | grep After
>     Not After : Fri Jan 01 07:44:45 2016
>
> cya
> Craig

For those not yet renewed I'd do a getcert list to find them and getcert resubmit -i id to force renewal. The CA won't start without a valid audit cert.

rob
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Wed, Jan 29, 2014 at 09:22:35PM -0500, Rob Crittenden wrote:
> craig.free...@noboost.org wrote:
>> Well progress :) just not quite fully fixed, seems three certificates have updated just not the others yet.
>> Do I need to tell them to update, or let the server roll over until it hits Jan 14?
>>
>> Server:
>> Red Hat Enterprise Linux Server release 6.5 (Santiago)
>> ipa-server-3.0.0-37.el6.x86_64
>> ipa-client-3.0.0-37.el6.x86_64
>> ---
>> ~/Scripts date
>> Sat Jan 11 19:29:02 EST 2014
>> ---
>> ~/Scripts certutil -L -d /etc/httpd/alias -n ipaCert | grep After
>>     Not After : Fri Jan 01 07:44:45 2016
>> ---
>> Ran script:
>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>> do
>>     echo $nickname
>>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
>> done
>> ---
>> auditSigningCert cert-pki-ca
>>     Not After : Thu Jul 10 07:45:42 2014
>>     Not After : Tue Jan 14 06:45:05 2014
>> ocspSigningCert cert-pki-ca
>>     Not After : Fri Jan 01 07:44:43 2016
>> subsystemCert cert-pki-ca
>>     Not After : Fri Jan 01 07:44:44 2016
>> Server-Cert cert-pki-ca
>>     Not After : Tue Jan 14 06:45:05 2014
>> ---
>> The apache cert did update which is good!
>> ~/Scripts certutil -L -d /etc/httpd/alias -n ipaCert | grep After
>>     Not After : Fri Jan 01 07:44:45 2016
>>
>> cya
>> Craig
>
> For those not yet renewed I'd do a getcert list to find them and getcert resubmit -i id to force renewal. The CA won't start without a valid audit cert.
>
> rob

Thanks for all the help, looks like all is fixed. I moved the dates back to normal and all the services are working :)

I did notice the auditSigningCert cert-pki-ca has two certificates, one old one and a new one. The getcert list command is only showing the new one, so I figure all is well.

auditSigningCert cert-pki-ca
Certificate:
    Validity:
        Not Before: Sat Jan 11 07:45:42 2014
        Not After : Thu Jul 10 07:45:42 2014
Data:
    Validity:
        Not Before: Wed Jan 25 06:45:05 2012
        Not After : Tue Jan 14 06:45:05 2014

cya
Craig
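Added example, not part of the thread or of FreeIPA: a POSIX shell/awk helper that reads the nickname and Not After listing printed by the certutil loop above and reports which nicknames are expired or close to expiry, judging a nickname that holds two certificates (as auditSigningCert does here) by its newest one. The names cert_status and sample_listing, the 28-day warning window and the reading of the timestamps as UTC are assumptions; the sample listing is constructed from the values posted in the thread.

```shell
#!/bin/sh
# Added example (not from the thread). Works on saved text only; it does not
# touch the NSS database or certmonger.

# cert_status NOW_EPOCH [WARN_DAYS]   (listing on stdin)
# Prints per nickname: STATUS <TAB> whole days left <TAB> nickname.
# Assumption: the Not After values are UTC.
cert_status() {
    awk -v now="$1" -v warn="${2:-28}" '
    # Days since 1970-01-01 for a Gregorian date (Julian day number formula).
    function days(y, m, d,    a, yy, mm, jdn) {
        a = int((14 - m) / 12); yy = y + 4800 - a; mm = m + 12 * a - 3
        jdn = d + int((153 * mm + 2) / 5) + 365 * yy + int(yy / 4)
        jdn = jdn - int(yy / 100) + int(yy / 400) - 32045
        return jdn - 2440588
    }
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", name, " ")
        for (i = 1; i <= 12; i++) mon[name[i]] = i
    }
    /Not After/ {
        t = $0
        sub(/^.*Not After[ \t]*:[ \t]*/, "", t); sub(/[ \t\r]+$/, "", t)
        n = split(t, f, /[ \t]+/)          # weekday month day time year
        if (n < 5 || !(f[2] in mon)) next  # skip lines that do not parse
        split(f[4], hms, ":")
        e = days(f[5], mon[f[2]], f[3]) * 86400
        e = e + hms[1] * 3600 + hms[2] * 60 + hms[3]
        # Several certificates under one nickname: keep the newest expiry.
        if (!(nick in best) || e > best[nick]) best[nick] = e
        next
    }
    NF {
        nick = $0; gsub(/^[ \t]+|[ \t]+$/, "", nick)
        if (!(nick in seen)) { seen[nick] = 1; order[++k] = nick }
    }
    END {
        for (i = 1; i <= k; i++) {
            nick = order[i]
            if (!(nick in best)) { print "UNKNOWN\t-\t" nick; continue }
            left = best[nick] - now
            if (left <= 0) st = "EXPIRED"
            else if (left < warn * 86400) st = "EXPIRING"
            else st = "OK"
            printf "%s\t%d\t%s\n", st, int(left / 86400), nick
        }
    }'
}

# Constructed sample: the listing as posted after the upgrade.
sample_listing() {
    cat <<'EOF'
auditSigningCert cert-pki-ca
            Not After : Thu Jul 10 07:45:42 2014
            Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
            Not After : Fri Jan 01 07:44:43 2016
subsystemCert cert-pki-ca
            Not After : Fri Jan 01 07:44:44 2016
Server-Cert cert-pki-ca
            Not After : Tue Jan 14 06:45:05 2014
EOF
}

# 1389484800 is 2014-01-12 00:00:00 UTC, close to the rolled-back clock.
# On a live server, pipe the loop output in and pass "$(date -u +%s)".
sample_listing | cert_status 1389484800 28
```

Any nickname reported as EXPIRING or EXPIRED is a candidate for the `getcert resubmit -i id` step Rob describes.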
Re: [Freeipa-users] Certificate format error: [Errno -8018]
craig.free...@noboost.org wrote:
> On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
>> Alexander Bokovoy wrote:
>>> On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
>>>> Hi Guys,
>>>>
>>>> I'm sure this is an easy issue to fix!
>>>>
>>>> First the specs;
>>>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>>> ipa-client-2.2.0-16.el6.x86_64
>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>
>>>> Issue:
>>>> When I click on the hosts TAB from inside the Identity Management GUI, I get the following error;
>>>> * Certificate format error: [Errno -8018] None (repeated many times)
>>>> * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None
>>>>
>>>> Also seen this error;
>>>> cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
>>>>
>>>> Any advice would be greatly appreciated!
>>>
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>
>>> Since you have FreeIPA before 3.4, you need to follow the manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point.
>>
>> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> rob
>
> Just running into a couple of issues with the manual SSL cert process;
>
> 1) ERROR when telling certmonger about all the CA certificates
>
> #Command:
> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> do
>     echo $nickname
>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> done
>
> #Result:
> auditSigningCert cert-pki-ca
>     Not After : Tue Jan 14 06:45:05 2014
> ocspSigningCert cert-pki-ca
>     Not After : Tue Jan 14 06:45:05 2014
> subsystemCert cert-pki-ca
>     Not After : Tue Jan 14 06:45:05 2014
> Server-Cert cert-pki-ca
>     Not After : Tue Jan 14 06:45:05 2014
>
> #Command:
> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> do
>     /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 70511423
> done
>
> #Result:
> No CA with name dogtag-ipa-renew-agent found.
> No CA with name dogtag-ipa-renew-agent found.
> No CA with name dogtag-ipa-renew-agent found.
> No CA with name dogtag-ipa-renew-agent found.
>
> 2) Upgrade instead?
> I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this version be able to automatically update the certificates?
>
> cya
> Craig

You need certmonger-0.58-1 or higher to get the dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with that, sorry for the oversight.

You could try updating to 3.0. If you do decide to try upgrading I think I'd go back in time when all the certs are valid first as some services will be restarted during the upgrade and we don't want the upgrade blowing up in the middle because of expired certs.

rob
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Tue, Jan 28, 2014 at 01:25:56PM -0500, Rob Crittenden wrote:
> craig.free...@noboost.org wrote:
>> On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
>>> Alexander Bokovoy wrote:
>>>> On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
>>>>> Hi Guys,
>>>>>
>>>>> I'm sure this is an easy issue to fix!
>>>>>
>>>>> First the specs;
>>>>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>>>> ipa-client-2.2.0-16.el6.x86_64
>>>>> ipa-server-2.2.0-16.el6.x86_64
>>>>>
>>>>> Issue:
>>>>> When I click on the hosts TAB from inside the Identity Management GUI, I get the following error;
>>>>> * Certificate format error: [Errno -8018] None (repeated many times)
>>>>> * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None
>>>>>
>>>>> Also seen this error;
>>>>> cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
>>>>>
>>>>> Any advice would be greatly appreciated!
>>>>
>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>>>
>>>> Since you have FreeIPA before 3.4, you need to follow the manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point.
>>>
>>> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>>
>>> rob
>>
>> Just running into a couple of issues with the manual SSL cert process;
>>
>> 1) ERROR when telling certmonger about all the CA certificates
>>
>> #Command:
>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>> do
>>     echo $nickname
>>     certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
>> done
>>
>> #Result:
>> auditSigningCert cert-pki-ca
>>     Not After : Tue Jan 14 06:45:05 2014
>> ocspSigningCert cert-pki-ca
>>     Not After : Tue Jan 14 06:45:05 2014
>> subsystemCert cert-pki-ca
>>     Not After : Tue Jan 14 06:45:05 2014
>> Server-Cert cert-pki-ca
>>     Not After : Tue Jan 14 06:45:05 2014
>>
>> #Command:
>> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
>> do
>>     /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 70511423
>> done
>>
>> #Result:
>> No CA with name dogtag-ipa-renew-agent found.
>> No CA with name dogtag-ipa-renew-agent found.
>> No CA with name dogtag-ipa-renew-agent found.
>> No CA with name dogtag-ipa-renew-agent found.
>>
>> 2) Upgrade instead?
>> I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this version be able to automatically update the certificates?
>>
>> cya
>> Craig
>
> You need certmonger-0.58-1 or higher to get the dogtag-ipa-renew-agent CA and other fixes. I'll update the wiki with that, sorry for the oversight.
>
> You could try updating to 3.0. If you do decide to try upgrading I think I'd go back in time when all the certs are valid first as some services will be restarted during the upgrade and we don't want the upgrade blowing up in the middle because of expired certs.
>
> rob

I'll give the upgrade a go, say I go back to the older date and IPA starts fine. Won't the certs still have a hard expiry date on them, so I'll need to follow the http://www.freeipa.org/page/IPA_2x_Certificate_Renewal procedure?

cya
Craig
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Thu, Jan 23, 2014 at 09:21:54AM -0500, Rob Crittenden wrote:
> Alexander Bokovoy wrote:
>> On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
>>> Hi Guys,
>>>
>>> I'm sure this is an easy issue to fix!
>>>
>>> First the specs;
>>> Red Hat Enterprise Linux Server release 6.3 (Santiago)
>>> ipa-client-2.2.0-16.el6.x86_64
>>> ipa-server-2.2.0-16.el6.x86_64
>>>
>>> Issue:
>>> When I click on the hosts TAB from inside the Identity Management GUI, I get the following error;
>>> * Certificate format error: [Errno -8018] None (repeated many times)
>>> * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None
>>>
>>> Also seen this error;
>>> cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
>>>
>>> Any advice would be greatly appreciated!
>>
>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>>
>> Since you have FreeIPA before 3.4, you need to follow the manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point.
>
> For 2.x you want http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> rob

Just running into a couple of issues with the manual SSL cert process;

1) ERROR when telling certmonger about all the CA certificates

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    echo $nickname
    certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done

#Result:
auditSigningCert cert-pki-ca
    Not After : Tue Jan 14 06:45:05 2014
ocspSigningCert cert-pki-ca
    Not After : Tue Jan 14 06:45:05 2014
subsystemCert cert-pki-ca
    Not After : Tue Jan 14 06:45:05 2014
Server-Cert cert-pki-ca
    Not After : Tue Jan 14 06:45:05 2014

#Command:
for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
do
    /usr/bin/getcert start-tracking -d /var/lib/pki-ca/alias -n "${nickname}" -c dogtag-ipa-renew-agent -P 70511423
done

#Result:
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.
No CA with name dogtag-ipa-renew-agent found.

2) Upgrade instead?
I could potentially upgrade the ipa-server to 3.0.0-37.el6, would this version be able to automatically update the certificates?

cya
Craig
[Freeipa-users] Certificate format error: [Errno -8018]
Hi Guys,

I'm sure this is an easy issue to fix!

First the specs;
Red Hat Enterprise Linux Server release 6.3 (Santiago)
ipa-client-2.2.0-16.el6.x86_64
ipa-server-2.2.0-16.el6.x86_64

Issue:
When I click on the hosts TAB from inside the Identity Management GUI, I get the following error;
* Certificate format error: [Errno -8018] None (repeated many times)
* Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None

Also seen this error;
cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.

Any advice would be greatly appreciated!

cya
Craig
Re: [Freeipa-users] Certificate format error: [Errno -8018]
On Thu, 23 Jan 2014, craig.free...@noboost.org wrote:
> Hi Guys,
>
> I'm sure this is an easy issue to fix!
>
> First the specs;
> Red Hat Enterprise Linux Server release 6.3 (Santiago)
> ipa-client-2.2.0-16.el6.x86_64
> ipa-server-2.2.0-16.el6.x86_64
>
> Issue:
> When I click on the hosts TAB from inside the Identity Management GUI, I get the following error;
> * Certificate format error: [Errno -8018] None (repeated many times)
> * Cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -8018] None
>
> Also seen this error;
> cannot connect to 'https://sysvm-ipa.teratext.saic.com.au:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.
>
> Any advice would be greatly appreciated!

http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Since you have FreeIPA before 3.4, you need to follow the manual procedure outlined on that page. 2.2 might also be a bit different than 3.x but this is a starting point.

--
/ Alexander Bokovoy