Right, the processing route may not seem obvious. certmonger uses the server
from /etc/ipa/default.conf. This server does not necessarily need to also run
CA, we count with that option.
When certmonger wants to renew or request a certificate, it calls cert-request
API call on that server. The API

Hmmm so question here .. our domain was originally installed as a 2.x
and upgraded to 3.x .. I installed the replicas using the
ipa-replica-prepare etc but the CA dirsrv instance was never copied over
or started on the replicas (i.e. no slapd-PKI-* around) .. yet
/etc/ipa/defaults.conf points to

(Adding back the users list as this may be interesting for everyone)
Ok, the steps suggested below should help. If the DS does not want to start at
all because of the expired certificate, you can also edit
/etc/dirsrv/slapd-YOUR-REALM/dse.ldif and edit it manually (only when dirsrv
service is stop

On 07/31/2014 07:49 AM, Matt Bryant wrote:
> All,
>
> Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
> /etc/dirsrv/slapd-IPA-REALM have expired.
I assume that this replica does not have a CA and we are only dealing with
service HTTPD and DIRSRV service certificates.
> H

All,
Got an issue with an IPA replica in that the certs in /etc/httpd/alias &
/etc/dirsrv/slapd-IPA-REALM have expired.
Have tried setting date back before expiry on the replica and doing an
'ipa-getcert resubmit -i ' but that hasn't worked; it looks like the
CA master is actually rejecting i