Roberto Cornacchia via FreeIPA-users wrote:
> OK, I did so and httpd restarts.
>
> $ openssl s_client -connect 127.0.0.1:443 -showcerts
> CONNECTED(00000003)
> depth=1 O = HQ.SPINQUE.COM, CN = Certificate Authority
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> verify error:num=10:certificate has expired
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> depth=0 O = HQ.SPINQUE.COM, CN = spinque04.hq.spinque.com
> notAfter=Mar 16 18:45:29 2017 GMT
> verify return:1
> ---
> Certificate chain
>  0 s:/O=HQ.SPINQUE.COM/CN=spinque04.hq.spinque.com
>    i:/O=HQ.SPINQUE.COM/CN=Certificate Authority
> ...
>
> Fair enough, but why does this say it expires in 2019? Are they two
> different certificates?
>
> $ getcert list -d /etc/httpd/alias -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20160501114633':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=HQ.SPINQUE.COM
>     subject: CN=IPA RA,O=HQ.SPINQUE.COM
>     expires: 2019-01-26 19:41:51 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
> What's the right way to solve this?

You're looking at the wrong cert.

# getcert list -d /etc/httpd/alias -n Server-Cert

And really, you should examine all certificate status, not just a single one.

I would also strongly urge you to wait until all problems are resolved before attempting to update packages in the future (unless a package claims to fix a specific problem), particularly when it comes to certificates.

rob
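
Added example, not part of the original thread: a small Python check that follows the advice above to examine every tracked certificate rather than a single nickname. It parses text in the `getcert list` layout quoted in the thread; the sample input, the second request's ID and status, the function names and the 28-day warning window are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in the `getcert list` layout quoted in this thread;
# the second request's ID and status are made up for illustration.
SAMPLE = """\
Request ID '20160501114633':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	expires: 2019-01-26 19:41:51 UTC
Request ID '00000000000000':
	status: CA_UNREACHABLE
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2017-03-16 18:45:29 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request: id, status, nickname, expires."""
    requests = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Request ID"):
            requests.append({"id": line.split("'")[1]})
        elif requests and ": " in line:
            key, value = line.split(": ", 1)
            if key == "status":
                requests[-1][key] = value
            elif key == "certificate" and "nickname='" in value:
                requests[-1]["nickname"] = value.split("nickname='")[1].split("'")[0]
            elif key == "expires":
                # Append an explicit offset so the result is timezone-aware.
                requests[-1]["expires"] = datetime.strptime(value + "+0000", "%Y-%m-%d %H:%M:%S UTC%z")
    return requests

def problems(requests, now, warn_days=28):
    """List (nickname, reason) for every request that needs attention."""
    found = []
    for r in requests:
        name = r.get("nickname", r["id"])
        if r.get("status") != "MONITORING":
            found.append((name, "status=%s" % r.get("status")))
        exp = r.get("expires")
        if exp and exp <= now:
            found.append((name, "expired %s" % exp.date()))
        elif exp and (exp - now).days < warn_days:
            found.append((name, "expires in %d days" % (exp - now).days))
    return found

if __name__ == "__main__":
    for name, reason in problems(parse_getcert(SAMPLE), datetime.now(timezone.utc)):
        print(name, reason)
```

On an IPA host, pass the captured text of `getcert list` (run as root, without `-n`) to `parse_getcert` in place of `SAMPLE` so every tracked request is checked.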