On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote:
> Il 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users ha scritto:
> > "CA replica" just means any IPA master that has the Dogtag CA
> > installed.
> > 
> > You have a Dogtag CA.  That CA uses an LDAP database, which has
> > basedn `o=ipaca'.  That database should have the entry I indicated,
> > whose `userCertificate' attribute we are interested in.
> > 
> Ok, sorry for my low IPA CA knowledge :-)
> 
No problem.

> I've got 4 userCertificate entries in that entry, last one is the same cert
> as /var/lib/ipa/ra-agent.pem
> 
Remove all the userAttribute values except the one that matches
ra-agent.pem.

You also suggested earlier to update that entry in the IPA DIT under
`cn=ca_renewal,cn=ipa,cn=etc,{basedn}'.  If there is only one CA
master in the topology (the one you're working on) you can ignore
this.  Otherwise you should either update its userCertificate value
with the content of ra_agent.pem, OR you can simply delete the
entry.

Do this all while the clock is set back to when the certs are all
valid.  Then restart IPA; confirm that all the components start
properly, then attempt to renew the service certificates.

See how you go with that.  Hopefully it will be progress, at least.

Cheers,
Fraser

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
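As an added example (not from this thread or from FreeIPA itself): a small script that, given the LDIF of the RA agent entry as printed by ldapsearch and the contents of ra-agent.pem, identifies the one userCertificate value that matches the file and writes the ldapmodify LDIF that deletes the others. The DN and the certificate bytes are assumptions and constructed data; the comparison is byte-for-byte on the DER, so it never touches the entry if the PEM matches nothing.

```python
import base64
import re

# Constructed sample data (no real certificates): fabricated DER byte strings
# for the stale and current RA agent certs; the DN below is an assumption.
ENTRY_DN = "uid=ipara,ou=people,o=ipaca"  # assumed DN of the RA agent entry
STALE_DER = [b"\x30\x82\x01\x00stale-cert-1", b"\x30\x82\x01\x00stale-cert-2"]
CURRENT_DER = b"\x30\x82\x01\x00current-ra-agent-cert"

def der_to_pem(der):
    # Wrap DER bytes as a PEM certificate (encodebytes folds at 76 columns)
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

def pem_to_der(pem_text):
    # Take the first CERTIFICATE block from a PEM file and return its DER bytes
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def entry_ldif(dn, ders):
    # Render an entry the way ldapsearch prints it: '::' marks a base64 value
    lines = [f"dn: {dn}"]
    lines += ["userCertificate;binary:: " + base64.b64encode(d).decode() for d in ders]
    return "\n".join(lines) + "\n"

def parse_user_certificates(ldif_text):
    # Return the DER bytes of every userCertificate value in an LDIF entry
    unfolded = re.sub(r"\n ", "", ldif_text)  # join LDIF continuation lines
    ders = []
    for line in unfolded.splitlines():
        if line.lower().startswith("usercertificate") and "::" in line:
            ders.append(base64.b64decode(line.split("::", 1)[1].strip()))
    return ders

def cleanup_modify_ldif(dn, ldif_text, ra_agent_pem):
    # Build the ldapmodify LDIF that deletes every value except the one equal
    # to ra-agent.pem; returns (ldif, number of values deleted). Refuses to
    # emit anything if the PEM matches no stored value, so nothing gets wiped.
    keep = pem_to_der(ra_agent_pem)
    stored = parse_user_certificates(ldif_text)
    if keep not in stored:
        raise ValueError("ra-agent.pem matches no stored userCertificate value")
    stale = [d for d in stored if d != keep]
    lines = [f"dn: {dn}", "changetype: modify"]
    for d in stale:
        lines += ["delete: userCertificate;binary",
                  "userCertificate;binary:: " + base64.b64encode(d).decode(), "-"]
    return "\n".join(lines) + "\n", len(stale)
```

Feed the real entry's ldapsearch output and the real ra-agent.pem to `cleanup_modify_ldif`, review the resulting LDIF, and only then hand it to ldapmodify.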