On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote:
> On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote:
> > "CA replica" just means any IPA master that has the Dogtag CA
> > installed.
> >
> > You have a Dogtag CA. That CA uses an LDAP database, which has
> > basedn `o=ipaca'. That database should have the entry I indicated,
> > whose `userCertificate' attribute we are interested in.
> >
> Ok, sorry for my low IPA CA knowledge :-)
>
No problem.

> I've got 4 userCertificate entries in that entry, last one is the same cert
> as /var/lib/ipa/ra-agent.pem
>
Remove all the userCertificate values except the one that matches
ra-agent.pem.

You also suggested earlier to update that entry in the IPA DIT under
`cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is only one CA master
in the topology (the one you're working on) you can ignore this.
Otherwise you should either update its userCertificate value with the
content of ra-agent.pem, OR you can simply delete the entry.

Do this all while the clock is set back to when the certs are all
valid. Then restart IPA; confirm that all the components start
properly, then attempt to renew the service certificates.

See how you go with that. Hopefully it will be progress, at least.

Cheers,
Fraser

> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
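The cleanup Fraser describes (keep only the userCertificate value that matches /var/lib/ipa/ra-agent.pem, drop the rest) is easy to get wrong by hand when the entry holds several base64 blobs, so here is an added example, not code from the thread or from the FreeIPA project, that does the comparison on decoded DER bytes and emits an LDIF modify that deletes only the non-matching values. The entry DN `uid=ipara,ou=People,o=ipaca` is an assumption (the thread only says "the entry I indicated"), and the PEM file and the four attribute values are constructed placeholder byte strings standing in for real certificates; the script never parses X.509, it only compares bytes, so the logic is unchanged for real data.

```python
import base64
import re

# Constructed placeholder "DER" blobs. These are NOT real X.509 certificates;
# the script only compares decoded bytes, so any distinct byte strings work.
def _placeholder_der(label: bytes) -> bytes:
    return b"placeholder-der:" + label

# Constructed sample standing in for /var/lib/ipa/ra-agent.pem.
RA_AGENT_PEM = (
    "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(_placeholder_der(b"current-ra-cert")).decode()
    + "-----END CERTIFICATE-----\n"
)

# Assumed DN of the RA agent entry in the Dogtag database (o=ipaca).
ENTRY_DN = "uid=ipara,ou=People,o=ipaca"

# Constructed sample of the entry's multi-valued userCertificate attribute in
# the base64 form ldapsearch prints for binary values: four values, the last
# one matching ra-agent.pem, as in the thread.
ENTRY_CERT_VALUES = [
    base64.b64encode(_placeholder_der(b"old-ra-cert-1")).decode(),
    base64.b64encode(_placeholder_der(b"old-ra-cert-2")).decode(),
    base64.b64encode(_placeholder_der(b"old-ra-cert-3")).decode(),
    base64.b64encode(_placeholder_der(b"current-ra-cert")).decode(),
]

_PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S
)


def pem_to_der(pem: str) -> bytes:
    """Return the DER bytes of the first CERTIFICATE block in a PEM string."""
    m = _PEM_RE.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found in PEM input")
    return base64.b64decode("".join(m.group(1).split()))


def classify_values(values, wanted_der):
    """Split base64 userCertificate values into (keep, remove).

    Comparison is on the decoded bytes, so differences in base64 line
    wrapping between ldapsearch output and the PEM file do not matter.
    """
    keep, remove = [], []
    for v in values:
        (keep if base64.b64decode(v) == wanted_der else remove).append(v)
    return keep, remove


def build_cleanup_ldif(dn, values, wanted_der):
    """Build an LDIF modify that deletes every value except the matching one.

    Refuses to produce anything unless exactly one value matches, so a
    mismatch between the entry and ra-agent.pem is caught before ldapmodify.
    """
    keep, remove = classify_values(values, wanted_der)
    if len(keep) != 1:
        raise ValueError(
            f"expected exactly one value matching ra-agent.pem, found {len(keep)}"
        )
    if not remove:
        return ""  # nothing to clean up
    lines = [f"dn: {dn}", "changetype: modify"]
    for v in remove:
        # '::' marks a base64-encoded value in LDIF.
        lines += ["delete: userCertificate", f"userCertificate:: {v}", "-"]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    wanted = pem_to_der(RA_AGENT_PEM)
    print(build_cleanup_ldif(ENTRY_DN, ENTRY_CERT_VALUES, wanted))
```

Against a real server you would feed the script the PEM file and the base64 values from `ldapsearch -b o=ipaca` instead of the constructed samples, review the printed LDIF, and only then apply it with `ldapmodify`; the hard failure on zero or multiple matches is deliberate, because deleting the wrong value leaves the CA with no usable RA agent certificate.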