Ian Kumlien via FreeIPA-users wrote:
> Hi,
> 
> I've been confused by this a while... But from talking to people on
> #freeipa@freenode this might be the real issue:
> 
> certutil -d /etc/pki/pki-tomcat/alias/ -L |grep cert-pki-ca
> Server-Cert cert-pki-ca                                      u,u,u
> ---
> 
> I have been trying ipa-cert-fix, which seems to look at most
> certificates but not these.
> 
> Also:
> ipa-cacert-manage renew
> 'NoneType' object has no attribute 'is_self_signed'
> The ipa-cacert-manage command failed.

You absolutely do NOT want this. This renews the CA certificate, NOT the
subsystem certificates. Doing this will only add to the confusion.

That said, it shouldn't error out in this way.

> Running:
> b3a160b70566ba1703a184f07b493246630829a8
> 
> From ipa-4.7
> (Needed ipa-cert-fix)
> 
> Any clues on how to proceed? I'm still trying to understand this thing =)

I still don't know what isn't working. We need:

- the output of getcert list
- the CA debug log (or the last bit from startup to failure).
- certutil -L -d /etc/pki/pki-tomcat/alias/ might be handy too

rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org