Hi Rob,

On 7/22/19 5:34 PM, Rob Crittenden via FreeIPA-users wrote:
> It is expected. dogtag uses cert auth to bind to LDAP. That fails with the expired certs. This is why the IPA tree is used to distribute the updated certificates.
>
> rob
Good news: Apparently the new certificate did make it into the local cert database.

On the renewal master:

[root@ipa1 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Wed Jun 23 09:56:18 2021

On the non-renewal masters, e.g. ipa0:

[root@ipa0 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Wed Jun 23 09:56:18 2021

Bad news: pki-tomcatd still doesn't start on the non-renewal masters. journal is attached.

Is there yet another copy of the certificate (or its CA chain) that might be out-of-date?

I haven't dared to restart ipa1 yet.

Regards
Harri
[Attachment: journal.txt.gz (application/gzip)]
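The check Harri runs by hand above (reading "Not After" out of `certutil -L` on each master) is the kind of thing worth scripting across all replicas, because a replica whose NSS database still holds the old subsystem certificate will fail the LDAP certificate bind that Rob describes. The following is an added example, not code from the thread or from FreeIPA/dogtag: it parses the validity lines of `certutil -L -d <db> -n <nick>` output, classifies each host's certificate against a reference time, and flags any host whose "Not After" differs from the renewal master's. The certutil output for ipa1/ipa0 is constructed from the dates in the thread; the host "ipa2" and its dates are invented to show what a stale replica looks like, and the 28-day warning window is an arbitrary assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed samples of `certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'`
# output, keyed by host. ipa1/ipa0 use the dates quoted in the thread; ipa2 is an invented
# replica that never received the renewed certificate (hypothetical data).
SAMPLE_OUTPUT = {
    "ipa1": """Certificate:
    Data:
        Version: 3 (0x2)
        Validity:
            Not Before: Sun Jun 23 09:56:18 2019
            Not After : Wed Jun 23 09:56:18 2021
        Subject: "CN=CA Subsystem,O=EXAMPLE.TEST"
""",
    "ipa0": """Certificate:
    Data:
        Validity:
            Not Before: Sun Jun 23 09:56:18 2019
            Not After : Wed Jun 23 09:56:18 2021
        Subject: "CN=CA Subsystem,O=EXAMPLE.TEST"
""",
    "ipa2": """Certificate:
    Data:
        Validity:
            Not Before: Sat Jul 01 09:56:18 2017
            Not After : Mon Jul 01 09:56:18 2019
        Subject: "CN=CA Subsystem,O=EXAMPLE.TEST"
""",
}

# certutil prints "Not Before: <date>" and "Not After : <date>" (note the aligned colon).
VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+?)\s*$", re.MULTILINE)
# certutil's date layout, e.g. "Wed Jun 23 09:56:18 2021" (printed in the host's local time).
CERTUTIL_DATE_FMT = "%a %b %d %H:%M:%S %Y"


def parse_validity(certutil_text):
    """Return (not_before, not_after) datetimes from one certificate's certutil -L output."""
    found = {}
    for which, raw in VALIDITY_RE.findall(certutil_text):
        found[which] = datetime.strptime(raw, CERTUTIL_DATE_FMT)
    if "Before" not in found or "After" not in found:
        raise ValueError("validity lines not found in certutil output")
    return found["Before"], found["After"]


def classify(not_before, not_after, now, warn_days=28):
    """Classify a certificate relative to `now`; warn_days is an assumed renewal lead time."""
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if now + timedelta(days=warn_days) >= not_after:
        return "expiring-soon"
    return "ok"


def compare_hosts(outputs, master, now_text):
    """Parse each host's certutil output and compare its Not After against the renewal master's.

    Returns {host: {"not_after": datetime, "status": str, "matches_master": bool}}.
    A host whose Not After differs from the master's is still carrying a different
    (typically older) subsystem certificate in its local NSS database.
    """
    now = datetime.strptime(now_text, CERTUTIL_DATE_FMT)
    _, master_not_after = parse_validity(outputs[master])
    report = {}
    for host, text in outputs.items():
        not_before, not_after = parse_validity(text)
        report[host] = {
            "not_after": not_after,
            "status": classify(not_before, not_after, now),
            "matches_master": not_after == master_not_after,
        }
    return report


def stale_hosts(outputs, master, now_text):
    """Hosts whose certificate is expired or does not match the renewal master's copy."""
    report = compare_hosts(outputs, master, now_text)
    return sorted(h for h, r in report.items()
                  if r["status"] == "expired" or not r["matches_master"])


if __name__ == "__main__":
    # Reference time chosen to match the thread's date (constructed).
    for host, r in compare_hosts(SAMPLE_OUTPUT, "ipa1", "Tue Jul 23 12:00:00 2019").items():
        print(f"{host}: Not After {r['not_after']:%Y-%m-%d} {r['status']} "
              f"{'(matches master)' if r['matches_master'] else '(DIFFERS from master)'}")
```

In practice you would feed the function the real output collected from each master (for example over ssh), and treat any host listed by `stale_hosts` as one where pki-tomcatd will keep failing its LDAP bind until the renewed certificate reaches that host's NSS database.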
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org