Hi Rob,

On 7/22/19 5:34 PM, Rob Crittenden via FreeIPA-users wrote:
It is expected. dogtag uses cert auth to bind to LDAP. That fails with
the expired certs. This is why the IPA tree is used to distribute the
updated certificates.

rob

Good news:

Apparently the new certificate did make it into the local cert database.
On the renewal master:

[root@ipa1 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Wed Jun 23 09:56:18 2021

On the non-renewal masters, e.g. ipa0:

[root@ipa0 ~]# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca' | grep "Not After"
            Not After : Wed Jun 23 09:56:18 2021


Bad news:

pki-tomcatd still doesn't start on the non-renewal masters. The journal
is attached. Is there yet another copy of the certificate (or its CA
chain) that might be out-of-date?

I haven't dared to restart ipa1 yet.


Regards
Harri

Attachment: journal.txt.gz
Description: application/gzip

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
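One way to do the per-host `certutil -L` comparison from the thread across every CA master at once, as an added example that is not from the thread or the FreeIPA project: it parses the `certutil -L` output for the same nickname from each host, classifies each copy against a reference date, and flags when the masters do not all hold the same certificate. The sample output is constructed; ipa0 and ipa1 are the hosts named in the thread and ipa2 is an assumed third replica.

```python
import re
from datetime import datetime, timedelta

# Date layout certutil -L prints in its Validity section,
# e.g. "Not After : Wed Jun 23 09:56:18 2021".
CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"

def parse_certutil(text):
    """Pull serial number and Not After out of `certutil -L -n <nick>` output."""
    serial = re.search(r"Serial Number:\s*(.+)", text)
    not_after = re.search(r"Not After\s*:\s*(.+)", text)
    if serial is None or not_after is None:
        raise ValueError("certutil output lacks Serial Number or Not After")
    return {"serial": serial.group(1).strip(),
            "not_after": datetime.strptime(not_after.group(1).strip(), CERTUTIL_DATE)}

def check_masters(outputs, now, warn_days=30):
    """Classify each master's copy and check that all copies agree.

    outputs maps hostname -> certutil -L text for one nickname. Copies are
    'consistent' only if every host shows the same serial and Not After.
    """
    parsed = {host: parse_certutil(text) for host, text in outputs.items()}
    states = {}
    for host, cert in parsed.items():
        left = cert["not_after"] - now
        if left <= timedelta(0):
            states[host] = "expired"
        elif left <= timedelta(days=warn_days):
            states[host] = "expiring"
        else:
            states[host] = "ok"
    identities = {(c["serial"], c["not_after"]) for c in parsed.values()}
    return {"hosts": states, "consistent": len(identities) == 1}

# Constructed sample output, not captured from a real system.  ipa1 and ipa0
# hold the renewed cert from the thread; "ipa2" is an assumed extra replica
# that still carries the previous, already expired copy.
RENEWED = """        Serial Number: 5 (0x5)
        Validity:
            Not Before: Mon Jun 24 09:56:18 2019
            Not After : Wed Jun 23 09:56:18 2021
"""
STALE = """        Serial Number: 3 (0x3)
        Validity:
            Not Before: Tue Jun 27 09:56:18 2017
            Not After : Wed Jun 26 09:56:18 2019
"""
SAMPLE = {"ipa1": RENEWED, "ipa0": RENEWED, "ipa2": STALE}
```

Feed it the real `certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'` text from each master (for example `check_masters(SAMPLE, datetime.now())`); a host reported as "expired" or a `consistent: False` result points at the copy that the renewal did not reach.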
