Hi Flo, Thanks for the information. I've tried to run the cert fix utility just now and I'm hitting an issue, ironically with the SSL certificate:
[root@red-auth01 ~]# ipa-cert-fix Failed to get Server-Cert The ipa-cert-fix command failed. From the message log: Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate. Any advice? Marc. -----Original Message----- From: Florence Blanc-Renaud <f...@redhat.com> Sent: 17 November 2020 10:57 To: Marc Pearson | i-Neda Ltd <mpear...@i-neda.com>; FreeIPA users list <freeipa-users@lists.fedorahosted.org> Subject: Re: [Freeipa-users] subsystemCert appears out of date On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote: > Hi Flo, > > Thanks for the help. Included is the output of all the commands as you > requested. These were all run from a single freeIPA server (red-auth01). > > kinit admin; ipa server-role-find --role "CA server" > Password for ad...@int.i-neda.com: > ---------------------- > 8 server roles matched > ---------------------- >  Server name: power-auth03.int.i-neda.com  Role name: CA server >  Role status: enabled > >  Server name: power-auth04.int.i-neda.com  Role name: CA server >  Role status: absent > >  Server name: red-auth01.int.i-neda.com  Role name: CA server  > Role status: enabled > >  Server name: red-auth02.int.i-neda.com  Role name: CA server  > Role status: enabled > >  Server name: red-auth03.int.i-neda.com  Role name: CA server  > Role status: enabled > >  Server name: red-auth04.int.i-neda.com  Role name: CA server  > Role status: enabled > >  Server name: white-auth01.int.i-neda.com  Role name: CA server >  Role status: enabled > >  Server name: white-auth02.int.i-neda.com  Role name: CA server >  Role status: enabled > ---------------------------- > Number of entries returned 8 > ---------------------------- > > >  kinit admin; ipa config-show | grep "renewal" > Password for ad...@int.i-neda.com: >  IPA CA renewal master: red-auth01.int.i-neda.com > > > rpm -qa | grep ipa-server > ipa-server-common-4.6.8-5.el7.centos.noarch > ipa-server-4.6.8-5.el7.centos.x86_64 > ipa-server-dns-4.6.8-5.el7.centos.noarch > > > getcert list > Number of certificates and requests being tracked: 8. > Request ID '20171101175244': > status: MONITORING > stuck: no > key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > CA: SelfSign > issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM > subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM > expires: 2021-08-10 14:04:07 UTC > principal name: krbtgt/int.i-neda....@int.i-neda.com > certificate template/profile: KDCs_PKINIT_Certs pre-save command: > post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > track: yes > auto-renew: yes > > Request ID '20180722081853': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigning > Cert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigning > Cert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=INT.I-NEDA.COM > subject: CN=CA Audit,O=INT.I-NEDA.COM > expires: 2022-09-16 12:36:41 UTC > key usage: digitalSignature,nonRepudiation pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > > Request ID '20180722081854': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningC > ert cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningC > ert cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=INT.I-NEDA.COM > subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM > expires: 2022-09-16 12:35:31 UTC > eku: id-kp-OCSPSigning > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20180722081855': > status: CA_UNREACHABLE > ca-error: Error 58 connecting to > https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: > Problem with the local SSL certificate. > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCer > t cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCer > t cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=INT.I-NEDA.COM > subject: CN=CA Subsystem,O=INT.I-NEDA.COM > expires: 2020-10-24 07:04:35 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > > Request ID '20180722081856': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCer > t cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCer > t cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=INT.I-NEDA.COM > subject: CN=Certificate Authority,O=INT.I-NEDA.COM > expires: 2040-10-10 07:51:04 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "caSigningCert cert-pki-ca" > track: yes > auto-renew: yes > > Request ID '20180722081857': > status: CA_UNREACHABLE > ca-error: Error 58 connecting to > https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: > Problem with the local SSL certificate. > stuck: no > key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' > certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=INT.I-NEDA.COM > subject: CN=IPA RA,O=INT.I-NEDA.COM > expires: 2020-10-24 07:03:24 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: > /usr/libexec/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > > Request ID '20180722081858': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=INT.I-NEDA.COM > subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM > expires: 2021-02-09 11:59:57 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > > Request ID '20200530130439': > status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN > stuck: yes > key pair storage: > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert' > certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert' > CA: IPA > issuer: > subject: > expires: unknown > pre-save command: > post-save command: > track: yes > auto-renew: yes > Hi Marc, so the current situation is the following: - red-auth01 is the renewal master, with multiple replicas hosting the CA role. - on this server, 'subsystemCert cert-pki-ca' is expired (expires: 2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires: 2020-10-24 07:03:24 UTC). - there is also an issue with the tracking of the cert used by HTTP But one of your comments is puzzling me: > The signing SSL (int.i-neda.com) is a full wildcard block chain that > is authorized by a recognised 3rd party. It's worth noting though, > that we had some issues with the block chain back in April as the > thrid parties block chain expired. So it's possible that this is as a > result of that issue, and may require some fettling to resolve. All help is > appreciated. Did you import the new CA chain at that time using ipa-cacert-manage install / ipa-certupdate? According to getcert output, the IPA CA is now self-signed. It looks a lot like issue https://pagure.io/freeipa/issue/8176 where the externally-signed IPA CA is renewed/replaced with a self-signed CA. As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your system. It will be easier to use this tool to fix the server: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#renewing-expired-system-certificate-when-idm-is-offline Once the systems are up again, you can switch back to an externally-signed ipa CA: - import the external CA chain using ipa-cacert-manage install + run ipa-certupdate on all the ipa nodes - switch to externally-signed CA with ipa-cacert-manage renew --external-ca command (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#manual-cert-renewal-ext) HTH, flo > > My current tempory work around is to set the local clock of the OS > back by over a month so the server belives the expired CA's are still valid. > > Kind Regards, > > Marc. > ---------------------------------------------------------------------- > -- > *From:* Florence Blanc-Renaud <f...@redhat.com> > *Sent:* 16 November 2020 14:35 > *To:* FreeIPA users list <freeipa-users@lists.fedorahosted.org> > *Cc:* Marc Pearson | i-Neda Ltd <mpear...@i-neda.com> > *Subject:* Re: [Freeipa-users] subsystemCert appears out of date On > 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote: >> Hi All, >> >> My subsystem cert appears to have gone out of date, and Iââ,¬â"¢m >> unable to get it to update. This has become an issue on my production >> environment, and my current work around has been to take the system >> date back by a month. Iââ,¬â"¢ve tried the cert renew tool, but this >> doesnââ,¬â"¢t seem to have updated this cert. >> >> Is anyone able to point me in the right direction to be able to >> update this specific certificate as Iââ,¬â"¢ve been unable to find anything >> online. >> >> [auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n >> 'subsystemCert cert-pki-ca' >> >> Certificate: >> >> Ã, Ã, Ã, Data: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Version: 3 (0x2) >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Serial Number: 42 (0x2a) >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 >>With RSA Encryption >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Issuer: "CN=Certificate >>Authority,O=INT.I-NEDA.COM" >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Validity: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Not Before: Sun Nov 04 >>08:04:35 2018 >> >> Not After : Sat Oct 24 07:04:35 2020 >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM" >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Subject Public Key Info: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Public Key Algorithm: >>PKCS #1 RSA Encryption >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, RSA Public Key: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Modulus: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, c6:7e:e6:40:8f:6e:77:07:8f:2a:ca:ca:63:63:cf:c6: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 5f:1c:09:63:4a:bb:17:68:17:cd:20:9b:f3:b0:5b:c0: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, f7:ff:72:07:1d:a2:29:93:61:62:5c:9f:04:d3:cb:7b: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, bf:53:de:bb:dd:d6:3f:a1:14:95:04:53:64:87:73:24: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, e3:61:66:96:ab:99:1f:2c:da:ec:22:e5:21:b1:5c:d5: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 0a:dd:4e:3f:f8:e2:90:a1:55:31:ad:11:2f:3b:d3:90: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 14:dc:b7:9d:fc:35:1a:ab:48:27:68:0a:9f:cb:95:14: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 00:93:b8:d4:d4:30:de:4e:be:20:a3:01:24:e8:f2:4a: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 1a:d2:b6:e0:09:77:3d:24:e3:5a:cf:51:d6:ca:d2:65: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 53:62:72:64:fe:7d:53:09:0e:97:b8:61:c9:c8:6d:24: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 52:15:f2:bf:40:04:38:24:22:73:fb:80:a0:ff:16:57: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, e1:0b:3c:71:02:d7:e6:2e:94:0a:e7:4e:aa:5e:6f:91: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, a5:68:65:21:cd:68:0c:2d:5d:53:fa:e0:10:75:47:43: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, 04:f2:8b:e1:1c:1c:ed:a6:c1:ee:5c:6c:72:51:b5:e6: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, cd:f9:06:45:17:00:2b:d7:34:75:8a:59:f2:21:97:c6: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, Ã, 63:d3:6f:54:d9:00:42:74:88:9e:94:d0:d4:d2:a1:b7 >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Exponent: 65537 (0x10001) >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Signed Extensions: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate >>Authority Key Identifier >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Key ID: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>d5:08:c0:3a >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Authority >>Information Access >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Method: PKIX Online >>Certificate Status Protocol >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Location: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, URI: >>"http://ipa-ca.int.i-neda.com/ca/ocsp"; >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Certificate Key >>Usage >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Critical: True >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Usages: Digital >>Signature >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, Ã, Non-Repudiation >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, Ã, Key Encipherment >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>Ã, Ã, Data Encipherment >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Name: Extended Key >>Usage >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS >>Web Server Authentication Certificate >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, TLS >>Web Client Authentication Certificate >> >> Ã, Ã, Ã, Signature Algorithm: PKCS #1 SHA-256 With RSA >>Encryption >> >> Ã, Ã, Ã, Signature: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>5f:b7:31:25:10:ef:e7:72:44:8e:94:1d:57:4e:bb:4e: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>22:cf:9b:7e:f4:20:a2:fa:96:2a:cf:e9:70:cd:a6:82: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>4a:bd:58:4b:a7:df:4d:77:47:ba:65:d0:68:c5:dc:59: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>77:7e:bf:36:d3:55:c7:86:d3:16:77:51:46:c2:48:de: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>e8:0d:62:05:b9:8c:46:bd:22:7d:8d:d0:ad:5a:64:6b: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>9b:7d:ec:4c:e6:05:e7:02:97:cd:01:f5:19:91:15:7e: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>cc:41:5b:f2:00:2d:c0:0b:91:9e:62:d5:7a:b2:1e:8f: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>32:62:c2:ed:1a:e8:e1:56:32:e0:0e:79:55:a2:49:35: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>0e:df:5d:a3:df:e2:dd:58:60:4a:dd:19:92:f7:4d:60: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>59:0e:16:b1:ae:32:e6:c5:c5:fa:5b:2f:fe:1d:fe:e9: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>ec:67:2b:65:33:f2:57:64:8a:68:f3:91:9b:25:ff:02: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>64:4c:a1:6d:fe:f0:73:95:f2:0f:49:fb:3f:85:21:a0: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>68:37:dc:cd:73:02:73:20:22:a9:1d:c9:7e:88:4f:9b: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>7c:92:f8:c1:50:0f:95:43:48:5b:8b:7f:0f:48:04:a8: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>c7:c0:0e:58:7c:86:2c:3a:b5:72:e3:34:3d:d8:0f:26: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>eb:44:fa:75:c1:c8:fc:b6:7d:f7:31:91:a4:71:a1:51 >> >> Ã, Ã, Ã, Fingerprint (SHA-256): >> >> >> 4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1: >> 15:13:92:D3:7A:3D:F8:54:44 >> >> Ã, Ã, Ã, Fingerprint (SHA1): >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, >>03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6 >> >> Ã, Ã, Ã, Mozilla-CA-Policy: false (attribute missing) >> >> Ã, Ã, Ã, Certificate Trust Flags: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, SSL Flags: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Email Flags: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Object Signing Flags: >> >> Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, Ã, User >> >> Thanks for the help, >> >> Marc. >> >> >> _______________________________________________ >> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org >> To unsubscribe send an email to >> freeipa-users-le...@lists.fedorahosted.org >> Fedora Code of Conduct: >> https://docs.fedoraproject.org/en-US/project/code-of-conduct/ >> List Guidelines: >> https://fedoraproject.org/wiki/Mailing_list_guidelines >> List Archives: >> https://lists.fedorahosted.org/archives/list/freeipa-us...@lists.fedo >> rahosted.org >> > Hi Marc, > > we need more information in order to help you: > - do you have multiple master/replicas with the CA role: > # kinit admin; ipa server-role-find --role "CA server" > > - which server is the renewal master: > # kinit admin ; ipa config-show | grep "renewal" > > - which version is installed: > # rpm -qa | grep ipa-server > > - Is the subsystemCert cert-pki-ca the only expired certificate: > # getcert list > > flo > _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
