Thanks Flo,

I'm surprised I didn't catch that typo:

certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

CN=AddTrust External CA Root,OU=AddTrust External TTP Network,O=AddTrust AB,C=SE C,,  
CN=COMODO High-Assurance Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,  
CN=COMODO RSA Domain Validation Secure Server CA,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,  
comodoCA                                                     C,,  
INT.I-NEDA.COM IPA CA                                        CT,C,C
INT.I-NEDA.COM IPA CA                                        CT,C,C
INT.I-NEDA.COM IPA CA                                        CT,C,C
CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,  
CN=COMODO RSA Certification Authority,O=COMODO CA Limited,L=Salford,ST=Greater Manchester,C=GB C,,  
comodoCA2                                                    C,,  
INT.I-NEDA.COM IPA CA                                        CT,C,C
INT.I-NEDA.COM IPA CA                                        CT,C,C
comodoCA                                                     C,,  
CN=*.int.i-neda.com                                          u,u,u
INT.I-NEDA.COM IPA CA                                        CT,C,C

Marc.

-----Original Message-----
From: Florence Blanc-Renaud <f...@redhat.com> 
Sent: 24 November 2020 09:01
To: Marc Pearson | i-Neda Ltd <mpear...@i-neda.com>; FreeIPA users list 
<freeipa-users@lists.fedorahosted.org>
Subject: Re: [Freeipa-users] subsystemCert appears out of date

On 11/24/20 9:54 AM, Marc Pearson | i-Neda Ltd wrote:
> Hi Flo,
> 
> I'm getting a database error when running that command:
> 
> # certutil -L -d /etc/dirsrc/slapd-INT-I-NEDA-COM
> certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key 
> database is in an old, unsupported format.
> 
Sorry, I made a typo, it should be dirsrv, not dirsrc:
# certutil -L -d /etc/dirsrv/slapd-INT-I-NEDA-COM

flo
> 
> Not sure if that's of any help?
> 
> Marc.
> 
> -----Original Message-----
> From: Florence Blanc-Renaud <f...@redhat.com>
> Sent: 21 November 2020 19:06
> To: Marc Pearson | i-Neda Ltd <mpear...@i-neda.com>; FreeIPA users 
> list <freeipa-users@lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] subsystemCert appears out of date
> 
> On 11/18/20 12:23 PM, Marc Pearson | i-Neda Ltd wrote:
>> Hi Flo,
>>
>> Thanks for the information. I've tried to run the cert fix utility just now 
>> and I'm hitting an issue, ironically with the SSL certificate:
>>
>> [root@red-auth01 ~]# ipa-cert-fix
>> Failed to get Server-Cert
>> The ipa-cert-fix command failed.
>>
> Hi,
> I failed to notice the first time but there is no tracking for the LDAP cert 
> that is stored in /etc/dirsrv/slapd-$DOMAIN/. What is the output of
> # certutil -L -d /etc/dirsrc/slapd-$DOMAIN
> You should see Server-Cert (=the ldap server certificate), or maybe a
> different nickname is used?
> 
> flo
> 
>>   From the message log:
>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>> Nov 18 11:18:32 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>> Nov 18 11:18:33 red-auth01 certmonger: 2020-11-18 11:18:33 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>> Nov 18 11:18:35 red-auth01 dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>> Nov 18 11:18:35 red-auth01 certmonger: 2020-11-18 11:18:35 [1164] Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>
>> Any advice?
>>
>> Marc.
>>
>> -----Original Message-----
>> From: Florence Blanc-Renaud <f...@redhat.com>
>> Sent: 17 November 2020 10:57
>> To: Marc Pearson | i-Neda Ltd <mpear...@i-neda.com>; FreeIPA users 
>> list <freeipa-users@lists.fedorahosted.org>
>> Subject: Re: [Freeipa-users] subsystemCert appears out of date
>>
>> On 11/17/20 10:19 AM, Marc Pearson | i-Neda Ltd wrote:
>>> Hi Flo,
>>>
>>> Thanks for the help. Included is the output of all the commands as 
>>> you requested. These were all run from a single freeIPA server (red-auth01).
>>>
>>> kinit admin; ipa server-role-find --role "CA server"
>>> Password for ad...@int.i-neda.com:
>>> ----------------------
>>> 8 server roles matched
>>> ----------------------
>>>      Server name: power-auth03.int.i-neda.com    Role name: CA server   Role status: enabled
>>>
>>>      Server name: power-auth04.int.i-neda.com    Role name: CA server   Role status: absent
>>>
>>>      Server name: red-auth01.int.i-neda.com    Role name: CA server  Role status: enabled
>>>
>>>      Server name: red-auth02.int.i-neda.com    Role name: CA server  Role status: enabled
>>>
>>>      Server name: red-auth03.int.i-neda.com    Role name: CA server  Role status: enabled
>>>
>>>      Server name: red-auth04.int.i-neda.com    Role name: CA server  Role status: enabled
>>>
>>>      Server name: white-auth01.int.i-neda.com    Role name: CA server   Role status: enabled
>>>
>>>      Server name: white-auth02.int.i-neda.com    Role name: CA server   Role status: enabled
>>> ----------------------------
>>> Number of entries returned 8
>>> ----------------------------
>>>
>>>
>>>     kinit admin; ipa config-show | grep "renewal"
>>> Password for ad...@int.i-neda.com:
>>>      IPA CA renewal master: red-auth01.int.i-neda.com
>>>
>>>
>>> rpm -qa | grep ipa-server
>>> ipa-server-common-4.6.8-5.el7.centos.noarch
>>> ipa-server-4.6.8-5.el7.centos.x86_64
>>> ipa-server-dns-4.6.8-5.el7.centos.noarch
>>>
>>>
>>> getcert list
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20171101175244':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>>> CA: SelfSign
>>> issuer: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>> expires: 2021-08-10 14:04:07 UTC
>>> principal name: krbtgt/int.i-neda....@int.i-neda.com
>>> certificate template/profile: KDCs_PKINIT_Certs
>>> pre-save command:
>>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081853':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=CA Audit,O=INT.I-NEDA.COM
>>> expires: 2022-09-16 12:36:41 UTC
>>> key usage: digitalSignature,nonRepudiation
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081854':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=OCSP Subsystem,O=INT.I-NEDA.COM
>>> expires: 2022-09-16 12:35:31 UTC
>>> eku: id-kp-OCSPSigning
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081855':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=CA Subsystem,O=INT.I-NEDA.COM
>>> expires: 2020-10-24 07:04:35 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081856':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> expires: 2040-10-10 07:51:04 UTC
>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081857':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>>> stuck: no
>>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=IPA RA,O=INT.I-NEDA.COM
>>> expires: 2020-10-24 07:03:24 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20180722081858':
>>> status: MONITORING
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=INT.I-NEDA.COM
>>> subject: CN=red-auth01.int.i-neda.com,O=INT.I-NEDA.COM
>>> expires: 2021-02-09 11:59:57 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>>> track: yes
>>> auto-renew: yes
>>>
>>> Request ID '20200530130439':
>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>> stuck: yes
>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
>>> CA: IPA
>>> issuer:
>>> subject:
>>> expires: unknown
>>> pre-save command:
>>> post-save command:
>>> track: yes
>>> auto-renew: yes
>>>
>> Hi Marc,
>>
>> so the current situation is the following:
>> - red-auth01 is the renewal master, with multiple replicas hosting the CA 
>> role.
>> - on this server, 'subsystemCert cert-pki-ca' is expired (expires:
>> 2020-10-24 07:04:35 UTC) as well as /var/lib/ipa/ra-agent.pem (expires:
>> 2020-10-24 07:03:24 UTC).
>> - there is also an issue with the tracking of the cert used by HTTP
>>
>> But one of your comments is puzzling me:
>>
>>> The signing SSL (int.i-neda.com) is a full wildcard block chain that 
>>> is authorized by a recognised 3rd party. It's worth noting though, 
>>> that we had some issues with the block chain back in April as the 
>>> third parties block chain expired. So it's possible that this is as 
>>> a result of that issue, and may require some fettling to resolve. All help 
>>> is appreciated.
>> Did you import the new CA chain at that time using ipa-cacert-manage install 
>> / ipa-certupdate?
>>
>> According to getcert output, the IPA CA is now self-signed. It looks a lot 
>> like issue https://pagure.io/freeipa/issue/8176 where the externally-signed 
>> IPA CA is renewed/replaced with a self-signed CA.
>>
>> As you have ipa 4.6.8-5, the ipa-cert-fix utility is available on your 
>> system. It will be easier to use this tool to fix the server:
>> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#renewing-expired-system-certificate-when-idm-is-offline
>>
>> Once the systems are up again, you can switch back to an externally-signed 
>> ipa CA:
>> - import the external CA chain using ipa-cacert-manage install + run 
>> ipa-certupdate on all the ipa nodes
>> - switch to externally-signed CA with ipa-cacert-manage renew 
>> --external-ca command 
>> (https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html-single/linux_domain_identity_authentication_and_policy_guide/index#manual-cert-renewal-ext)
>>
>> HTH,
>> flo
>>>
>>> My current temporary workaround is to set the local clock of the OS 
>>> back by over a month so the server believes the expired CA's are still valid.
>>>
>>> Kind Regards,
>>>
>>> Marc.
>>> ------------------------------------------------------------------------
>>> *From:* Florence Blanc-Renaud <f...@redhat.com>
>>> *Sent:* 16 November 2020 14:35
>>> *To:* FreeIPA users list <freeipa-users@lists.fedorahosted.org>
>>> *Cc:* Marc Pearson | i-Neda Ltd <mpear...@i-neda.com>
>>> *Subject:* Re: [Freeipa-users] subsystemCert appears out of date
>>>
>>> On 11/16/20 10:03 AM, Marc Pearson | i-Neda Ltd via FreeIPA-users wrote:
>>>> Hi All,
>>>>
>>>> My subsystem cert appears to have gone out of date, and I'm 
>>>> unable to get it to update. This has become an issue on my 
>>>> production environment, and my current work around has been to take 
>>>> the system date back by a month. I've tried the cert renew 
>>>> tool, but this doesn't seem to have updated this cert.
>>>>
>>>> Is anyone able to point me in the right direction to be able to 
>>>> update this specific certificate as I've been unable to find 
>>>> anything online.
>>>>
>>>> [auth01 ~]# certutil -L -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca'
>>>>
>>>> Certificate:
>>>>     Data:
>>>>         Version: 3 (0x2)
>>>>         Serial Number: 42 (0x2a)
>>>>         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>         Issuer: "CN=Certificate Authority,O=INT.I-NEDA.COM"
>>>>         Validity:
>>>>             Not Before: Sun Nov 04 08:04:35 2018
>>>>             Not After : Sat Oct 24 07:04:35 2020
>>>>         Subject: "CN=CA Subsystem,O=INT.I-NEDA.COM"
>>>>         Subject Public Key Info:
>>>>             Public Key Algorithm: PKCS #1 RSA Encryption
>>>>             RSA Public Key:
>>>>                 Modulus:
>>>>
>>>>                 Exponent: 65537 (0x10001)
>>>>         Signed Extensions:
>>>>             Name: Certificate Authority Key Identifier
>>>>             Key ID:
>>>>                 f2:bb:9c:4f:e3:d8:c3:f9:58:eb:cc:5f:f7:be:8c:d6:
>>>>                 d5:08:c0:3a
>>>>             Name: Authority Information Access
>>>>             Method: PKIX Online Certificate Status Protocol
>>>>             Location:
>>>>                 URI: "http://ipa-ca.int.i-neda.com/ca/ocsp"
>>>>             Name: Certificate Key Usage
>>>>             Critical: True
>>>>             Usages: Digital Signature
>>>>                     Non-Repudiation
>>>>                     Key Encipherment
>>>>                     Data Encipherment
>>>>             Name: Extended Key Usage
>>>>                 TLS Web Server Authentication Certificate
>>>>                 TLS Web Client Authentication Certificate
>>>>     Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>>>>     Signature:
>>>>
>>>>     Fingerprint (SHA-256):
>>>>         4F:2A:1B:54:65:B6:09:3E:AD:68:08:92:CB:8D:FE:13:EF:B8:4C:F1:1E:0F:E1:15:13:92:D3:7A:3D:F8:54:44
>>>>     Fingerprint (SHA1):
>>>>         03:34:DC:55:F5:00:AF:8C:EF:AC:AA:0D:E0:44:AD:5C:6F:CF:97:A6
>>>>     Mozilla-CA-Policy: false (attribute missing)
>>>>     Certificate Trust Flags:
>>>>         SSL Flags:
>>>>             User
>>>>         Email Flags:
>>>>             User
>>>>         Object Signing Flags:
>>>>             User
>>>>
>>>> Thanks for the help,
>>>>
>>>> Marc.
>>>>
>>>>
>>> Hi Marc,
>>>
>>> we need more information in order to help you:
>>> - do you have multiple master/replicas with the CA role:
>>> # kinit admin; ipa server-role-find --role "CA server"
>>>
>>> - which server is the renewal master:
>>> # kinit admin ; ipa config-show | grep "renewal"
>>>
>>> - which version is installed:
>>> # rpm -qa | grep ipa-server
>>>
>>> - Is the subsystemCert cert-pki-ca the only expired certificate:
>>> # getcert list
>>>
>>> flo
>>>
>>
> 

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
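
The question asked earlier in the thread, whether 'subsystemCert cert-pki-ca' is the only expired certificate, is answered by reading `getcert list`. The following is an added example, not part of the thread and not FreeIPA or certmonger code: it parses that output and reports every tracking request that is expired, stuck, or not in MONITORING. The function names, the 28-day warning window and the abridged sample (taken from the output quoted above, wrapped lines rejoined) are assumptions of the example.

```python
import re
from datetime import datetime, timezone

# Abridged from the `getcert list` output quoted in the thread:
# wrapped lines rejoined, most fields dropped.
SAMPLE = """\
Number of certificates and requests being tracked: 8.
Request ID '20180722081854':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2022-09-16 12:35:31 UTC
Request ID '20180722081855':
    status: CA_UNREACHABLE
    ca-error: Error 58 connecting to https://red-auth01.int.i-neda.com:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-10-24 07:04:35 UTC
Request ID '20180722081857':
    status: CA_UNREACHABLE
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    expires: 2020-10-24 07:03:24 UTC
Request ID '20200530130439':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    expires: unknown
"""

def parse_getcert_list(text):
    """Split `getcert list` text into one dict per tracking request."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values (URLs, times) contain colons.
            key, _, value = line.partition(":")
            current.setdefault(key.strip(), value.strip())
    return requests

def label(req):
    """Prefer the NSS nickname, fall back to the certificate file path."""
    cert = req.get("certificate", "")
    m = re.search(r"nickname='([^']+)'", cert) or re.search(r"location='([^']+)'", cert)
    return m.group(1) if m else "?"

def triage(requests, now, warn_days=28):
    """Return (request id, label, findings) for requests needing attention."""
    report = []
    for req in requests:
        notes = []
        if req.get("status") != "MONITORING":
            notes.append("status " + req.get("status", "missing"))
        if req.get("stuck") == "yes":
            notes.append("stuck")
        try:
            not_after = datetime.strptime(req.get("expires", ""), "%Y-%m-%d %H:%M:%S UTC")
            not_after = not_after.replace(tzinfo=timezone.utc)
        except ValueError:  # "unknown" or an absent field
            notes.append("no expiry recorded")
        else:
            if not_after <= now:
                notes.append(f"expired {(now - not_after).days} days ago")
            elif (not_after - now).days < warn_days:
                notes.append(f"expires in {(not_after - now).days} days")
        if notes:
            report.append((req["id"], label(req), notes))
    return report
```

On a live server the input would be the captured output of `getcert list`, and `now` should be the real current time rather than the host clock if the clock has been set back as a workaround.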
