> > It didn't fail on the subsystem certificate, it failed on the TLS > certificate for the CA itself (it seems). You can check that with: > > getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" > > Here's the output:
[root@freeipa ca]# getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" Number of certificates and requests being tracked: 9. Request ID '20210601131824': status: CA_UNREACHABLE ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server. stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=RHELENT.LAN subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN expires: 2021-06-08 16:53:15 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes > If it expires in 2023 then you're ok with the CA anyhow. > > Listed as expiring in 2021. Can I force this to be re-issued? Thanks Marc
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
