GH via FreeIPA-users wrote:
> The best I could tell was an upgrade back in Dec. 2019/Jan. 2020. It seems
> like it was a move from NSS to SSL for a number of pieces? Anyways, I'd had
> Ipsilon configured on the same server, and that move didn't make things happy
> as there was a port overlap. (Unsupported configuration, I know.) Lots of
> reconfiguration and copying certs around to get it straightened out.
>
> Right now, everything starts on both servers. However, on the "secondary"
> that is not the renewal master, there's a number of "certificate doesn't
> match the CS.cfg" errors.
> 'ocspSigningCert cert-pki-ca'
> 'subsystemCert cert-pki-ca'
> 'Server-Cert cert-pki-ca'
> 'auditSigningCert cert-pki-ca'
>
> Along with a:
> "msg": "Incorrect NSS trust for Server-Cert cert-pki-ca. Got ,, expected u,u,u",
>
> The "primary", which is the renewal master listed on both boxes, shows none
> of those errors. At one point, I had figured out how to "force sync" the
> certs, but I've since forgotten.
>

This means there is no associated private key with the certificate.

The "Server-Cert cert-pki-ca" certificate is used by tomcat and is unique per installation. The others are common and need to be identical on all CAs.

What does getcert list show?

rob
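
Added example, not part of the thread: a small check that reads a `certutil -L -d <nssdb>` listing and reports which of the four nicknames named above lack the `u` flag that, per the reply, indicates an associated private key. The listing is constructed sample text in certutil's column layout, and the function names are hypothetical.

```python
import re

# Constructed sample in the layout `certutil -L -d <nssdb>` prints;
# it is not output from the poster's servers.
SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      ,,
"""

# The four nicknames reported in the thread.
TRACKED = ["ocspSigningCert cert-pki-ca", "subsystemCert cert-pki-ca",
           "Server-Cert cert-pki-ca", "auditSigningCert cert-pki-ca"]

# Three comma-separated flag fields, each possibly empty (e.g. ",,").
TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")


def parse_trust(listing):
    """Return {nickname: trust_flags} from certutil -L text, skipping headers."""
    certs = {}
    for line in listing.splitlines():
        parts = line.rstrip().rsplit(None, 1)  # nickname may contain spaces
        if len(parts) == 2 and TRUST_RE.match(parts[1]):
            certs[parts[0].strip()] = parts[1]
    return certs


def missing_key(listing, nicknames=TRACKED):
    """Map each nickname that is absent, or lacks 'u' in any field, to a reason."""
    certs = parse_trust(listing)
    problems = {}
    for nick in nicknames:
        flags = certs.get(nick)
        if flags is None:
            problems[nick] = "not in database"
        elif not all("u" in field for field in flags.split(",")):
            problems[nick] = f"got '{flags}': no private key for this certificate"
    return problems


if __name__ == "__main__":
    for nick, reason in missing_key(SAMPLE).items():
        print(f"{nick}: {reason}")
```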