azeem via FreeIPA-users wrote:
> Hello!
> 
> I have inherited a FreeIPA server, and upon checking the certificate list 
> with getcert list, it shows that the certificate is already expired. Does 
> anyone know how to renew it? And because of this issue, I am not able to enroll 
> any clients. Any help would be appreciated.
> 
> Request ID '20160825909273':
> status: CA_UNREACHABLE
> ca-error: Server at https://test.domain.com/ipa/xml failed request, will 
> retry: 907 (RPC failed at server. cannot connect to 
> 'https://test.domain.com:443/ca/eeca/ca/profileSubmitSSLClient': 
> (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as 
> expired.).
> stuck: no
> key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS
>  Certificate DB',pinfile='/etc/dirsrv/slapd-TEST-DOMAINCOM/pwdfile.txt'
> certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-TEST-DOMAIN-COM',nickname='Server-Cert',token='NSS
>  Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TEST-DOMAIN-COM
> subject: CN=test.domain.com,O=TEST.DOMAIN.COM
> expires: 2023-12-18 15:52:08 UTC
> principal name: ldap/test.domain....@test.domain.com
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv TEST.DOMAIN.COM
> track: yes
> auto-renew: yes

You have more certificates expired than just this one. I would expect
there are a number of CA-related certificates also expired. The number of
tracked certificates should be more than 8 (if using getcert and not
ipa-getcert).

What version of IPA is this on what distro?

rob
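
Added example, not part of the original thread and not FreeIPA or certmonger code: a small Python parser for `getcert list` output that counts the tracked requests and flags every certificate past its expiry date, the check the reply above asks for. The sample text and its paths are constructed; the parser assumes unwrapped output with the `expires: YYYY-MM-DD HH:MM:SS UTC` format shown in the quoted request.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list` output; every value is made up.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20240101000001':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/example/nssdb-a',nickname='Server-Cert'
\tCA: IPA
\texpires: 2023-12-18 15:52:08 UTC
Request ID '20240101000002':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/example/nssdb-b',nickname='Example-Cert'
\tCA: IPA
\texpires: 2031-01-01 00:00:00 UTC
"""

FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*):\s*(.*)$")

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        start = re.match(r"^Request ID '([^']+)':", line.strip())
        if start:
            current = {"id": start.group(1)}
            requests.append(current)
            continue
        field = FIELD.match(line)
        if current is not None and field:
            current[field.group(1)] = field.group(2)
    return requests

def expired(requests, now):
    """Return (request id, nickname, status, expiry) for certificates expired at `now`."""
    hits = []
    for req in requests:
        if "expires" not in req:
            continue  # request that has no issued certificate yet
        when = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        when = when.replace(tzinfo=timezone.utc)
        if when <= now:
            nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
            hits.append((req["id"], nick.group(1) if nick else None, req.get("status"), when))
    return hits

if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    print(f"{len(reqs)} tracked requests")
    for rid, nick, status, when in expired(reqs, datetime.now(timezone.utc)):
        print(f"EXPIRED {when:%Y-%m-%d} request={rid} nickname={nick} status={status}")
```

On a real server, pass the captured output of `getcert list` to `parse_getcert` in place of `SAMPLE`.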