Hi,

you mentioned that /etc/httpd/conf.d/ssl.conf contains SSLCACertificateFile */etc/pki/tls/certs/ca-bundle.crt*
I am a bit surprised, I believe it should be configured to use /etc/ipa/ca.crt. Or your ca-bundle.crt must contain the IPA CA certificate.

flo

On Tue, Aug 12, 2025 at 5:52 PM Dimitri Rachline via FreeIPA-users <[email protected]> wrote:

> Hi Florence, and thank you for answering me.
>
> This was an automated renewal done by certmonger and several certificates
> were renewed. The renewal happened on 08/08/2025 at 10:40ish CEST
>
> Number of certificates and requests being tracked: 9.
> Request ID '20210831132131':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=IPA RA,O=FREEIPA.LOCAL
>     issued: 2025-08-08 10:43:17 CEST
>     expires: 2027-07-29 10:43:17 CEST
>     key usage: digitalSignature,keyEncipherment,dataEncipherment
>     eku: id-kp-clientAuth
>     profile: caSubsystemCert
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20210831132136':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=CA Audit,O=FREEIPA.LOCAL
>     issued: 2025-08-08 10:43:20 CEST
>     expires: 2027-07-29 10:43:20 CEST
>     key usage: digitalSignature,nonRepudiation
>     profile: caSignedLogCert
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20210831132140':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=OCSP Subsystem,O=FREEIPA.LOCAL
>     issued: 2025-08-08 10:44:19 CEST
>     expires: 2027-07-29 10:44:19 CEST
>     eku: id-kp-OCSPSigning
>     profile: caOCSPCert
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20210831132141':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=CA Subsystem,O=FREEIPA.LOCAL
>     issued: 2025-08-08 10:44:10 CEST
>     expires: 2027-07-29 10:44:10 CEST
>     key usage: digitalSignature,keyEncipherment,dataEncipherment
>     eku: id-kp-clientAuth
>     profile: caSubsystemCert
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20210831132142':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=Hebergement,O=FREEIPA.LOCAL
>     issued: 2023-08-23 12:46:55 CEST
>     expires: 2043-08-23 12:46:55 CEST
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     profile: caCACert
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20210831132143':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=sul-lnx-cap-prd01.freeipa.local,O=FREEIPA.LOCAL
>     issued: 2025-08-08 10:43:33 CEST
>     expires: 2027-07-29 10:43:33 CEST
>     dns: sul-lnx-cap-prd01.freeipa.local
>     key usage: digitalSignature,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     profile: caServerCert
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20210831132149':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-FREEIPA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-FREEIPA-LOCAL/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-FREEIPA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=sul-lnx-cap-prd01.freeipa.local,O=FREEIPA.LOCAL
>     issued: 2025-08-08 10:43:11 CEST
>     expires: 2027-08-09 10:43:11 CEST
>     dns: sul-lnx-cap-prd01.freeipa.local
>     principal name: ldap/[email protected]
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     profile: caIPAserviceCert
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv FREEIPA-LOCAL
>     track: yes
>     auto-renew: yes
> Request ID '20210831132242':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/sul-lnx-cap-prd01.freeipa.local-443-RSA'
>     certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>     CA: IPA
>     issuer: CN=Hebergement,O=FREEIPA.LOCAL
>     subject: CN=sul-lnx-cap-prd01.freeipa.local,O=FREEIPA.LOCAL
>     issued: 2025-08-08 10:42:56 CEST
>     expires: 2027-08-09 10:42:56 CEST
>     dns: sul-lnx-cap-prd01.freeipa.local,ipa-ca.freeipa.local
>     principal name: HTTP/[email protected]
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     profile: caIPAserviceCert
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> Request ID '20250811090252':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>     certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>     CA: SelfSign
>     issuer: CN=sul-lnx-cap-prd01.freeipa.local,O=FREEIPA.LOCAL
>     subject: CN=sul-lnx-cap-prd01.freeipa.local,O=FREEIPA.LOCAL
>     issued: 2025-08-11 11:02:52 CEST
>     expires: 2026-08-11 11:02:52 CEST
>     dns: sul-lnx-cap-prd01.freeipa.local
>     principal name: krbtgt/[email protected]
>     certificate template/profile: KDCs_PKINIT_Certs
>     profile: KDCs_PKINIT_Certs
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>     track: yes
>     auto-renew: yes
>
> If I get it right, there were several PKI certs and the http cert that have
> been renewed.
>
> Dimitri
> --
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it:
> https://pagure.io/fedora-infrastructure/new_issue
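Added example, not part of the original thread and not FreeIPA code: one way to check the point raised in the reply above, that whatever file `SSLCACertificateFile` names must contain the IPA CA certificate from /etc/ipa/ca.crt. The function names, the `read` callback and the PEM samples are assumptions; the samples are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)
# Only active directives: a leading '#' prevents the match.
DIRECTIVE_RE = re.compile(
    r"^[ \t]*SSLCACertificateFile[ \t]+(\S+)", re.M | re.I)

def cert_fingerprints(pem_text):
    """SHA-256 over the DER bytes of every certificate in a PEM text."""
    prints = set()
    for body in PEM_RE.findall(pem_text):
        der = base64.b64decode("".join(body.split()))
        prints.add(hashlib.sha256(der).hexdigest())
    return prints

def ca_files_from_conf(conf_text):
    """Paths named by active SSLCACertificateFile directives, in order."""
    return [p.strip("\"'") for p in DIRECTIVE_RE.findall(conf_text)]

def missing_ca_certs(bundle_pem, ipa_ca_pem):
    """Fingerprints of IPA CA certs that are absent from the bundle.
    This checks presence only; it does not validate a chain."""
    return cert_fingerprints(ipa_ca_pem) - cert_fingerprints(bundle_pem)

def check(conf_text, read, ipa_ca_path="/etc/ipa/ca.crt"):
    """Map each configured CA file to the IPA CA fingerprints it lacks.
    `read` is a callable path -> file text (hypothetical helper)."""
    ipa_ca = read(ipa_ca_path)
    return {p: missing_ca_certs(read(p), ipa_ca)
            for p in ca_files_from_conf(conf_text)}

def _fake_pem(der):
    # Constructed stand-in: arbitrary bytes wrapped as PEM, not a real cert.
    b64 = base64.encodebytes(der).decode()
    return ("-----BEGIN CERTIFICATE-----\n" + b64
            + "-----END CERTIFICATE-----\n")

# Constructed sample inputs.
SAMPLE_CONF = """\
#SSLCACertificateFile /etc/ipa/ca.crt
SSLCACertificateFile /etc/pki/tls/certs/ca-bundle.crt
"""
IPA_CA = _fake_pem(b"constructed IPA CA")
BUNDLE_WITHOUT = _fake_pem(b"constructed CA 1") + _fake_pem(b"constructed CA 2")
BUNDLE_WITH = BUNDLE_WITHOUT + IPA_CA
```

On a real server, call `check(open("/etc/httpd/conf.d/ssl.conf").read(), lambda p: open(p).read())`; an empty set for a path means that file already carries every certificate in /etc/ipa/ca.crt.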
