[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Christopher Young via FreeIPA-users
I think I found the issue (posting here in case someone else runs into something similar). It's Apple's doing. https://podtech.io/os/mac-osx/chrome-catalina-certificate-issue/ Basically, I have my default certificate date length set to 4 years (since our environment is small and these rarely ever

[Freeipa-users] Re: Certificate showing invalid (possibly revoked) but is valid

2020-02-12 Thread Christopher Young via FreeIPA-users
, 2020 at 11:02 PM Fraser Tweedale wrote: > > On Tue, Feb 11, 2020 at 05:40:14PM -0500, Christopher Young via FreeIPA-users > wrote: > > I have a weird issue where I have my RHV (RedHat Virtualization) > > environment system that has an IPA-issued certificate in place. This >

[Freeipa-users] Certificate showing invalid (possibly revoked) but is valid

2020-02-11 Thread Christopher Young via FreeIPA-users
I have a weird issue where I have my RHV (RedHat Virtualization) environment system that has an IPA-issued certificate in place. This has been working very well for some time. In any case, I'm suddenly finding that browsers are telling me the certificate is invalid, yet when I check things (I

[Freeipa-users] Re: VMware vCenter Single Sign-On

2020-02-04 Thread Christopher Young via FreeIPA-users
I gotta say, the unwillingness of large organizations like RedHat to even consider this functionality is pretty amazing to see since there was a bug filed 12 years ago to add proper support for RFC 4530 entryUUID. At some point, it should be a matter of pride for the directory services to add

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Christopher Young via FreeIPA-users
Thank you so much! That appears to have worked! - [root@orldc-prod-ipa01 alias]# getcert list | grep 'pki-tomcat.*Server-Cert cert-pki-ca' -A10 -B3 Request ID '20181008203713': status: MONITORING stuck: no key pair storage:

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Christopher Young via FreeIPA-users
case, have a hunt for > > > > > > > > > > cn=268304422,ou=certificateRepository,ou=ca,o=ipaca > > > > > > > > > > If found, in the entry there should be an attribute: > > > > > > > > > > metaInfo: requestId: >

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Christopher Young via FreeIPA-users
n the entry there should be an attribute: > > > > > > > > metaInfo: requestId: > > > > > > > > for some value of . Now also look for the entry: > > > > > > > > cn=,ou=ca,ou=requests,o=ipaca > > > > >

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Christopher Young via FreeIPA-users
can manually > > > export/import them, and it might solve the issue. > > > > > > Otherwise, I recall a recent issue where the workaround was to make > > > the Certmonger renewal helper do a "new issuance" rather than a > > > "renewal"-based

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Christopher Young via FreeIPA-users
ke > > the Certmonger renewal helper do a "new issuance" rather than a > > "renewal"-based operation against the Dogtag CA. This could help in > > your situation too. I am not sure whether or where the steps were > > recorded so Rob, Florence - do you kno

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-05 Thread Christopher Young via FreeIPA-users
s possible I have gone down the garden path so it would > really help to see the relevant portion of the Dogtag debug log. > (Be aware Dogtag timestamps are in local time, when you are looking > for the relevant output). > > Cheers, > Fraser > > On Tue, Dec 04, 2018 at 09:47:11PM -05

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-04 Thread Christopher Young via FreeIPA-users
(which is sadly only a day away!). (Why, oh why, do we always 'find' these type of problems under a time crunch in this business?) :) On Tue, Dec 4, 2018 at 5:57 PM Rob Crittenden wrote: > > Christopher Young via FreeIPA-users wrote: > > Yeah. I definitely lost on this one a

[Freeipa-users] Re: Certificate Issue on IPA server

2018-12-04 Thread Christopher Young via FreeIPA-users
Yeah. I'm definitely lost on this one at this point. As far as I can tell, SOMEHOW I'm missing these certs in the directory? Does that sound right? How would one go about making sure this is corrected? I'm guessing I'd need to regenerate some type of certificate on the IPA host, but I'm afraid of

[Freeipa-users] Certificate Issue on IPA server

2018-12-04 Thread Christopher Young via FreeIPA-users
IPA 4.5.4 (has been upgraded for years just to understand that there is a history) This system (ipa01) is the renewal master (in case that matters) I'm getting the following error on 'getcert'. My gut tells me this is kinda a big deal. :) I really could use some help figuring this one out as

[Freeipa-users] Re: pki-tomcatd not starting / wrong internal password

2018-12-03 Thread Christopher Young via FreeIPA-users
Actually, I'm replying to my own post. I think I was using some incomplete options on the certutil command for listing the keys without realizing it. This might be similar to some other issues I've briefly skimmed from the past on this list. I'll post more when I spend more time reading if I'm