I've got two ancient (3.1?) IPA servers that have been upgraded over time.  
Last January things got really goofy with certificates and I got it all sorted. 
 However, now I've got an old issue creeping back in.  The 'transportCert 
cert-pki-kra' is mismatched between the CS.cfg and the tracked certificate.  
This is a multi-master setup.  The signing master seems to be the one that's 
off.  It's tracking the updated original 'transportCert cert-pki-kra' 
certificate.  However, the "secondary" master is tracking a newly generated 
'transportCert cert-pki-kra', which is also what both CS.cfg's are referencing. 
 Neither one of the certificates is expired.  Everything else seems to be in 
working order.  Here is ipa-healthcheck's only relevant error:

    "source": "ipahealthcheck.dogtag.ca", 
    "kw": {
      "msg": "Certificate 'transportCert cert-pki-kra' does not match the value of ca.connector.KRA.transportCert in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg", 
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg", 
      "directive": "ca.connector.KRA.transportCert", 
      "key": "transportCert cert-pki-kra"
    }, 

So, what should I copy where to get this sorted?  It seems like the updated 
original 'transportCert cert-pki-kra' should be copied into the CS.cfg and then 
manually scp the NSS files from "primary" to "secondary"?  What commands would 
you use to do this?  I've got a lot of commands noted and am beginning to get 
confused as to which ones should be used to get this sorted.  Thanks.
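
The comparison behind that healthcheck message, as an added example that is not part of the original post and not ipa-healthcheck's own code: it decodes the value of ca.connector.KRA.transportCert and a PEM export of the tracked certificate and compares them byte for byte, so each replica can be checked the same way. It assumes the directive holds the certificate as base64 on one line; the function names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

DIRECTIVE = "ca.connector.KRA.transportCert"

def cs_cfg_directive(cfg_text, directive):
    """Return the value of a key=value line in CS.cfg text, or None."""
    for line in cfg_text.splitlines():
        # Split on the first '=' only: base64 values may end in '=' padding.
        key, sep, value = line.partition("=")
        if sep and key.strip() == directive:
            return value.strip()
    return None

def to_der(blob):
    """Decode PEM or bare base64, whatever its line wrapping, to DER bytes."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", blob)
    return base64.b64decode("".join(body.split()), validate=True)

def pem(der):
    """Wrap DER bytes as a PEM block (used here to build the sample input)."""
    return ("-----BEGIN CERTIFICATE-----\n" + base64.encodebytes(der).decode()
            + "-----END CERTIFICATE-----\n")

def compare(cfg_text, tracked_pem, directive=DIRECTIVE):
    """Compare the directive's certificate with the tracked one, byte for byte."""
    value = cs_cfg_directive(cfg_text, directive)
    if value is None:
        return {"status": "missing"}
    cfg_der, nss_der = to_der(value), to_der(tracked_pem)
    return {
        "status": "match" if cfg_der == nss_der else "mismatch",
        "cs_cfg_sha256": hashlib.sha256(cfg_der).hexdigest(),
        "tracked_sha256": hashlib.sha256(nss_der).hexdigest(),
    }

# Constructed placeholder bytes standing in for two DER certificates.
OLD_DER = b"constructed placeholder: renewed original transport cert"
NEW_DER = b"constructed placeholder: newly generated transport cert"
NEW_B64 = base64.b64encode(NEW_DER).decode()
# Constructed CS.cfg fragment; only the transportCert line matters here.
SAMPLE_CFG = "ca.connector.KRA.enable=true\n" + DIRECTIVE + "=" + NEW_B64 + "\n"

if __name__ == "__main__":
    for name, der in (("primary", OLD_DER), ("secondary", NEW_DER)):
        print(name, compare(SAMPLE_CFG, pem(der)))
```

The two SHA-256 values in the result show which certificate each side holds, which is the information needed before deciding what to copy where.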