Hi,


To recover from this situation you should reinstall the old CA
certificate via ipa-cacert-manage.  If you can't find a copy of that
lying around you should (for a self-signed IPA CA) be able to
retrieve it from LDAP under ou=certificateRepository,ou=ca,o=ipaca.
(Probably cn=1,ou=certificateRepository,ou=ca,o=ipaca but you should
check the subject and validity before installing it to make sure the
particulars are correct).  The attribute you want is
'userCertificate;binary'.


Actually after ipa-cacert-manage, I used a backup to roll back the changes, so I do think that my CA has not actually been changed.
I was just surprised not to be able to restart the httpd service, but it was due to the expired SSL certificate.

Thanks a lot.
Karl


 
HTH,
Fraser
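
The retrieval and the subject/validity check described above, as an added example that is not part of the original thread. It assumes OpenLDAP's ldapsearch and the openssl CLI are available; the "cn=Directory Manager" bind DN, the expected subject string and the old-ca.pem file name are placeholders to adjust for your deployment.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Assumes OpenLDAP ldapsearch and the
# openssl CLI; the bind DN and expected subject are placeholders.

# Fetch the candidate entry as unwrapped LDIF (run on the IPA server).
fetch_ca_entry() {
  ldapsearch -x -D "cn=Directory Manager" -W -o ldif-wrap=no -s base \
    -b "cn=1,ou=certificateRepository,ou=ca,o=ipaca" 'userCertificate;binary'
}

# Read LDIF on stdin and write the first certificate value as PEM to $1.
ldif_to_pem() {
  local b64
  b64=$(sed -n 's/^userCertificate;binary:: //p' | head -n 1)
  [ -n "$b64" ] || { echo "no userCertificate;binary value in input" >&2; return 2; }
  printf '%s\n' "$b64" | openssl base64 -d -A | openssl x509 -inform DER -out "$1"
}

# Print the particulars of the PEM in $1, then succeed only if its subject
# contains $2, it is self-signed (issuer equals subject) and it has not expired.
check_ca_cert() {
  local subj issuer
  subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253) || return 2
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253) || return 2
  openssl x509 -in "$1" -noout -subject -serial -dates
  case "$subj" in
    *"$2"*) ;;
    *) echo "subject does not match '$2'" >&2; return 1 ;;
  esac
  [ "${subj#subject=}" = "${issuer#issuer=}" ] || { echo "not self-signed" >&2; return 1; }
  openssl x509 -in "$1" -noout -checkend 0 >/dev/null || { echo "certificate has expired" >&2; return 1; }
}

# Usage on the server (not run here):
#   fetch_ca_entry | ldif_to_pem old-ca.pem &&
#     check_ca_cert old-ca.pem "CN=Certificate Authority" &&
#     ipa-cacert-manage install old-ca.pem
```

If cn=1 does not hold the CA certificate, point the -b base at the entry that does and re-run the check before installing anything.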

> From your description it sounded like you just wanted the CA to issue a new
> certificate for your IPA UI, this you can do via the interface.
>
> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Linux_Domain_Identity_Authentication_and_Policy_Guide/certificates.html#certificate-request-ui
>
>
>
> On Wed, Jul 12, 2017 at 10:22 AM None via FreeIPA-users <
> freeipa-users@lists.fedorahosted.org> wrote:
>
> > The problem is that the SSL certificate was not renewed by  the
> > "ipa-cacert-manage renew" command.
> > So the http server refuses to start.
> > Hence my question: what is the correct way to renew the SSL certificate ??
> >
> > Thanks.
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
> >
> --
> Callum Guy
> Head of Information Security
> X-on
>