On 2/8/21 2:56 PM, Manuel Gujo via FreeIPA-users wrote:
Hi,
I re-synced the date to today and ran ipa-cert-fix, but it returns an error:
[root@ipa1 ~]# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate:
Subject: CN=ipa1.itec.lab,O=ITEC.LAB
Serial: 17
Expires: 2020-12-08 09:35:05
Dogtag subsystem certificate:
Subject: CN=CA Subsystem,O=ITEC.LAB
Serial: 19
Expires: 2020-12-08 09:37:36
Dogtag ca_ocsp_signing certificate:
Subject: CN=OCSP Subsystem,O=ITEC.LAB
Serial: 21
Expires: 2020-12-08 09:38:07
Dogtag ca_audit_signing certificate:
Subject: CN=CA Audit,O=ITEC.LAB
Serial: 18
Expires: 2020-12-08 09:35:14
IPA IPA RA certificate:
Subject: CN=IPA RA,O=ITEC.LAB
Serial: 20
Expires: 2020-12-08 09:37:47
IPA Apache HTTPS certificate:
Subject: CN=ipa1.itec.lab,O=ITEC.LAB
Serial: 24
Expires: 2020-12-30 09:35:04
IPA LDAP certificate:
Subject: CN=ipa1.itec.lab,O=ITEC.LAB
Serial: 25
Expires: 2020-12-30 09:35:16
IPA KDC certificate:
Subject: CN=ipa1.itec.lab,O=ITEC.LAB
Serial: 1
Expires: 2020-12-31 20:19:55
Enter "yes" to proceed: yes
Proceeding.
[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/sslserver.crt'
The ipa-cert-fix command failed.
Hi,
which version of pki-server is installed? You may be hitting
https://bugzilla.redhat.com/show_bug.cgi?id=1897120
Looks like you will need to manually fix the renewal issue by following
the good old method of changing the date etc...
The first expiration date is 2020-12-08, the system date needs to be
moved before that date. Please try and let me know if there are issues.
flo
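
An added example, not part of the original messages and not FreeIPA code: it parses a listing in the format ipa-cert-fix printed above, finds the certificate that expires first, and reports which certificates would already be expired at a candidate system time. The function names are hypothetical, the sample is abridged from the quoted output, and timestamps are compared as naive values because the listing carries no time zone.

```python
import re
from datetime import datetime

# Abridged from the ipa-cert-fix listing quoted in the message above.
SAMPLE = """\
Dogtag sslserver certificate:
Subject: CN=ipa1.itec.lab,O=ITEC.LAB
Serial: 17
Expires: 2020-12-08 09:35:05
Dogtag subsystem certificate:
Subject: CN=CA Subsystem,O=ITEC.LAB
Serial: 19
Expires: 2020-12-08 09:37:36
IPA Apache HTTPS certificate:
Subject: CN=ipa1.itec.lab,O=ITEC.LAB
Serial: 24
Expires: 2020-12-30 09:35:04
"""

HEADER = re.compile(r"^(?P<name>.+) certificate:$")
FIELD = re.compile(r"^(?P<key>Subject|Serial|Expires):\s*(?P<value>.+)$")

def parse_listing(text):
    """Return one dict per certificate block in the listing."""
    certs = []
    for line in text.splitlines():
        line = line.strip()
        if m := HEADER.match(line):
            certs.append({"name": m["name"]})
        elif (m := FIELD.match(line)) and certs:
            value = m["value"]
            if m["key"] == "Expires":
                value = datetime.strptime(value, "%Y-%m-%d %H:%M:%S")
            certs[-1][m["key"].lower()] = value
    # Drop blocks without a parsed expiry (truncated or unexpected output).
    return [c for c in certs if "expires" in c]

def first_expiry(certs):
    """The certificate that expires first bounds the date to move back to."""
    return min(certs, key=lambda c: c["expires"])

def expired_at(certs, when):
    """Names of certificates already expired at the candidate system time."""
    return [c["name"] for c in certs if c["expires"] <= when]

if __name__ == "__main__":
    certs = parse_listing(SAMPLE)
    first = first_expiry(certs)
    print(f"first expiry: {first['expires']} ({first['name']}, serial {first['serial']})")
    print("expired on 2020-12-20:", expired_at(certs, datetime(2020, 12, 20)))
```

A candidate date is usable for the rollback only when expired_at() returns an empty list for it.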