On 2/8/21 2:56 PM, Manuel Gujo via FreeIPA-users wrote:
Hi,
I re-synced the date to today and ran ipa-cert-fix, but it returns an error:
[root@ipa1 ~]# ipa-cert-fix
WARNING
ipa-cert-fix is intended for recovery when expired certificates prevent the normal operation of IPA. It should ONLY be used in such scenarios, and backup of the system, especially certificates and keys, is STRONGLY RECOMMENDED.
The following certificates will be renewed:
Dogtag sslserver certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 17 Expires: 2020-12-08 09:35:05
Dogtag subsystem certificate: Subject: CN=CA Subsystem,O=ITEC.LAB Serial: 19 Expires: 2020-12-08 09:37:36
Dogtag ca_ocsp_signing certificate: Subject: CN=OCSP Subsystem,O=ITEC.LAB Serial: 21 Expires: 2020-12-08 09:38:07
Dogtag ca_audit_signing certificate: Subject: CN=CA Audit,O=ITEC.LAB Serial: 18 Expires: 2020-12-08 09:35:14
IPA IPA RA certificate: Subject: CN=IPA RA,O=ITEC.LAB Serial: 20 Expires: 2020-12-08 09:37:47
IPA Apache HTTPS certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 24 Expires: 2020-12-30 09:35:04
IPA LDAP certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 25 Expires: 2020-12-30 09:35:16
IPA KDC certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 1 Expires: 2020-12-31 20:19:55
Enter "yes" to proceed: yes
Proceeding.
[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/sslserver.crt'
The ipa-cert-fix command failed.
Hi, which version of pki-server is installed? You may be hitting https://bugzilla.redhat.com/show_bug.cgi?id=1897120
Looks like you will need to manually fix the renewal issue by following the good old method of changing the date, etc. The first expiration date is 2020-12-08, so the system date needs to be moved before that date. Please try and let me know if there are issues.
flo
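
As an added illustration (not part of the original thread and not FreeIPA code): a small Python script that parses the certificate lines from the ipa-cert-fix output quoted above and reports which certificate expires first and which are already expired at a candidate system date. The function names are hypothetical, and the timestamps are taken as printed, with no timezone applied.

```python
import re
from datetime import datetime

# Certificate lines copied from the ipa-cert-fix output quoted in this thread.
CERT_FIX_OUTPUT = """\
Dogtag sslserver certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 17 Expires: 2020-12-08 09:35:05
Dogtag subsystem certificate: Subject: CN=CA Subsystem,O=ITEC.LAB Serial: 19 Expires: 2020-12-08 09:37:36
Dogtag ca_ocsp_signing certificate: Subject: CN=OCSP Subsystem,O=ITEC.LAB Serial: 21 Expires: 2020-12-08 09:38:07
Dogtag ca_audit_signing certificate: Subject: CN=CA Audit,O=ITEC.LAB Serial: 18 Expires: 2020-12-08 09:35:14
IPA IPA RA certificate: Subject: CN=IPA RA,O=ITEC.LAB Serial: 20 Expires: 2020-12-08 09:37:47
IPA Apache HTTPS certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 24 Expires: 2020-12-30 09:35:04
IPA LDAP certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 25 Expires: 2020-12-30 09:35:16
IPA KDC certificate: Subject: CN=ipa1.itec.lab,O=ITEC.LAB Serial: 1 Expires: 2020-12-31 20:19:55
"""

LINE_RE = re.compile(
    r"^(?P<name>.+?) certificate: Subject: (?P<subject>.+?) "
    r"Serial: (?P<serial>\d+) Expires: (?P<expires>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)$"
)

def parse_cert_lines(text):
    """Return one dict per certificate line; non-matching lines are skipped."""
    certs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            cert = m.groupdict()
            cert["serial"] = int(cert["serial"])
            # Assumption: timestamps are kept naive, exactly as the tool printed them.
            cert["expires"] = datetime.strptime(cert["expires"], "%Y-%m-%d %H:%M:%S")
            certs.append(cert)
    return certs

def first_expiry(certs):
    """The certificate that expires first; the clock must be set before it."""
    return min(certs, key=lambda c: c["expires"])

def expired_at(certs, when):
    """Names of certificates already expired at the given system time."""
    return [c["name"] for c in certs if c["expires"] <= when]

if __name__ == "__main__":
    certs = parse_cert_lines(CERT_FIX_OUTPUT)
    first = first_expiry(certs)
    print(f"{len(certs)} certificates; first to expire: {first['name']} at {first['expires']}")
    for candidate in (datetime(2021, 2, 8), datetime(2020, 12, 7)):
        print(candidate.date(), "expired:", expired_at(certs, candidate) or "none")
```

The output lists only expiry dates, so the check covers the upper bound on the system date only; each certificate's start of validity is not shown on this page and is not checked.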