Bob Strachan via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
writes:
At some point and I believe it was when we got to Rhel8.6 we started
getting hc errors with this type of message:
"msg": "Certificate 'subsystemCert cert-pki-ca' does not match
the
value of kra.subsystem.cert in
/var/lib/pki/pki-tomcat/kra/conf/CS.cfg"
My analysis is documented here, more or less what you found:
https://pagure.io/freeipa/issue/9277
I've posted my take on an ansible script to fix my servers:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
HTH
Jochen
--
This space is intentionally left blank.