Hello everyone,

I'm running FreeIPA 4.4 (as shipped with current CentOS 7). I had a series of
unfortunate events which resulted in the entire cluster being offline for a
couple of weeks, during which the certificate in /etc/httpd/alias expired. I
rolled back the clocks on all of the servers in the cluster and started them
successfully; however, the certificates in /etc/httpd/alias did not get renewed.
Is there a process that automatically handles this, or was I supposed to be
maintaining that?

Additionally, based on:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal
...I ran "ipa-cacert-manage renew" on my CA in the hope that it would trigger
renewals across the board, but now it appears that only the CA was updated, as
none of the server certificates were re-issued and they are now all untrusted (I
can't do "kinit admin" any longer as my realm is now down). Is there any chance
of rolling that back or issuing new certs to get things going again?

If I have to start over, that is certainly an option. I'm just trying to get a
better understanding of what I should have been doing to avoid this situation in
the first place.

Thanks,
j