On 2/16/22 22:29, Rob Crittenden wrote:
Summarizing.

If you have the original certs I'd definitely try restoring those.
You'll need to go back in time a few days in order to restart the CA.

Once the CA comes back up I'd suggest using the -N option to be sure the
subject is ok and renew the certs manually one at a time.

IPA loads profiles from LDAP which is why the on-disk doesn't seem to
match up.


Yup. I am just finishing the whole process and it is a real pain. I imported my previous ocspSigningCert into NSS DB, FreeIPA was alive again and started some actions, e.g.: CS.cfg was updated with the new auditSigningCert but it was not saved into NSS DB, so I had to fix this manually; subsystemCert was updated in NSS DB, but it was not propagated into pkidbuser's seeAlso in LDAP, so tomcat was dead again (it could not connect to LDAP due to bad auth), etc.

I guess the solution for a production system would be:

1. set auto-renew 'no' for auditSigningCert, ocspSigningCert, subsystemCert, (and maybe) Server-Cert

2. backup NSS DB, and renew the certificates manually

ad 1) getcert start-tracking -i <request-id> --no-renew

ad 2) getcert resubmit -i <request-id> -N <correct-subject-name> -v

It will save you a lot of time.

Cheers,
LG
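As an added example (not code from the thread, and not FreeIPA's or certmonger's own tooling), the script below turns LG's two steps into a reviewable plan: it parses `getcert list` output, keeps only the requests whose certificate lives in the Dogtag NSS DB, and prints the `getcert` commands in LG's order (all `--no-renew` first, then the backup, then one `resubmit` per certificate with `-N` pinned to the subject the tracked certificate currently carries). It assumes the NSS DB at `/etc/pki/pki-tomcat/alias`, embeds a constructed `getcert list` sample so it runs offline, and uses the flags as LG wrote them. It prints rather than executes on purpose: the subject it proposes is the one on the certificate currently in the DB, which is only the correct name if the original certs were restored first, so check the plan before running any line of it.

```shell
#!/bin/sh
# Added example, not code from the thread: build a reviewable command list for
# LG's manual-renewal procedure from `getcert list` output. Nothing here runs
# getcert; the plan is printed for a human to check first.

NSSDB=/etc/pki/pki-tomcat/alias        # assumed Dogtag NSS DB location
WANTED="auditSigningCert ocspSigningCert subsystemCert Server-Cert"
TAB=$(printf '\t')

# Constructed sample of `getcert list` output, trimmed to the fields used
# below. The last entry is the 389-ds Server-Cert: same nickname prefix,
# different NSS DB, and it must not end up in the plan.
sample_getcert_list() {
cat <<'EOF'
Request ID '20220210120001':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Audit,O=EXAMPLE.TEST
Request ID '20220210120002':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
Request ID '20220210120003':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=CA Subsystem,O=EXAMPLE.TEST
Request ID '20220210120004':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
Request ID '20220210120005':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
EOF
}

# Read `getcert list` output on stdin; print "id<TAB>nickname<TAB>subject"
# for every request whose certificate is stored in $NSSDB.
requests_in_nssdb() {
    awk -v db="$NSSDB" -v q="'" '
        /^Request ID/ { gsub(/[^0-9]/, ""); id = $0; nick = ""; next }
        /^[ \t]*certificate:/ {
            if (index($0, "location=" q db q) == 0) next
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
            next
        }
        /^[ \t]*subject:/ && nick != "" {
            sub(/^[ \t]*subject:[ \t]*/, "")
            print id "\t" nick "\t" $0
        }'
}

# LG's step 2, first half: back up the NSS DB directory as a timestamped
# tarball under $2 (default /root) before anything is renewed. Prints the
# archive path so the caller can record it.
backup_nssdb() {
    dir=$1; dest=${2:-/root}
    out="$dest/$(basename "$dir")-$(date +%Y%m%d%H%M%S).tar"
    tar -cf "$out" -C "$(dirname "$dir")" "$(basename "$dir")" || return 1
    printf '%s\n' "$out"
}

# Print the plan for the nicknames in $WANTED, reading `getcert list` on stdin:
# every --no-renew first (so nothing renews behind your back), the backup,
# then the resubmits with -N pinned to the subject each cert carries now.
plan_manual_renewal() {
    table=$(requests_in_nssdb)
    printf '%s\n' "$table" | while IFS=$TAB read -r id nick subj; do
        case " $WANTED " in
            *" ${nick%% *} "*) printf 'getcert start-tracking -i %s --no-renew\n' "$id" ;;
        esac
    done
    printf 'backup_nssdb %s\n' "$NSSDB"
    printf '%s\n' "$table" | while IFS=$TAB read -r id nick subj; do
        case " $WANTED " in
            *" ${nick%% *} "*) printf 'getcert resubmit -i %s -N "%s" -v\n' "$id" "$subj" ;;
        esac
    done
}

# Stand-alone run over the constructed sample. On a real host you would
# instead pipe: getcert list | plan_manual_renewal
sample_getcert_list | plan_manual_renewal
```

The plan is filtered by the `location=` of the tracked certificate, not just by nickname, because `Server-Cert` also exists in the 389-ds and httpd NSS DBs and only the Dogtag copies are part of this procedure.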
