[Freeipa-users] Re: Help request on FreeIPA and Linux Certicate of Authority renewal.

Thu, 10 Mar 2022 06:47:36 -0800 

Good morning Florence,

You guessed right!

By changing some details in the root CA subject the command ipa-cacert-manage 
renew worked.
We now have a root CA valid until 2042 and a FreeIPA CA valid until 2027.



I'm now trying to manually renew my vm certificate with the command ipa-getcert 
resubmit -i REQUEST_ID found here:
    https://www.freeipa.org/page/Certmonger

I did add my root CA to the trusted certificates by moving it to 
/etc/pki/ca-trust/source/anchors/ and by executing update-ca-trust.

Note that getcert list give me CA_UNREACHABLE status and ca-error: Peer 
certificate cannot be authenticated with given CA certificates and those 
certificate are on the same vm where FreeIPA is installed.

Request ID '20170525181552':
        status: CA_UNREACHABLE
        ca-error: Server at https://freeipa.qc.lrtech.ca/ipa/xml failed 
request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, 
explaining:  Peer's Certificate has expired.).
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=QC.LRTECH.CA
        subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
        expires: 2022-03-03 20:49:21 UTC
        dns: freeipa.qc.lrtech.ca
        principal name: HTTP/[email protected]
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Any advice would be appreciated. After that I guess I just have to add my root 
CA to the trusted certificates of my other VMs and manually renew the 
certificates.

Eric
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to