Hi,

You need to call ipa-certupdate on all the IPA hosts (servers/clients), in order to import the new root CA to all the NSS databases used by the various IPA services, as well as /etc/ipa/ca.crt and a few other files.
flo

On Thu, Mar 10, 2022 at 3:49 PM Eric Boisvert via FreeIPA-users <[email protected]> wrote:
> Good morning Florence,
>
> You guessed right!
>
> By changing some details in the root CA subject the command ipa-cacert-manage renew worked.
> We now have a root CA valid until 2042 and a FreeIPA CA valid until 2027.
>
> I'm now trying to manually renew my VM certificate with the command ipa-getcert resubmit -i REQUEST_ID found here:
> https://www.freeipa.org/page/Certmonger
>
> I did add my root CA to the trusted certificates by moving it to /etc/pki/ca-trust/source/anchors/ and by executing update-ca-trust.
>
> Note that getcert list gives me CA_UNREACHABLE status and ca-error: Peer certificate cannot be authenticated with given CA certificates, and those certificates are on the same VM where FreeIPA is installed.
>
> Request ID '20170525181552':
>   status: CA_UNREACHABLE
>   ca-error: Server at https://freeipa.qc.lrtech.ca/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>   subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>   expires: 2022-03-03 20:49:21 UTC
>   dns: freeipa.qc.lrtech.ca
>   principal name: HTTP/[email protected]
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command:
>   post-save command:
>   track: yes
>   auto-renew: yes
>
> Any advice would be appreciated. After that I guess I just have to add my root CA to the trusted certificates of my other VMs and manually renew the certificates.
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
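As an added example for the advice in this thread (it is not part of the thread and not FreeIPA's own tooling): a POSIX shell script an administrator could run on each IPA host after the root CA renewal. It runs ipa-certupdate, shows the subject and expiry of the first certificate in /etc/ipa/ca.crt with openssl, and parses `getcert list` output to report every certmonger request that is not in MONITORING state, optionally retrying those with getcert resubmit. The parser assumes the block layout shown in the quoted getcert output (Request ID '...':, status:, expires:). The sample getcert output embedded in the script is constructed for offline use: the first request reuses the ID, status and expiry quoted in the thread with a placeholder hostname, the second request is invented.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: per-host check after
# an IPA root CA renewal. Assumes the `getcert list` block layout quoted in
# the thread (Request ID '...':, status:, expires:).

# Report certmonger requests that are not in MONITORING state.
# Reads `getcert list` output on stdin, prints "<id> <status> <expires>".
getcert_stuck() {
    awk '
        function flush() {
            if (id != "" && status != "MONITORING") print id, status, expires
        }
        /^Request ID/ {
            flush()
            split($0, a, "\047")      # \047 is the single quote around the id
            id = a[2]; status = ""; expires = ""
        }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ { expires = $2 " " $3 " " $4 }
        END { flush() }
    '
}

# Constructed sample of `getcert list` output for offline use: the first
# request mirrors the one quoted in the thread (placeholder hostname),
# the second is invented and healthy.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170525181552':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: no
    CA: IPA
    expires: 2022-03-03 20:49:21 UTC
    track: yes
    auto-renew: yes
Request ID '20220310120000':
    status: MONITORING
    stuck: no
    CA: IPA
    expires: 2024-03-10 12:00:00 UTC
    track: yes
    auto-renew: yes
EOF
}

# Print subject and expiry of the first certificate in the IPA CA bundle
# (openssl x509 reads only the first PEM block of a bundle).
ca_summary() {
    openssl x509 -in "${1:-/etc/ipa/ca.crt}" -noout -subject -enddate
}

# Steps from the thread: import the renewed CA, show what landed in
# /etc/ipa/ca.crt, then list requests certmonger could not renew and
# optionally resubmit them (pass "resubmit" as the first argument).
main() {
    ipa-certupdate
    ca_summary /etc/ipa/ca.crt
    getcert list | getcert_stuck | while read -r id status expires; do
        echo "request $id: $status (expires $expires)"
        if [ "${1:-}" = "resubmit" ]; then
            getcert resubmit -i "$id"
        fi
    done
}

# Only run the live steps when explicitly asked, so the functions can be
# sourced and exercised against the sample without touching the host.
if [ "${IPA_CA_CHECK_RUN:-0}" = "1" ]; then
    main "$@"
fi
```

Run it as `IPA_CA_CHECK_RUN=1 sh ipa-ca-check.sh` on each host after the CA renewal, and with the extra argument `resubmit` once /etc/ipa/ca.crt shows the new root CA; without the environment variable the script only defines its functions, so `sample_getcert_output | getcert_stuck` shows the filter working on the constructed data.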
