On 27/04/2022 14:09, Sam Morris wrote:
> Hi folks. PKI-related commands have started to fail on my setup:
Oh, it turns out this is <https://bugzilla.redhat.com/show_bug.cgi?id=2006070> again, but this time manifesting slightly differently: secret="oldsecret" was replaced by requiredSecret="newsecret" in </etc/pki/pki-tomcat/server.xml>.
> 1. Are the expired certs in CS.cfg causing the problem?
No. According to <https://github.com/dogtagpki/pki/issues/2157> dogtag doesn't even use them, is that right? In which case should ipa-healthcheck stop warning about them?
> 2. Which bit of FreeIPA updates the certificate copies in CS.cfg?
I'm now pretty sure FreeIPA doesn't update CS.cfg except for the CA certificate. And on my CA renewal master, that wouldn't happen because subsystem.select is set to Clone. Should I change that?
--
Sam Morris <https://robots.org.uk/>
PGP: rsa4096/CAAA AA1A CA69 A83A 892B 1855 D20B 4202 5CDA 27B9
