Sam Morris via FreeIPA-users wrote:
> On 27/04/2022 14:09, Sam Morris wrote:
>> Hi folks. PKI-related commands have started to fail on my setup:
>
> Oh, it turns out this is
> <https://bugzilla.redhat.com/show_bug.cgi?id=2006070> again, but this
> time manifesting slightly differently: secret="oldsecret" was replaced
> by requiredSecret="newsecret" in </etc/pki/pki-tomcat/server.xml>.

It depends on the version of tomcat you have installed.

>> 1. Are the expired certs in CS.cfg causing the problem?
>
> No. According to <https://github.com/dogtagpki/pki/issues/2157> dogtag
> doesn't even use them, is that right? In which case should
> ipa-healthcheck stop warning about them?

I don't believe they have dropped using the CS.cfg values. The issue is incorrect as IPA does update these values, because it has to in order for the CA to work.

>> 2. Which bit of FreeIPA updates the certificate copies in CS.cfg?
>
> I'm now pretty sure FreeIPA doesn't update CS.cfg except for the CA
> certificate. And on my CA renewal master, that wouldn't happen because
> subsystem.select is set to Clone. Should I change that?
>

It shouldn't be necessary. IPA doesn't examine this value. And IPA does update CS.cfg for all tracked CA subsystem certificates.

rob
