Great, Rob

I've gotten nearly everything; just a couple of minor clarifications:

> You're running into issue https://pagure.io/freeipa/issue/8600 which was
> fixed in 4.9+ so you don't have it. You'll need to work around it in the
> ipa_cert_fix.py code.
>
>
Florence mentioned nsSSLPersonalitySSL: Server-Cert, which is present in
dse.ldif.

How should this be modified prior to adjusting ipa_cert_fix.py?

> > I've even exported "Server-Cert cert-pki-ca" off the /etc/pki/pki-tomcat
> > alias and imported into
> > /etc/httpd/alias using p12util
>
> I wouldn't recommend doing that. Two different certs for two different
> purposes. It probably retained the nickname, including cert-pki-ca.
>
>
Thanks, removed.


> You'll need to manually make a change in
> /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to not renew by
> serial.
>
> You'll find this section of code around line 200:
>
>     args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
>              "--cafile", paths.IPA_CA_CRT,
>              "--certfile", paths.RA_AGENT_PEM,
>              "--keyfile", paths.RA_AGENT_KEY] +
>             sys.argv[1:] +
>             ['--submit-option', "requestor_name=IPA"])
>
> add:
>     args += ['-N']
>
> I'd recommend making this change first, then modify ipa-cert-fix to not
> check for the Apache Server-Cert and that may do it.
>
>
Done. Should the certmonger service, or anything else, be restarted after this
change (to dogtag-ipa-ca-renew-agent-submit)?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
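Added example, not FreeIPA code and not from anyone in this thread: a small Python script that applies Rob's `args += ['-N']` edit to a copy of /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit idempotently (a second run changes nothing, and it refuses to guess if the block quoted above is not found), then evaluates only the patched args block with stub values to show what argv the helper would now hand to dogtag-ipa-renew-agent-submit. The helper text embedded in it is a constructed stand-in holding just the quoted block; the `paths` and `sys.argv` values are assumed stubs, not read from an IPA install.

```python
"""Apply the `args += ['-N']` workaround to dogtag-ipa-ca-renew-agent-submit.

Added example (not FreeIPA code). SAMPLE_HELPER is a constructed stand-in for
the real file, containing only the args block quoted in the thread; the
`paths`/`sys` values used in build_args_from() are stubs.
"""
import re
import textwrap
from pathlib import Path
from types import SimpleNamespace
from typing import List

MARKER = "args += ['-N']"
# Last line of the args block as quoted in the thread.
BLOCK_END = "['--submit-option', \"requestor_name=IPA\"])"

# Constructed stand-in for the relevant region of the helper (around line 200).
SAMPLE_HELPER = '''\
def request_and_retrieve_cert(**kwargs):
    args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
             "--cafile", paths.IPA_CA_CRT,
             "--certfile", paths.RA_AGENT_PEM,
             "--keyfile", paths.RA_AGENT_KEY] +
            sys.argv[1:] +
            ['--submit-option', "requestor_name=IPA"])
    result = call_handler(*args, **kwargs)
    return result
'''


def add_no_renew_flag(source: str) -> str:
    """Insert `args += ['-N']` directly after the args block, with the block's
    indentation. Idempotent: already-patched text is returned unchanged.
    Raises ValueError if the block is not laid out as in the quoted snippet."""
    if MARKER in source:
        return source
    lines = source.splitlines(keepends=True)
    indent = None
    for i, line in enumerate(lines):
        if re.match(r"\s*args = \(\[", line):
            indent = re.match(r"\s*", line).group(0)
        elif indent is not None and line.strip() == BLOCK_END:
            lines.insert(i + 1, f"{indent}{MARKER}\n")
            return "".join(lines)
    raise ValueError("args block not found; helper layout differs from the quoted snippet")


def patch_file(path: Path) -> bool:
    """Patch the helper in place; return True only if the file was modified."""
    original = path.read_text()
    patched = add_no_renew_flag(original)
    if patched == original:
        return False
    path.write_text(patched)
    return True


def build_args_from(source: str, certmonger_argv: List[str]) -> List[str]:
    """Execute just the args-building lines of a patched helper with stub
    `paths`/`sys` objects and return the resulting argv list."""
    if MARKER not in source:
        raise ValueError("source is not patched")
    lines = source.splitlines(keepends=True)
    start = next(i for i, l in enumerate(lines) if re.match(r"\s*args = \(\[", l))
    end = next(i for i, l in enumerate(lines) if l.strip() == MARKER)
    block = textwrap.dedent("".join(lines[start:end + 1]))
    ns = {
        "paths": SimpleNamespace(  # stub values, assumed for the example only
            DOGTAG_IPA_RENEW_AGENT_SUBMIT="/usr/libexec/certmonger/dogtag-ipa-renew-agent-submit",
            IPA_CA_CRT="/etc/ipa/ca.crt",
            RA_AGENT_PEM="/var/lib/ipa/ra-agent.pem",
            RA_AGENT_KEY="/var/lib/ipa/ra-agent.key",
        ),
        "sys": SimpleNamespace(argv=["dogtag-ipa-ca-renew-agent-submit"] + list(certmonger_argv)),
    }
    exec(block, ns)
    return ns["args"]


if __name__ == "__main__":
    patched = add_no_renew_flag(SAMPLE_HELPER)
    print(patched)
    print(build_args_from(patched, []))
```

To use it on a real server, call `patch_file(Path("/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit"))` after taking a backup; it returns False on a second run, so it is safe to re-run, and it raises rather than editing blindly if the block has moved.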