Hi Rob

thank you for your answer

Why are you running this command? Did you change the CA at the same
time? If not then ipa-server-certinstall is what you want.

yes, now it's Comodo

I've tried ipa-server-certinstall too but I get "The full certificate chain is not present in ../path/my.key, ../path/my.cer The ipa-server-certinstall command failed."

Should I try to create a chain certificate/root_ca? Is there a particular order, e.g. root/other_ca/cert or cert/root/other_ca?

Is there a way to bypass this?

Go back in time as you tried.

I've tried to set a date on the server earlier than the expiry date of the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).

I guess make sure that your time daemon, if any, is stopped.

perhaps I'll try again stopping ntpd

thank you
regards
Stefano


On 2022-07-28 21:28 Rob Crittenden wrote:
stefano.antonelli@cnaf via FreeIPA-users wrote:
Dear All

we have a three-node FreeIPA 4.6.8 installation with a third-party
certificate (https / dirsrv). This certificate has expired and when I
try to follow the

ipa-cacert-manage install ...
ipa-certupdate

I get the error: "cannot connect to
https://ipaserver/ipa/json : [SSL: CERTIFICATE_VERIFY_FAILED]
certificate verify failed (_ssl.c:618)"

Why are you running this command? Did you change the CA at the same
time? If not then ipa-server-certinstall is what you want.

I suppose that this is due to the fact that https connection is blocked
for expired certificate which I can't renew.

Yep.


Is there a way to bypass this?

Go back in time as you tried.

I've tried to set a date on the server earlier than the expiry date of the cert, but I get an SASL/GSSAPI error (even if I renew the admin ticket).

I guess make sure that your time daemon, if any, is stopped.

I was thinking to regenerate /etc/httpd/alias/cert8.db,key3.db with new
cert/key but I don't know how

Theoretically possible but ipa-server-certinstall should handle it for
you. Manual is prone to error.

rob