> roy liang via FreeIPA-users wrote: > > Like I've said, there is no documentation for this, a system that is > unrenewable because of a missing library. > > I do have another suggestion on something to try. It's a bit half-baked > and who knows, you may have already tried it. > > I'd strongly urge trying this on a clone of your production CA. > > IIRC you can go back in time where all the certs are valid and the CA is > operational, right? If so, do that. If not you're still going to be > stuck and you can stop reading. > > Bring up a new server one running CentOS or RHEL, and set time back on > it as well. Preferably running 4.6.8 (RHEL 7). This is the closest to > your current version. > > Install it as a client with -N to skip syncing time, then run > ipa-replica-install -N for the same reason. If you get that far, try > running ipa-ca-install. This may well give you a working CA. At that > point you'd set it as a the CA renewal master, etc (see the RHEL docs) > and you'd be back in business. > > There would be more to do afterward but lets not get ahead of ourselves. > > rob
We have communicated with the operation and maintenance staff of the company and asked them to install libnsspem.so to test the FreeiPA renewal certificate. After I have done enough tests, I will deploy it online. It will be great if it is possible. Executing on the server /usr/lib/x86_64-linux-gnu/libnsspem.so ldconfig _______________________________________________ FreeIPA-users mailing list -- [email protected] To unsubscribe send an email to [email protected] Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/[email protected] Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
