Hello,
Thank you Rob and Florence for your help
It looks difficult to switch to internal CA, hopefully with
some help it seems easier to set up another external CA
Regards,
Frederic
Frédéric AYRAULT
Systems and Network Administrator
Laboratoire d'Informatique de l'Ecole polytechnique
<http://www.lix.polytechnique.fr>
[email protected]
On 23/10/2023 at 15:37, Rob Crittenden wrote:
Frederic Ayrault wrote:
Hello,
On 18/10/2023 at 19:43, Rob Crittenden via FreeIPA-users wrote:
# getcert request -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt -D <IPA FQDN> -K HTTP/<IPA FQDN> -C /usr/libexec/ipa/certmonger/restart_httpd -v -w
This command does not work
New signing request "20231020100840" added.
State NEWLY_ADDED_READING_KEYINFO, stuck: no.
State GENERATING_KEY_PAIR, stuck: no.
State GENERATING_CSR, stuck: no.
State NEED_CA, stuck: yes.
If I understand correctly, this is because the pki-tomcatd service is stopped
If the CA isn't running then there is no way to replace the certs.
When I do an ipactl restart, I get a lot of errors
SEVERE: Servlet.service() for servlet [caGetStatus] in context with path [/ca] threw exception
java.io.IOException: CS server is not ready to serve.
On startup ipactl checks the CA status to see what is going on and times
out after IIRC 300 seconds.
You'll need to dig into the PKI logs to see why it isn't starting.
rob
Thank you
Regards,
Frederic