Hello!
We are running VERSION: 4.11.1, API_VERSION: 2.253 - We had an issue where our
multidomain cert (sectigo/comodo) did not renew. It expired 1/19/2025, the new
one wasn't issued until 1/26/2025.
If I disable ntp and set the system time to before the old cert expired, I
regain access to commands like ipa user-show etc. I can kinit as users, and if
I ignore the bad cert in the web browser I can log in to the WebUI.
I was able to successfully run
sudo ipa-server-certinstall -d {key} {cert}
Which I guess worked because the directory manager certs weren't due to expire
until 2026? But I cannot run
sudo ipa-server-certinstall -w {key} {cert}
This fails because the new cert is 'not valid before' the fake time. But if I
set it back to the proper time it fails because the old cert has expired.
And I'm not certain that I'm linking the correct cert file in trying the -k
option.
I'd seen forums mention --force as an option for ipa-server-certinstall, but it
does not appear to be an available option. Is that because our version is
older? Is there any way to emulate this option? I feel like there must be
some way to tell ipa that we don't care that the old cert is expired (or just
delete it), but I can't see any way to do so.
Not sure if related, but our ipactl status shows that all services except
pki-tomcatd are running.
Any suggestions would be amazing!
Thank you!
Jesse
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
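The situation in the post above, an old cert that expired on 1/19/2025 and a replacement not valid before 1/26/2025, means there is no clock setting at which both certificates are inside their validity windows. The following is an added example (not from the post, not FreeIPA code) that works out that rollover gap and a days-left figure from the notBefore/notAfter strings printed by "openssl x509 -noout -dates", using only the Python standard library; the dates below are constructed to match the post.

```python
"""Check certificate validity windows from openssl-style date strings.

Dates use the format printed by ``openssl x509 -noout -dates`` and returned
by ``ssl.getpeercert()``, e.g. "Jan 19 00:00:00 2025 GMT".
"""
import ssl
from datetime import datetime, timezone


def utc_day(year: int, month: int, day: int) -> datetime:
    """Midnight UTC on the given date (helper for clock values)."""
    return datetime(year, month, day, tzinfo=timezone.utc)


def parse_validity(not_before: str, not_after: str):
    """Return (notBefore, notAfter) as timezone-aware UTC datetimes."""
    def to_dt(text: str) -> datetime:
        return datetime.fromtimestamp(ssl.cert_time_to_seconds(text), timezone.utc)
    return to_dt(not_before), to_dt(not_after)


def valid_at(validity, when: datetime) -> bool:
    """True if the clock value 'when' lies inside the certificate's window."""
    not_before, not_after = validity
    return not_before <= when <= not_after


def days_left(validity, now: datetime) -> int:
    """Whole days until notAfter; negative once expired. Suitable for alerting."""
    return (validity[1] - now).days


def rollover_window(old, new):
    """Interval during which BOTH certificates are valid, or None if none exists.

    None means no system-clock setting satisfies old and new at the same time,
    which is exactly the bind the -w install above ran into.
    """
    start = max(old[0], new[0])
    end = min(old[1], new[1])
    return (start, end) if start <= end else None


def gap_days(old, new) -> int:
    """Days between the old cert expiring and the new one becoming valid (0 if they overlap)."""
    return 0 if rollover_window(old, new) else (new[0] - old[1]).days


# Constructed sample values mirroring the dates in the post (not real certificates).
OLD = parse_validity("Jan 19 00:00:00 2024 GMT", "Jan 19 00:00:00 2025 GMT")
NEW = parse_validity("Jan 26 00:00:00 2025 GMT", "Jan 26 00:00:00 2026 GMT")

if __name__ == "__main__":
    now = utc_day(2025, 1, 22)  # clock value between the two windows
    for name, cert in (("old", OLD), ("new", NEW)):
        print(name, "valid now:", valid_at(cert, now), "days left:", days_left(cert, now))
    print("overlap:", rollover_window(OLD, NEW), "gap days:", gap_days(OLD, NEW))
```

Running days_left against the live cert on a schedule, with an alert well before it reaches zero, is the check that would have surfaced this renewal failure before the gap opened.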