Hi,

First of all, sorry about my English. I'm not a native speaker of this language.

I'm having problems renewing the certificates for two servers we have with FreeIPA (master and replica). The previous certificates expired on 29 May 2025. We created new LE certificates, which gives the following set of files:

    cert.pem
    chain.pem
    fullchain.pem
    privkey.pem

Those certificates are apparently right (their expiry date is 01 September 2025).

But when I try to install them in the FreeIPA infrastructure, using these commands:

    ipa-cacert-manage install -t C,, /root/certs/xxxx.xxx/chain.pem
    ipa-certupdate
    ipa-server-certinstall -w -d /root/certs/xxxx.xxx/privkey.pem /root/certs/xxxx.xxx/fullchain.pem --pin='xxx' -p "xxx"

the ipa-certupdate command gives me an error:

    Connection to https://xxxxxxx.xxxx.xxx/ipa/json failed with [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has expired (_ssl.c:1133)

Also, I can see in ipactl status that pki-tomcatd is stopped (the pki logs give me an error of an expired cert):

    Directory Service: RUNNING
    krb5kdc Service: RUNNING
    kadmin Service: RUNNING
    named Service: RUNNING
    httpd Service: RUNNING
    ipa-custodia Service: RUNNING
    pki-tomcatd Service: STOPPED
    ipa-otpd Service: RUNNING
    ipa-dnskeysyncd Service: RUNNING
    1 service(s) are not running

And using certutil I can see:

    certutil -L -d /etc/dirsrv/slapd-XXXX-XXX/ -n "CN=xxxx.xxx"

    Validity:
        Not Before: Fri Feb 28 23:02:34 2025
        Not After : Thu May 29 23:02:33 2025

The basic infrastructure is on AlmaLinux 9:

    NAME="AlmaLinux"
    VERSION="9.5 (Teal Serval)"
    ID="almalinux"
    ID_LIKE="rhel centos fedora"
    VERSION_ID="9.5"
    PLATFORM_ID="platform:el9"
    PRETTY_NAME="AlmaLinux 9.5 (Teal Serval)"
    ANSI_COLOR="0;34"
    LOGO="fedora-logo-icon"
    CPE_NAME="cpe:/o:almalinux:almalinux:9::baseos"
    HOME_URL="https://almalinux.org/"
    DOCUMENTATION_URL="https://wiki.almalinux.org/"
    BUG_REPORT_URL="https://bugs.almalinux.org/"
    ALMALINUX_MANTISBT_PROJECT="AlmaLinux-9"
    ALMALINUX_MANTISBT_PROJECT_VERSION="9.5"
    REDHAT_SUPPORT_PRODUCT="AlmaLinux"
    REDHAT_SUPPORT_PRODUCT_VERSION="9.5"
    SUPPORT_END=2032-06-01

I tried several solutions found by googling (like setting the time to before the "original" certs expired) but nothing works.

I appreciate any support you can provide on this.
