If you use third party certificates then you are responsible for
replacing them before expiration. They are not tracked by certmonger.

If you're lucky the certificate chain hasn't changed.

The Apache cert is easiest to replace. I'd recommend backing up the
existing private key and certificate, then putting the new ones in
/var/lib/ipa/certs/httpd.crt and /var/lib/ipa/private/httpd.key
respectively.

If you didn't generate a new private key then that can be skipped.

Restart Apache and see if that did the trick by running ipa ping.

If you generated a new private key then replacing the 389-ds cert is a
bit more complex. Let's assume you just got a new cert for now.

Stop 389-ds first.

# find the nickname 389-ds uses for its TLS certificate
grep nsSSLPersonalitySSL /etc/dirsrv/slapd-YOUR-REALM/dse.ldif

# export (back up) the current certificate, delete it, then add the new one
certutil -L -d /etc/dirsrv/slapd-YOUR-REALM -n <the value returned> -a > /path/to/save/me
certutil -D -d /etc/dirsrv/slapd-YOUR-REALM -n <the value returned>
certutil -A -d /etc/dirsrv/slapd-YOUR-REALM -n <the value returned> -t u,u,u -a -i /path/to/updated/certificate.pem

Restart 389-ds.

If you generated a new private key let us know and we'll let you know
what to do.

If the issuing chain changed that also complicates things.

rob

Z Altzibar via FreeIPA-users wrote:
> getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20241125032104':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=XXXX.XXX
>         subject: CN=IPA RA,O=XXXX.XXX
>         issued: 2023-09-06 15:45:03 CEST
>         expires: 2025-08-26 15:45:03 CEST
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         profile: caSubsystemCert
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20241125032105':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=XXXX.XXX
>         subject: CN=CA Audit,O=XXXX.XXX
>         issued: 2023-09-06 15:45:49 CEST
>         expires: 2025-08-26 15:45:49 CEST
>         key usage: digitalSignature,nonRepudiation
>         profile: caSignedLogCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20241125032106':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=XXXX.XXX
>         subject: CN=OCSP Subsystem,O=XXXX.XXX
>         issued: 2023-09-06 15:46:10 CEST
>         expires: 2025-08-26 15:46:10 CEST
>         eku: id-kp-OCSPSigning
>         profile: caOCSPCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20241125032107':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=XXXX.XXX
>         subject: CN=CA Subsystem,O=XXXX.XXX
>         issued: 2023-09-06 15:45:19 CEST
>         expires: 2025-08-26 15:45:19 CEST
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-clientAuth
>         profile: caSubsystemCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20241125032108':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=XXXX.XXX
>         subject: CN=Certificate Authority,O=XXXX.XXX
>         issued: 2021-10-13 16:22:25 CEST
>         expires: 2041-10-13 16:22:25 CEST
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         profile: caCACert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20241125032109':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=XXXX.XXX
>         subject: CN=ipaalmasec.XXXX.XXX,O=XXXX.XXX
>         issued: 2024-11-25 04:20:17 CET
>         expires: 2026-11-15 04:20:17 CET
>         dns: ipaalmasec.XXXX.XXX
>         key usage: digitalSignature,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         profile: caServerCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20250604072910':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key',perms=0600
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt',perms=0644
>         CA: SelfSign
>         issuer: CN=ipaalmasec.XXXX.XXX,O=XXXX.XXX
>         subject: CN=ipaalmasec.XXXX.XXX,O=XXXX.XXX
>         issued: 2025-06-04 09:29:10 CEST
>         expires: 2026-06-04 09:29:10 CEST
>         dns: ipaalmasec.XXXX.XXX
>         principal name: krbtgt/[email protected]
>         certificate template/profile: KDCs_PKINIT_Certs
>         profile: KDCs_PKINIT_Certs
>         pre-save command: 
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
> 
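
The 389-ds certificate swap that Rob's reply describes (export the current
cert as a backup, delete it, add the replacement with trust u,u,u), carried
through as a script. This is an added example, not code from the thread or
from FreeIPA. It reads the nickname from the instance's dse.ldif, defaults to
a dry run that only prints the certutil commands, and before touching the
database checks two things Rob calls out as complications: that the new cert
was issued for the key already in the NSS DB (a changed public key means the
"new private key" case) and whether the issuer changed. The backup location
under /root, the dirsrv@INSTANCE systemd unit name and the use of openssl for
the comparisons are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): replace the 389-ds TLS certificate in
# the instance NSS database, with backup, dry run and sanity checks.
# Assumed layout: /etc/dirsrv/slapd-<instance>/ holds the NSS DB and dse.ldif.

# Nickname 389-ds presents on TLS, from cn=RSA,cn=encryption,cn=config in dse.ldif.
nss_personality() {
    sed -n 's/^nsSSLPersonalitySSL: //p' "$1" | head -n 1
}

# The three certutil commands of the swap, one per line: export, delete, add.
# Printed for dry runs and executed line by line in live mode.
plan_nss_replace() {
    dbdir=$1 nick=$2 backup=$3 newcert=$4
    printf 'certutil -L -d %s -n "%s" -a > %s\n' "$dbdir" "$nick" "$backup"
    printf 'certutil -D -d %s -n "%s"\n' "$dbdir" "$nick"
    printf 'certutil -A -d %s -n "%s" -t u,u,u -a -i %s\n' "$dbdir" "$nick" "$newcert"
}

# Public key of a PEM certificate, so the old and new certs can be compared.
cert_pubkey() {
    openssl x509 -noout -pubkey -in "$1"
}

replace_dirsrv_cert() {
    inst=$1 newcert=$2
    dbdir=/etc/dirsrv/slapd-$inst
    nick=$(nss_personality "$dbdir/dse.ldif")
    if [ -z "$nick" ]; then
        echo "no nsSSLPersonalitySSL in $dbdir/dse.ldif" >&2
        return 1
    fi
    grep -q 'BEGIN CERTIFICATE' "$newcert" || { echo "$newcert is not a PEM certificate" >&2; return 1; }
    backup=/root/dirsrv-$inst-$(date +%Y%m%d%H%M%S).pem    # assumed backup location

    if [ "${DRY_RUN:-1}" = 1 ]; then
        plan_nss_replace "$dbdir" "$nick" "$backup" "$newcert"
        return 0
    fi

    systemctl stop "dirsrv@$inst"
    # Step 1: export the current certificate (this is the backup).
    if ! plan_nss_replace "$dbdir" "$nick" "$backup" "$newcert" | sed -n 1p | sh -e; then
        echo "export of $nick failed; leaving the database untouched" >&2
        systemctl start "dirsrv@$inst"; return 1
    fi
    # Same key pair? If not, this is the "generated a new private key" case,
    # which needs more than a certificate swap, so stop here.
    if [ "$(cert_pubkey "$backup")" != "$(cert_pubkey "$newcert")" ]; then
        echo "public key of $newcert differs from the key in $dbdir; not swapping" >&2
        systemctl start "dirsrv@$inst"; return 1
    fi
    # A changed issuer means the CA chain in the NSS DB needs attention as well.
    old_issuer=$(openssl x509 -noout -issuer -in "$backup")
    new_issuer=$(openssl x509 -noout -issuer -in "$newcert")
    [ "$old_issuer" = "$new_issuer" ] || echo "WARNING: issuer changed: $old_issuer -> $new_issuer" >&2
    # Steps 2 and 3: delete the old certificate, add the new one under the same nickname.
    if ! plan_nss_replace "$dbdir" "$nick" "$backup" "$newcert" | sed -n '2,3p' | sh -e; then
        echo "swap failed; old certificate is in $backup" >&2
        systemctl start "dirsrv@$inst"; return 1
    fi
    systemctl start "dirsrv@$inst"
}

# Usage: DRY_RUN=0 sh replace-dirsrv-cert.sh YOUR-REALM /path/to/updated/certificate.pem
if [ $# -eq 2 ]; then
    replace_dirsrv_cert "$1" "$2"
fi
```

Run it once without DRY_RUN=0 to see the exact certutil commands it would
execute for your instance; the public-key comparison is what tells you whether
the simple swap applies or whether you are in the new-key case.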

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue