So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA server:

    ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial': [Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).

Figured out that it uses the certs in /var/lib/pki-ca/alias. Per https://docs.fedoraproject.org/en%2dUS/Fedora/15/html/FreeIPA_Guide/certmonger%2dtracking%2dcerts.html I tried adding it to certmonger:

    # ipa-getcert start-tracking -I CAServerCert -d /var/lib/pki-ca/alias/ -n Server-Cert -r
    New tracking request "CAServerCert" added.

But ipa-getcert list now tells me:

    Request ID 'CAServerCert':
            status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
            stuck: yes
            key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
            certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
            CA: IPA
            issuer:
            subject:
            expires: unknown
            track: yes
            auto-renew: yes

Okie dokie... where might I be able to find the PIN for the cert? I see that the certs for httpd and slapd have a path to a pinfile, but I can't find anything like that for the CA cert.

I'm quite stuck. This expired cert, I'm pretty sure, is what is preventing me from using this machine to migrate to a new 3.0 machine (via replication). Any ideas how to get the CA cert renewed? I know how to generate a CSR and a cert, but I'm not sure 1) how I would add it into the cert DB, and 2) how I can add it without invalidating all my other certs.

Any help would be fantastic!

j

-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
[email protected] - Jabber: [email protected]
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
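The stuck request above is the kind of thing a small monitoring check should catch before a renewal deadline is missed. The following is an added example, not code from the original post or from FreeIPA: it parses `ipa-getcert list` output and flags requests that are stuck, whose NSS key storage has no pin/pinfile configured, or whose certificate is expiring. The sample output is constructed (the CAServerCert block is the one quoted in the mail; the 'httpd-example' request, its paths and dates are hypothetical).

```python
"""Parse `ipa-getcert list` output and flag tracking requests that need attention.
SAMPLE_OUTPUT is constructed: the first block mirrors the mail, the second is hypothetical."""
import re
from datetime import datetime

SAMPLE_OUTPUT = """\
Request ID 'CAServerCert':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
        expires: unknown
        auto-renew: yes
Request ID 'httpd-example':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
        expires: 2013-06-01 00:00:00 UTC
        auto-renew: yes
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `ipa-getcert list` text."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ':' in line:
            key, _, value = line.strip().partition(':')  # split on the first colon only
            current[key] = value.strip()
    return requests

def check_requests(requests, now, warn_days=30):
    """Return sorted (request_id, problem) pairs; `now` is a naive UTC datetime."""
    findings = []
    for rid, f in requests.items():
        if f.get('stuck') == 'yes' or f.get('status') != 'MONITORING':
            findings.append((rid, 'stuck:' + f.get('status', '')))
        storage = f.get('key pair storage', '')
        # certmonger cannot read a key out of an NSS DB without its PIN (pin= or pinfile=)
        if 'type=NSSDB' in storage and not re.search(r"(^|,)pin(file)?=", storage):
            findings.append((rid, 'no-pin'))
        expires = f.get('expires', 'unknown')
        if expires == 'unknown':
            findings.append((rid, 'expiry-unknown'))
        else:
            left = (datetime.strptime(expires[:19], '%Y-%m-%d %H:%M:%S') - now).days
            if left < warn_days:
                findings.append((rid, 'expires-in-%d-days' % left))
    return sorted(findings)
```

Run it against real output with `check_requests(parse_getcert_list(open('list.txt').read()), datetime.utcnow())`; an empty result means every tracked request is monitoring, has its PIN, and is not close to expiry.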
