[Freeipa-users] Certificates not renewed
Rob Crittenden
rcritten at redhat.com
Mon Nov 25 18:21:51 UTC 2013
Thomas Sailer wrote:
> I have a few certificates that fail to be updated, for example the ldap
> and http certificates. If I read the error message from getcert list
> (see below) correctly, then the contents of the pinfiles are incorrect.
> How do I fix this?
>
> Thanks,
> Tom
>
Does this work?
# ipa cert-show 1
I'm guessing it doesn't.
The nickname ipaCert in /etc/httpd/alias is the RA agent cert used to
authenticate to dogtag when doing certificate operations. I suspect that
its value hasn't been updated in the dogtag LDAP database.
A quick way to tell is:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep -i serial
# ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description
This is assuming you've got a 2-instance installation where there is a
separate 389-ds instance for IPA and the CA. If you have a newer install
then the port isn't necessary.
If the serial number from certutil doesn't match the second
colon-separated value then that explains it.
You can see how to update this value at
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
rob
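The comparison Rob describes (the serial number certutil reports for the ipaCert nickname against the second field of the RA agent's description attribute in the CA's LDAP) can be scripted so the check is repeatable. The POSIX shell below is an added example, not code from the thread or from the FreeIPA project. Both inputs are constructed sample outputs so it runs offline; the description value is assumed to follow the FreeIPA RA-agent layout of `2;<serial>;<issuer DN>;<subject DN>`, and the splitter accepts either `;` or `:` as the field separator so it also matches the "colon-separated" wording in the post.

```shell
# Constructed sample output of: certutil -L -d /etc/httpd/alias -n ipaCert
CERTUTIL_SAMPLE='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption'

# Constructed sample output of the ldapsearch for uid=ipara, in the healthy case:
# the second field of description equals the serial held in the NSS database.
LDAP_SAMPLE_MATCH='dn: uid=ipara,ou=People,o=ipaca
description: 2;7;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM'

# Constructed stale entry: the NSS cert was renewed (serial 7) but the CA's
# LDAP still records the previous serial (4), which is the failure in the post.
LDAP_SAMPLE_STALE='dn: uid=ipara,ou=People,o=ipaca
description: 2;4;CN=Certificate Authority,O=EXAMPLE.COM;CN=IPA RA,O=EXAMPLE.COM'

# Read certutil output on stdin and print the decimal serial from the
# "Serial Number: N (0xN)" line. Caveat: for large serials certutil prints a
# hex byte string on the following line instead; this then prints nothing and
# the check below reports a mismatch, which is the safe outcome.
serial_from_certutil() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Read ldapsearch output on stdin and print the second field of the first
# description attribute, splitting on ';' or ':' (separator is an assumption).
serial_from_ldap() {
    sed -n 's/^description:[[:space:]]*//p' | head -n 1 | awk -F'[;:]' '{print $2}'
}

# check_ra_cert CERTUTIL_OUTPUT LDAP_OUTPUT
# Returns 0 when both serials are present and equal, 1 otherwise.
check_ra_cert() {
    nss_serial=$(printf '%s\n' "$1" | serial_from_certutil)
    ldap_serial=$(printf '%s\n' "$2" | serial_from_ldap)
    if [ -n "$nss_serial" ] && [ "$nss_serial" = "$ldap_serial" ]; then
        echo "OK: ipaCert serial $nss_serial matches the RA agent entry"
        return 0
    fi
    echo "MISMATCH: NSS has serial '$nss_serial', LDAP records '$ldap_serial';" \
         "update the uid=ipara description as described on the renewal page"
    return 1
}

# Offline demonstration on the constructed samples.
check_ra_cert "$CERTUTIL_SAMPLE" "$LDAP_SAMPLE_MATCH"
check_ra_cert "$CERTUTIL_SAMPLE" "$LDAP_SAMPLE_STALE" || true

# Live usage on a server (not run here): feed the real command outputs in.
# check_ra_cert "$(certutil -L -d /etc/httpd/alias -n ipaCert)" \
#     "$(ldapsearch -x -h localhost -p 7389 -D 'cn=directory manager' -W \
#         -b uid=ipara,ou=People,o=ipaca description)"
```

Run it as-is to see one OK and one MISMATCH verdict on the sample data; on a real server replace the two constructed strings with the output of the certutil and ldapsearch commands from the post (drop `-p 7389` on a single-instance install, as Rob notes). A non-zero exit makes the check usable from cron or a monitoring probe so a stale RA entry is caught before the next renewal fails.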