[Freeipa-users] Certificate system unavailable

Lucas Yamanishi lyamanishi at sesda3.com
Thu Aug 7 16:14:08 UTC 2014


Hello, I'm in a bit of a pickle with the PKI system.  I have three
replicas, but only one contains the CA.  I realize how poor a decision
it was to do that.  I plan to create more complete replicas, but right
now I can't even create a replica file, much less a full replica.

The problem started when the CA subsystem certificates expired.  I read
several threads explaining how to roll back time and renew them, but I
then discovered that the host and HTTP certificates for the server were
missing.  I checked for backups, but we erroneously did not cover those
files.  Because they are missing I was unable to renew any certificates.

Is there a way to manually create host and service certificates?  When I
search for this, the "manual" procedure listed in the documentation
requires `ipa cert-request` which does not work.  I did try installing a
self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
the errors, but the commands still fail.  The pki-ca service is running
OK, as far as I can tell.

I also tried adding a CA instance to one of the other replicas with
`ipa-ca-install`, but it failed during the configuration phase.

-- 
-----
*question everything*learn something*answer nothing*
------------
Lucas Yamanishi
------------------
Systems Administrator, ADNET Systems, Inc.
NASA Space and Earth Science Data Analysis (606.9)
7515 Mission Drive, Suite A100
Lanham, MD 20706 * 301-352-4646 * 0xD354B2CB
