[Freeipa-users] Certificate format error: [Errno -8018]

Rob Crittenden rcritten at redhat.com
Thu Jan 30 02:22:35 UTC 2014


craig.freeipa at noboost.org wrote:
> Well, progress :) Just not quite fully fixed; it seems three certificates have updated, just not the others yet. Do I need to "tell them to update", or let the server roll over until it hits Jan 14?
>
> Server: Red Hat Enterprise Linux Server release 6.5 (Santiago)
> ipa-server-3.0.0-37.el6.x86_64
> ipa-client-3.0.0-37.el6.x86_64
> ---
> ~/Scripts>date
> Sat Jan 11 19:29:02 EST 2014
> ---
> ~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
>              Not After : Fri Jan 01 07:44:45 2016
> ---
> Ran script:
> for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
> do
>      echo "$nickname"
>      certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
> done
>
> ---
> auditSigningCert cert-pki-ca
>              Not After : Thu Jul 10 07:45:42 2014
>              Not After : Tue Jan 14 06:45:05 2014
> ocspSigningCert cert-pki-ca
>              Not After : Fri Jan 01 07:44:43 2016
> subsystemCert cert-pki-ca
>              Not After : Fri Jan 01 07:44:44 2016
> Server-Cert cert-pki-ca
>              Not After : Tue Jan 14 06:45:05 2014
> ---
>
> The Apache cert did update, which is good!
> ~/Scripts>certutil -L -d /etc/httpd/alias -n ipaCert | grep After
>              Not After : Fri Jan 01 07:44:45 2016
>
> cya
>
> Craig
>

For those not yet renewed I'd do a getcert list to find them and getcert 
resubmit -i <id> to force renewal.

The CA won't start without a valid audit cert.

rob
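
Added example, not part of the original thread: one way to pick out the not-yet-renewed entries from getcert list output and print the matching getcert resubmit -i <id> commands. The function names, request IDs and dates are constructed, and the "Request ID" / "certificate:" / "expires:" line layout is an assumption about the getcert list output format.

```shell
#!/bin/bash
# Added example (not from the thread): find certmonger requests that still
# need renewal. Assumes `getcert list` prints "Request ID '<id>':" headers
# followed by "certificate: ...nickname='...'" and
# "expires: YYYY-MM-DD HH:MM:SS UTC" lines.

# Read `getcert list` output on stdin; print "id<TAB>nickname<TAB>expiry"
# for every request expiring before the cutoff ($1, "YYYY-MM-DD HH:MM:SS").
expiring_requests() {
    awk -v cutoff="$1" -v q="'" '
        /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id); nick = "" }
        /^[ \t]*certificate:/ && match($0, "nickname=" q "[^" q "]*" q) {
            nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        # ISO-style timestamps sort correctly as plain strings
        /^[ \t]*expires:/ {
            when = $2 " " $3
            if (when < cutoff) print id "\t" nick "\t" when
        }
    '
}

# Turn that list into the commands to run by hand (printed, never executed).
resubmit_commands() {
    expiring_requests "$1" | awk -F'\t' '
        { printf "getcert resubmit -i %s   # %s, expires %s\n", $1, $2, $3 }'
}

# Constructed sample in the assumed format; IDs and dates are made up.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20140101000001':
	status: MONITORING
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	expires: 2014-01-14 06:45:05 UTC
Request ID '20140101000002':
	status: MONITORING
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	expires: 2016-01-01 07:44:43 UTC
EOF
}

# On a real server: getcert list | resubmit_commands "2014-02-01 00:00:00"
sample_getcert_list | resubmit_commands "2014-02-01 00:00:00"
```
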
