[Freeipa-users] Certificate Woes

Rob Crittenden rcritten at redhat.com
Fri Mar 28 21:33:13 UTC 2014


Matt Chesler wrote:
> Hi all,
>
> Our IPA instance started acting strangely earlier today.  I restarted
> the IPA service on the primary node and things seemed to return to
> normal.  Over the course of the day, we decided to add a third IPA
> server to our environment.  When I attempted to perform the
> ipa-replica-prepare, I received the following error:
>
> [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
> certificate as expired.
>
> After some additional digging, I discovered that several certs appear to
> have expired recently, despite the fact that auto-renew appears to be
> enabled.  The original node no longer exists.  All of the posts I seem
> to be able to find indicate that I need the CSR from the original host.
> How can I renew my IPA certs without the original master?  Below is
> the scrubbed output of "getcert list".

The original node is the one configured to do the renewal. See 
http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master

rob



