[Freeipa-users] Recovering from messed-up certs
Eric McCoy
ctr2sprt at gmail.com
Thu Oct 23 18:03:07 UTC 2014
Some nicknames changed to protect the innocent. The puppetmaster/hostname
cert is nominally unrelated, though its creation was contemporaneous with
the disappearance of server-cert so I can't entirely rule it out.

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

puppetmaster/hostname                                        u,u,u
REALMNAME IPA CA                                             CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u

On Thu, Oct 23, 2014 at 12:53 PM, Rob Crittenden <rcritten at redhat.com>
wrote:
> Eric McCoy wrote:
> > Hi all,
> >
> > I somehow destroyed my primary IPA server's Server-Cert in
> > /etc/httpd/alias. I don't understand how or why it happened, all I know
> > is that I went to restart Apache and it was gone. Apache won't start,
> > of course, because the cert is missing. I can't issue a new cert on the
> > primary because Apache is down. I tried using the secondary, but it
> > fails saying that it can't connect to the web server on the primary
> > (it's the same error message I get when I try to issue a cert from the
> > primary). I can't figure out how to tell ipa-getcert et al. to talk to
> > the secondary and not the primary. I'm not using DNS for service
> > discovery, so I'm not sure how the various tools figure out where things
> > are.
> >
> > This is all on CentOS 6.5 with IPA 3.0.0-37.
> >
> >
>
> What certs do you have in the database?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
>