[Freeipa-users] Recovering from messed-up certs

[Eric McCoy]

Some nicknames changed to protect the innocent.  The puppetmaster/hostname
cert is nominally unrelated, though its creation was contemporaneous with
the disappearance of server-cert so I can't entirely rule it out.

Certificate Nickname                                         Trust
Attributes

SSL,S/MIME,JAR/XPI

puppetmaster/hostname                     u,u,u
REALMNAME IPA CA                                             CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u


On Thu, Oct 23, 2014 at 12:53 PM, Rob Crittenden <rcritten at redhat.com>
wrote:

> Eric McCoy wrote:
> > Hi all,
> >
> > I somehow destroyed my primary IPA server's Server-Cert in
> > /etc/httpd/alias.  I don't understand how or why it happened, all I know
> > is that I went to restart Apache and it was gone.  Apache won't start,
> > of course, because the cert is missing.  I can't issue a new cert on the
> > primary because Apache is down.  I tried using the secondary, but it
> > fails saying that it can't connect to the web server on the primary
> > (it's the same error message I get when I try to issue a cert from the
> > primary).  I can't figure out how to tell ipa-getcert et al. to talk to
> > the secondary and not the primary.  I'm not using DNS for service
> > discovery, so I'm not sure how the various tools figure out where things
> > are.
> >
> > This is all on CentOS 6.5 with IPA 3.0.0-37.
> >
> >
>
> What certs do you have in the database?
>
> # certutil -L -d /etc/httpd/alias
>
> rob
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/freeipa-users/attachments/20141023/f853ee45/attachment.htm>