[Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

Martin Basti mbasti at redhat.com
Wed May 25 11:30:35 UTC 2016



On 25.05.2016 04:36, Barry wrote:
>
> Hi:
>
> Which location I should renew cert?
> Http/alias
> Etc/dirsrv/slapd*
>
> Enough?
>

We need to know if you have IPA configured with
* externally signed CA
* or self-signed CA
* or if you have any other certificates from different CAs

If I remember correctly, you wrote in one email that you have a 
certificate from GoDaddy; which certificate?

In case you have a self-signed CA certificate, you should follow: 
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Martin
> On 24 May 2016 at 10:01 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
>     barrykfl at gmail.com wrote:
>
>         hi all:
>
>
>         Thx, as title
>
>         ipa         : ERROR    cert validation failed for
>         "CN=server.abc.com,O=WISER S.COM"
>         ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>         preparation of replica failed: cannot connect to
>         'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>         (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>         cannot connect to
>         'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>         (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>
>
>     The root of all your problems is that your certificates are
>     expired. Fixing this should be your priority. This is probably
>     going to involve going back in time to when the certificates are
>     still valid, restarting IPA, restarting certmonger and waiting for
>     things to properly renew. It can take some time as the
>     certificates don't all renew at once.
>
>     I suspect that once renewed and returned to current time the rest
>     of your problems will, for the most part, go away.
>
>     rob
>
>
>
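
A check that supports the advice quoted above, as an added example that is not part of the original thread: it parses `getcert list` output from certmonger to show which tracked certificates have expired and the earliest expiry, before which the clock would have to be set for all of them to validate. The sample output, request IDs, nicknames and instance name are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `getcert list` output (not taken from the thread).
SAMPLE = """\
Request ID '20140525103000':
	status: CA_UNREACHABLE
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
	expires: 2016-05-20 10:30:00 UTC
Request ID '20140525103100':
	status: MONITORING
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
	expires: 2016-06-30 10:31:00 UTC
Request ID '20140525103200':
	status: NEED_TO_SUBMIT
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert'
	expires: 2016-05-14 08:00:00 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request with its 'key: value' fields."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
            continue
        key, sep, value = line.strip().partition(": ")
        if sep and requests:
            requests[-1][key] = value
    for r in requests:
        if "expires" in r:  # a request with no certificate yet has no expiry
            when = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            r["expires"] = when.replace(tzinfo=timezone.utc)
    return requests

def expired(requests, now):
    """Tracked certificates whose expiry is at or before `now`."""
    return [r for r in requests if "expires" in r and r["expires"] <= now]

def earliest_expiry(requests):
    """All tracked certificates are unexpired only before this moment."""
    dates = [r["expires"] for r in requests if "expires" in r]
    return min(dates) if dates else None

if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    for r in expired(reqs, datetime.now(timezone.utc)):
        print(r["id"], r["status"], r["expires"].isoformat(), r["certificate"])
    print("earliest expiry:", earliest_expiry(reqs))
```

`getcert list` does not print issue dates, so the earliest expiry is only an upper bound on a usable clock setting.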
