[Freeipa-users] Ipa replica cannot gen as cert expire which folder I should replace new cert???

barrykfl at gmail.com barrykfl at gmail.com
Thu May 26 03:44:39 UTC 2016


Externally signed CA - GoDaddy Expired.

Already added new to db /etc/https/alias / -L and configured nickname map in
/etc/http/config.d/nss.conf
Already imported to /etc/slapd/PKI-IPA ...where nickname I should point to?
Already changed /etc/dirsrv/slapd-ABC-COM and nickname map in dse.ldif

Start stop IPA no cert issue, but server ipa prepare fails.

IPA replica still says cert expiry, anywhere I missed?


Thanks


2016-05-25 19:30 GMT+08:00 Martin Basti <mbasti at redhat.com>:

>
>
> On 25.05.2016 04:36, Barry wrote:
>
> Hi:
>
> Which location should I renew the cert in?
> Http/alias
> Etc/dirsrv/slapd*
>
> Enough?
>
>
> We need to know if you have IPA configured with
> * externally signed CA
> * or self-signed CA
> * or if you have any other certificates from different CAs
>
> If I remember correctly you wrote in one email that you have a certificate
> from GoDaddy, which certificate?
>
> In case you have a self-signed CA certificate you should follow:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal
>
> Martin
>
> On May 24, 2016 at 10:01 PM, "Rob Crittenden" <rcritten at redhat.com> wrote:
>
>> barrykfl at gmail.com wrote:
>>
>>> hi all:
>>>
>>>
>>> Thx, as title
>>>
>>> ipa         : ERROR    cert validation failed for "CN=server.abc.com,O=WISER S.COM"
>>> ((SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.)
>>> preparation of replica failed: cannot connect to
>>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>> cannot connect to
>>> 'https://server.ABC.com:9444/ca/ee/ca/profileSubmitSSLClient':
>>> (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.
>>>
>>
>> The root of all your problems is that your certificates are expired.
>> Fixing this should be your priority. This is probably going to involve
>> going back in time to when the certificates are still valid, restarting
>> IPA, restarting certmonger and waiting for things to properly renew. It can
>> take some time as the certificates don't all renew at once.
>>
>> I suspect that once renewed and returned to current time the rest of your
>> problems will, for the most part, go away.
>>
>> rob
>>
>
>
>
>
>
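
Added example (not part of the original thread and not FreeIPA project code): Rob's reply depends on certmonger renewing the tracked certificates once the clock is set back to a time when they were valid. This Python parser reads `getcert list` output and reports which NSS database and nickname hold expired certificates, plus the earliest expiry, which the rolled-back clock must precede. The sample text, request IDs and `/path/to/...` locations are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints; not output from the poster's server.
# Request IDs and /path/to/... locations are placeholders.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140526000001':
    status: MONITORING
    certificate: type=NSSDB,location='/path/to/nssdb-1',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2018-05-20 10:00:00 UTC
Request ID '20140526000002':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-ABC-COM',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-05-01 10:00:00 UTC
Request ID '20140526000003':
    status: NEED_GUIDANCE
    certificate: type=NSSDB,location='/path/to/nssdb-2',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2016-04-15 09:30:00 UTC
"""

def parse_getcert_list(text):
    """Return one dict per tracked request: id, status, location, nickname, expires."""
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1), "status": None, "location": None, "nickname": None, "expires": None}
            entries.append(cur)
        elif cur is not None:
            key, _, value = line.strip().partition(": ")
            if key == "status":
                cur["status"] = value
            elif key == "certificate":
                # type=FILE entries carry no nickname; those fields stay None
                for field in ("location", "nickname"):
                    hit = re.search(field + r"='([^']*)'", value)
                    cur[field] = hit.group(1) if hit else None
            elif key == "expires":
                cur["expires"] = datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return entries

def expired(entries, now):
    """Tracked certificates whose expiry is at or before `now`."""
    return [e for e in entries if e["expires"] and e["expires"] <= now]

def rollback_deadline(entries):
    """Earliest expiry: the clock must be set before this for every tracked cert to validate."""
    return min((e["expires"] for e in entries if e["expires"]), default=None)
```

On a server the input would come from `getcert list` itself, for example `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))`.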