[Freeipa-users] pki-tomcat will not start after certificate renewal

Joseph Vandermas fedora at josemaas.net
Thu Feb 23 18:50:18 UTC 2017


I got really busy, sorry about the delay. It was a coworker who renewed our 
CA cert during an upgrade from CentOS 6 to CentOS 7. I remember him saying 
during the upgrade the CA broke and he had to mess around with it. 
According to him, "Pretty sure I did the walk the clock back thing, but 
it's been so long I don't remember." As for pki-tomcat, its certs were 
renewed automatically.

I have tried the workaround that was suggested on the open bug and that 
did not fix my issue.

On Thu, 9 Feb 2017, Rob Crittenden wrote:

> Joseph Vandermaas wrote:
>> All
>> 	I have been experiencing some issues with a FreeIPA instance that I maintain. More specifically, pki-tomcat has not started since around the time its certificate renewed. I submitted this bug report https://fedorahosted.org/freeipa/ticket/6521, however a solution has yet to be found.
>> 	This installation does have one interesting issue that I believe may be causing it to fail. There are two certificates under cn=EXAMPLE.COM IPA CA,cn=certificates,cn=ipa,cn=etc,dc=example,dc=com. Both of these are valid CA certificates, and when I run openssl verify with either of them as the CA and the new subsystem certificate I get an OK message. I also believe that this issue is causing me not to be able to do an ipa-certupdate on the broken IPA server. Is there a way to clean this up? Should I try renewing the CA certificate and get rid of the old LDAP entries?
>>
>
> What did you do, as exactly as you can remember, to get the certificates
> renewed?
>
> rob
>

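The observation in the quoted post (two CA certificates in LDAP, and openssl verify reporting OK for the subsystem certificate against either one) is exactly what you get when a CA certificate is renewed with the same key pair: the subject, the public key and therefore the subject key identifier stay the same, so a leaf signed under the old certificate chains to the new one as well. The script below is an added example, not code from the thread or from FreeIPA. It builds a throwaway PKI that reproduces that situation and then shows the attributes that do tell the two CA certificates apart (serial number, expiry date, SHA-256 fingerprint). It assumes the renewal reused the CA key, which the post does not state; the subject names, file names and serial numbers are hypothetical, and it needs a working openssl binary.

```shell
#!/bin/sh
# Added example (not from the thread or from FreeIPA): one CA key, two CA
# certificates issued from it (original and renewal, assumed to share the key),
# and a subsystem certificate signed under the original. All names are made up.
set -eu

# Write the OpenSSL config used below into DIR/demo.cnf. Extensions are pinned
# explicitly so the demo does not depend on the system openssl.cnf defaults.
write_config() {
    cat > "$1/demo.cnf" <<'EOF'
[req]
default_md = sha256
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[leaf_ext]
basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF
}

# issue_ca_cert DIR TAG SERIAL DAYS: self-signed CA cert from DIR/ca.key.
issue_ca_cert() {
    openssl req -x509 -new -config "$1/demo.cnf" -key "$1/ca.key" \
        -subj "/O=EXAMPLE.COM/CN=Certificate Authority" \
        -set_serial "$3" -days "$4" -out "$1/ca-$2.pem" 2>/dev/null
}

# make_demo_pki DIR: build the whole throwaway PKI under DIR.
make_demo_pki() {
    mkdir -p "$1"
    write_config "$1"
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/ca.key" 2>/dev/null
    # Same key, two certificates: serial 1 (old, 1 year) and serial 2 (renewed, 10 years).
    issue_ca_cert "$1" old 1 365
    issue_ca_cert "$1" new 2 3650
    # Subsystem certificate, signed while the old CA certificate was current.
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$1/subsystem.key" 2>/dev/null
    openssl req -new -config "$1/demo.cnf" -key "$1/subsystem.key" \
        -subj "/O=EXAMPLE.COM/CN=CA Subsystem" -out "$1/subsystem.csr" 2>/dev/null
    openssl x509 -req -in "$1/subsystem.csr" -CA "$1/ca-old.pem" -CAkey "$1/ca.key" \
        -set_serial 100 -days 365 -extfile "$1/demo.cnf" -extensions leaf_ext \
        -out "$1/subsystem.pem" 2>/dev/null
}

# Attributes that distinguish two CA certificates built on the same key.
cert_serial()      { openssl x509 -in "$1" -noout -serial | cut -d= -f2; }
cert_not_after()   { openssl x509 -in "$1" -noout -enddate | cut -d= -f2; }
cert_fingerprint() { openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2; }

# same_key A B: succeed if both certificates carry the same public key.
same_key() {
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl x509 -in "$2" -noout -pubkey)" ]
}

# verify_against CAFILE CERT: the check the post ran; succeeds if CERT chains to CAFILE.
verify_against() {
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# demo DIR: show that verify passes against both CA certs and print what differs.
demo() {
    make_demo_pki "$1"
    for tag in old new; do
        f="$1/ca-$tag.pem"
        if verify_against "$f" "$1/subsystem.pem"; then r=OK; else r=FAIL; fi
        printf '%s: serial=%s notAfter=%s verify=%s\n  sha256=%s\n' \
            "ca-$tag" "$(cert_serial "$f")" "$(cert_not_after "$f")" "$r" \
            "$(cert_fingerprint "$f")"
    done
    if same_key "$1/ca-old.pem" "$1/ca-new.pem"; then
        echo "Both CA certificates wrap the same public key; openssl verify cannot tell them apart."
    fi
}

d=$(mktemp -d)
demo "$d"
rm -rf "$d"
```

On a real server the two PEM files would come from the two LDAP entries the post names rather than from the generated key (exporting the cACertificate values is assumed here, not shown on the page); the same serial, expiry and fingerprint comparison then tells you which entry is the renewed certificate and which one is stale, which openssl verify alone will not.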
