[Freeipa-devel] certificate renewal

[Rob Crittenden]

Vaede, Roger (Contractor) wrote:
> I did try to replace the certificate with a self signed one at one point but then I was getting an error saying the certificate wasn't valid.

Ok, I need to get a better handle on how this was originally installed 
in order to guide you. Can you look to see if 
/var/log/ipaserver-install.log still exists? It should have the original 
arguments passed.

What I need to know is if this was installed using a dogtag CA or if it 
was installed as a selfsign server.

rob

>
> Regards
> Roger
>
> -----Original Message-----
> From: Vaede, Roger (Contractor)
> Sent: Wednesday, October 30, 2013 2:37 PM
> To: 'Rob Crittenden'; 'freeipa-devel at redhat.com'
> Subject: RE: [Freeipa-devel] certificate renewal
>
> I never installed freeipa, the person that installed it left the company.
> I removed the request ID at one point by using the stop-tracking command then I used this command to reinstate them:
> ipa-getcert start-tracking  -d  /var/lib/pki-ca/alias -n ServerCert -r
>
> Initially they expired around October 25th.
>
> Regards
> Roger
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, October 30, 2013 2:30 PM
> To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
> Subject: Re: [Freeipa-devel] certificate renewal
>
> Vaede, Roger (Contractor) wrote:
>> I have two IPA servers, one primary and one is backup.  (Redhat 5)
>
> What version of ipa-server is this?
>
>> The primary servers certificate has expired.
>>
>> I am not able to renew it.
>>
>> I turned off the ssl on the clients and now the users can login.
>>
>> I did a lot of research on certificate renewal and I am lost at this point.
>>
>> I am able to make changes using the backup IPA server.
>
> This getcert output is quite strange. Did you start these tracking yourself?
>
> Did you replace the IPA CA certificate at some point?
>
> rob
>
>