On 08/13/2018 04:13 PM, Tobi Berninger via FreeIPA-users wrote:
> Hello,
> I upgraded my CentOS 7.5 ipaserver to a new version and ran into a
> few problems.
> It seems like 'subsystemCert cert-pki-ca' expired nearly a month ago
> (Jul 22) and I am not sure how to renew it.
> When I run ipa-server-upgrade manually, I run into an error with the CA
> certificates, and in the log I found this line:
>
> Internal Database Error encountered: Could not connect to LDAP server
> host ipababy.int.asta-frankfurt.de port 636 Error
> netscape.ldap.LDAPException: Unable to create socket:
> org.mozilla.jss.ssl.SSLSocketException:
> org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed:
> (-8181) Peer's Certificate has expired. (-1)
>
> When I run ipactl start, tomcatd and httpd won't start.
> I already tried to turn back time, but I don't know how to manually start
> pki-tomcatd or any other way to renew the certificates.
> Or am I looking in the wrong direction the whole time?
> Thank you all for your help
The recovery steps are described in
https://access.redhat.com/solutions/3357261 How do I manually renew
Identity Management (IPA) certificates on RHEL7 after they have expired?
(Master IPA Server) and involve going back in time as you tried.
pki-tomcatd is normally started using ipactl start. When one of the
processes launched through ipactl fails to start, you can use ipactl
start --ignore-service-failures, so that the other processes stay up.
pki-tomcatd can be started individually using systemctl start
pki-tomcatd@pki-tomcat. But in your case, you will need to restart
certmonger to trigger the certificate renewal.
HTH,
flo
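
A check that fits the recovery described in the reply above, as an added example that is not part of the thread: it reads `getcert list`-style output and reports which tracked certificates are expired at a given time, plus the earliest expiry, which bounds the date the clock is set back to. The function names are hypothetical, the sample input is constructed, and the `certificate:` / `expires:` line layout of `getcert list` is assumed.

```shell
#!/bin/sh
# Added example (not from the thread). Live use on an IPA server would be:
#   getcert list | expired_certs "$(date -u '+%Y-%m-%d %H:%M:%S')"

# expired_certs "YYYY-MM-DD HH:MM:SS"   (reference time, UTC)
# Prints "<expiry><TAB><nickname or file>" for each request already expired.
expired_certs() {
    awk -v ref="$1" '
        /^Request ID/ { name = "(unknown)" }
        /^[ \t]*certificate:/ {
            # NSSDB entries carry nickname=...; FILE entries only location=...
            if (match($0, /nickname=\047[^\047]*\047/))
                name = substr($0, RSTART + 10, RLENGTH - 11)
            else if (match($0, /location=\047[^\047]*\047/))
                name = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*expires:/ {
            sub(/^[ \t]*expires:[ \t]*/, ""); sub(/[ \t]*UTC[ \t]*$/, "")
            # This timestamp layout sorts lexicographically: compare as strings.
            if (($0 "") < (ref "")) printf "%s\t%s\n", $0, name
        }'
}

# earliest_expiry: the soonest expiry among all tracked certificates.
earliest_expiry() {
    awk '/^[ \t]*expires:/ {
             sub(/^[ \t]*expires:[ \t]*/, ""); sub(/[ \t]*UTC[ \t]*$/, "")
             if (min == "" || ($0 "") < (min "")) min = $0
         }
         END { if (min != "") print min }'
}

# Constructed sample; request IDs, times and the second entry are made up.
sample_getcert_output() {
    cat <<'EOF'
Request ID '20160722101112':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-07-22 10:11:12 UTC
Request ID '20160722101113':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2019-03-01 08:00:00 UTC
EOF
}

sample_getcert_output | expired_certs "2018-08-13 16:13:00"
```

Running the same check again after certmonger has been restarted shows whether the renewal actually replaced the expired entries.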