"ipa-cert-fix" doesn't work.
So I checked the expiry date and changed the date to about 1 month before.
First, make sure that the machine where you are running the commands is the CA renewal master:
# ipa config-show | grep renew
IPA CA renewal master: server.ipa.test
The command ipa config-mod --ca-renewal-master-server=STR can be used to set the machine as renewal master.
You need to carefully pick a date where all the certs are valid.
For the certificates in an NSS database, you can find the dates using
# certutil -L -d /path/to/NSSdatabase -n certnickname | grep -E 'Not Before|Not After'
For instance:
# certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'ocspSigningCert cert-pki-ca' | grep -E 'Not Before|Not After'
Not Before: Thu Dec 14 15:55:20 2023
Not After : Wed Dec 03 15:55:20 2025
Then you need to find a date that fits before/after for all the certificates. Move back to that date, restart the services (don't restart ntpd or chronyd as it would bring you back to the current date), and call getcert resubmit for one certificate at a time. If there are any errors, they will be displayed in the journal.
HTH,
flo
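The step "carefully pick a date where all the certs are valid" is the easy one to get wrong when there are a dozen certificates in the various NSS databases. Below is an added helper (my own script, not part of this thread or of FreeIPA) that parses the "Not Before"/"Not After" lines certutil prints and computes the intersection of all validity windows, so you can see at a glance whether a common date exists and what it is. The certutil call is real; the nicknames and dates in SAMPLE_OUTPUT are constructed for the example so the computation runs offline, and `certutil_validity()` is the only part that needs a real NSS database.

```python
"""Pick a date on which every certificate in a set of NSS databases is valid.

Added example, not from the mailing-list thread. It parses the
"Not Before" / "Not After" lines that `certutil -L -d <db> -n <nick>` prints
and intersects the validity windows of all certificates, which is what you
need before moving the clock back for `getcert resubmit`.
"""
import re
import subprocess
from datetime import datetime, timedelta

DATE_FMT = "%a %b %d %H:%M:%S %Y"          # certutil's human-readable date format
LINE_RE = re.compile(r"Not (Before|After)\s*:\s*(.+)$")

# Constructed sample: what `certutil -L ... | grep -E 'Not Before|Not After'`
# printed for three nicknames.  Dates are made up for the example.
SAMPLE_OUTPUT = {
    "ocspSigningCert cert-pki-ca": (
        "Not Before: Thu Dec 14 15:55:20 2023\n"
        "Not After : Wed Dec 03 15:55:20 2025\n"
    ),
    "subsystemCert cert-pki-ca": (
        "Not Before: Mon Jan 15 10:00:00 2024\n"
        "Not After : Fri Jan 02 10:00:00 2026\n"
    ),
    "auditSigningCert cert-pki-ca": (
        "Not Before: Thu Dec 14 15:55:20 2023\n"
        "Not After : Sat Nov 15 15:55:20 2025\n"
    ),
}


def parse_validity(text):
    """Return (not_before, not_after) parsed from `certutil -L` output."""
    found = {}
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            found[m.group(1)] = datetime.strptime(m.group(2).strip(), DATE_FMT)
    if "Before" not in found or "After" not in found:
        raise ValueError("validity lines not found in certutil output")
    return found["Before"], found["After"]


def certutil_validity(db_path, nickname):
    """Run certutil for one nickname and parse its validity (needs a real NSS db)."""
    out = subprocess.run(
        ["certutil", "-L", "-d", db_path, "-n", nickname],
        check=True, capture_output=True, text=True,
    ).stdout
    return parse_validity(out)


def common_window(windows):
    """Intersect (not_before, not_after) pairs; None if they do not overlap."""
    start = max(nb for nb, _ in windows)   # latest "Not Before"
    end = min(na for _, na in windows)     # earliest "Not After"
    if start >= end:
        return None
    return start, end


def pick_rollback_date(windows, margin=timedelta(days=1)):
    """Suggest a date inside the common window: one day after the latest
    Not Before, so no certificate is 'not yet valid' and every one still
    has its full remaining lifetime ahead.  None if no common date exists."""
    window = common_window(windows)
    if window is None:
        return None
    candidate = window[0] + margin
    return candidate if candidate < window[1] else None


if __name__ == "__main__":
    parsed = {nick: parse_validity(txt) for nick, txt in SAMPLE_OUTPUT.items()}
    for nick, (nb, na) in parsed.items():
        print(f"{nick:32s} {nb:%Y-%m-%d %H:%M:%S} .. {na:%Y-%m-%d %H:%M:%S}")
    chosen = pick_rollback_date(list(parsed.values()))
    if chosen is None:
        print("no date on which all certificates are valid; fix them individually")
    else:
        print("move the clock back to:", chosen.strftime("%Y-%m-%d %H:%M:%S"))
```

In practice replace SAMPLE_OUTPUT with calls to `certutil_validity()` for every nickname in `/etc/pki/pki-tomcat/alias/` and the other NSS databases on the renewal master. If `common_window()` returns None, there is no single date that satisfies all certificates, which explains a run where only some of them renew; those have to be handled in separate passes with different dates.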
But it updated only the last 2 certs.
How can I fix the others?
What's wrong with this CA? Maybe I should change it to another one somehow?
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue