Scott Stevson via FreeIPA-users wrote:
Hey Rob,
You may recall earlier when I said that we wound up pulling an expired cert on one of our
staging IPA replicas after updating the xmlrpc_server variable to point to a different
host. It's not clear to us how best to fix that cert (although I suppose we could
roll back time on the box), so we're wondering if we can update the certificate using
openssl and then adding the entry using something like this:
certutil -A -d /etc/httpd/alias -n 'ipaCert' -t u,u,u -a -i /root/renew/new_ipaCert.crt
Thoughts? We don't need to go this route but we're gaming out recovery/alternate
solutions in the event our efforts to fix prod fail.
I'm on IRC now if responses there would be faster or easier for you.
I was with you until you mentioned openssl. The current cert should
already exist on the current IPA CA renewal master. You can export the
cert from there with:
certutil -L -d /etc/httpd/alias -n ipaCert -a > /path/to/somewhere
Then use the certutil command you mentioned to import it.
Once imported restart httpd and I'd confirm that the master can talk to
the CA by running:
ipa cert-show 1
The actual contents of the cert don't matter but this will show that
end-to-end connectivity is there and that the master has the right RA cert.
rob
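The export/import/verify sequence Rob describes, written out as one script. This is an added example, not code from the thread or from the FreeIPA project. It assumes it runs as root on the replica, that root can ssh to the renewal master (the hostname renewal-master.example.com is a placeholder), that the NSS database is /etc/httpd/alias as in the thread, and that you hold an admin Kerberos ticket (kinit admin) before the final ipa cert-show check. The pem_looks_complete helper and the optional removal of a stale copy under the same nickname are additions a practitioner would want, not steps from the original reply.

```shell
#!/bin/sh
# Added example: re-seed a replica's ipaCert (the RA agent cert) from the
# current IPA CA renewal master, then verify the replica can reach the CA.
set -eu

RENEWAL_MASTER="${RENEWAL_MASTER:-renewal-master.example.com}"  # placeholder, assumption
NSSDB=/etc/httpd/alias        # NSS DB used in the thread
NICK=ipaCert                  # nickname of the RA cert in that DB
OUT=/root/renew/ipaCert.pem   # where the exported PEM is written on the replica

# Sanity check on an exported PEM file: exactly one BEGIN and one END
# CERTIFICATE marker. Catches a truncated ssh transfer or an empty export
# (e.g. wrong nickname on the master) before it is imported.
pem_looks_complete() {
    f="$1"
    b=$(grep -c '^-----BEGIN CERTIFICATE-----$' "$f" 2>/dev/null || true)
    e=$(grep -c '^-----END CERTIFICATE-----$' "$f" 2>/dev/null || true)
    [ "${b:-0}" -eq 1 ] && [ "${e:-0}" -eq 1 ]
}

# Step 1 (Rob's export): pull the ASCII (PEM) form of ipaCert from the
# renewal master's NSS DB over ssh, then check it looks complete.
export_from_master() {
    mkdir -p "$(dirname "$OUT")"
    ssh "root@$RENEWAL_MASTER" "certutil -L -d $NSSDB -n $NICK -a" > "$OUT"
    if ! pem_looks_complete "$OUT"; then
        echo "export of $NICK from $RENEWAL_MASTER looks incomplete: $OUT" >&2
        return 1
    fi
}

# Step 2 (Scott's import line): add the cert to the replica's NSS DB.
# Added precaution: if a stale copy is still present under the same
# nickname, remove it first so the nickname resolves unambiguously.
import_on_replica() {
    if certutil -L -d "$NSSDB" -n "$NICK" >/dev/null 2>&1; then
        certutil -D -d "$NSSDB" -n "$NICK"
    fi
    certutil -A -d "$NSSDB" -n "$NICK" -t u,u,u -a -i "$OUT"
}

# Step 3 (Rob's check): restart httpd and confirm end-to-end connectivity
# to the CA with the RA cert. Serial 1 always exists on an IPA CA, and the
# cert's contents do not matter here; a successful lookup is the signal.
# Requires a valid admin ticket (kinit admin) on the replica.
verify_ra_cert() {
    systemctl restart httpd
    ipa cert-show 1 >/dev/null
    echo "replica can talk to the CA with $NICK"
}

# Only run the procedure when explicitly asked, so sourcing the file for
# its helpers (or running it in a sandbox) does not touch the NSS DB.
if [ "${1:-}" = "run" ]; then
    export_from_master
    import_on_replica
    verify_ra_cert
fi
```

Invoke as `sh reseed_ipacert.sh run` on the replica. If `ipa cert-show 1` fails after the import, the usual suspects are a missing Kerberos ticket, or the replica's RA cert not matching what the CA expects, which is exactly the condition Rob's check is meant to surface.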