Ian Kumlien via FreeIPA-users wrote:
> Hi,
> I've been confused by this a while... But from talking to people on
> #freeipa@freenode this might be the real issue:
> certutil -d /etc/pki/pki-tomcat/alias/ -L |grep cert-pki-ca
> Server-Cert cert-pki-ca u,u,u
> ---
> I have been trying ipa-cert-fix, which seems to look at most
> certificates but not these.
> Also:
> ipa-cacert-manage renew
> 'NoneType' object has no attribute 'is_self_signed'
> The ipa-cacert-manage command failed.

You absolutely do NOT want this. This renews the CA certificate, NOT the
subsystem certificates. Doing this will only add to the confusion.
That said it shouldn't error out in this way.

> Running:
> b3a160b70566ba1703a184f07b493246630829a8
> From ipa-4.7
> (Needed ipa-cert-fix)
> Any clues of how to proceed, I'm still trying to understand this thing =)

I still don't know what isn't working. We need:
- the output of getcert list
- the CA debug log (or the last bit from startup to failure).
- certutil -L -d /etc/pki/pki-tomcat/alias/ might be handy too
rob