Hi Rob
thank you for your answer
> Why are you running this command? Did you change the CA at the same
> time? If not then ipa-server-certinstall is what you want.
yes, now it's Comodo
I've tried ipa-server-certinstall too but I get "The full certificate
chain is not present in ../path/my.key, ../path/my.cer The
ipa-server-certinstall command failed."
Should I try to create a chain certificate/root_ca? Is there a particular
order, e.g. root/other_ca/cert or cert/root/other_ca?
>> Is there a way to bypass this?
> Go back in time as you tried.
>> I've tried to set a date on the server previous than the expiring one
>> of the cert, but I get an SASL/GSSAPI error (even if I renew admin
>> ticket).
> I guess make sure that your time daemon, if any, is stopped.
perhaps I'll try again stopping ntpd
thank you
regards
Stefano
On 2022-07-28 21:28, Rob Crittenden wrote:
> stefano.antonelli@cnaf via FreeIPA-users wrote:
>> Dear All
>>
>> we have a three-node FreeIPA 4.6.8 installation with a third-party
>> certificate (https / dirsrv). This certificate has expired and when I
>> try to follow the
>>
>> ipa-cacert-manage install ...
>> ipa-certupdate I get the error: "cannot connect to
>> https://ipaserver/ipa/json : [SSL: CERTIFICATE_VERIFY_FAILED]
>> certificate verify failed (_ssl.c:618)"
>
> Why are you running this command? Did you change the CA at the same
> time? If not then ipa-server-certinstall is what you want.
>
>> I suppose that this is due to the fact that https connection is blocked
>> for expired certificate which I can't renew.
>
> Yep.
>
>
>> Is there a way to bypass this?
>
> Go back in time as you tried.
>
>> I've tried to set a date on the server previous than the expiring one
>> of the cert, but I get an SASL/GSSAPI error (even if I renew admin
>> ticket).
>
> I guess make sure that your time daemon, if any, is stopped.
>
>> I was thinking to regenerate /etc/httpd/alias/cert8.db,key3.db with new
>> cert/key but I don't know how
>
> Theoretically possible but ipa-server-certinstall should handle it for
> you. Manual is prone to error.
>
> rob