Thanks in advance for your replies. I've spent 7 hours looking through posts here and
trying everything... I'm stuck.
Background: I am a System Administrator in a closed, classified environment.
Unfortunately, I cannot post logging here, but I can refer to them as needed.
I inherited this system from someone who departed the program a year or so ago. Fast
forward to today, the server certs expired yesterday. Admittedly, I'm unfamiliar (or
was) with the certificate update process for IPA servers. On a typical server, we replace
the old cert and restart the httpd services; however, I realize this cannot work with IPA
servers now.
In addition to all of this, the CA chain updated 6 months ago.
I ran ipa-cacert-manage to update the CA chain. When trying to run ipa-certupdate, I
received errors for an invalid server certificate (it expired on 11 April 2023). It simply
won't connect to the web server. HTTPD failed as well, so I had to add
"NSSEnforceValidCerts off" to the nss.conf file for HTTPD to start. Still, no
dice.
I've run ipa-server-certinstall for the new cert/key as well, and it fails saying it's
not trusted ("Peer's certificate issuer is not trusted [certutil: certificate is
invalid: Peer's Certificate issuer is not recognized] Please run ipa-cacert-manage
install and ipa-certupdate to install the CA certificate."), which, as reported above,
can't complete.
I'm at a total loss here... and really struggling being new to all this and trying my
best to keep it afloat. Any help would be GREATLY appreciated!