Evg Hertz via FreeIPA-users wrote:
> How to recreate the CA and
> directory server
> http server
> KDC
> ?

IMHO the way forward is to figure out what is wrong with your
installation. There is no replacing individual components.

The RA cert appears to be ok but it apparently is being rejected during
authentication. Can you run this to see whether the certificate has been
revoked? 7 is the serial number of the RA cert.

# pki cert-show 7
WARNING: pki cert has been deprecated. Use pki ca-cert instead.
WARNING: UNTRUSTED ISSUER encountered on
'CN=ipa.example.test,O=EXAMPLE.TEST' indicates a non-trusted CA cert
'CN=Certificate Authority,O=EXAMPLE.TEST'
Trust this certificate (y/N)? y
  Serial Number: 0x7
  Subject DN: CN=IPA RA,O=EXAMPLE.TEST
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.TEST
  Status: VALID
  Not Valid Before: Mon Jan 04 13:59:14 UTC 2021
  Not Valid After: Sun Dec 25 13:59:14 UTC 2022

The status should be VALID.

If it is valid then I think we need to see some logs from 389 and pki to
try to find out why the auth is rejected.

rob
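
Added example (not part of the original message, and not FreeIPA or Dogtag code): a small Python check that reads saved `pki cert-show` output and reports whether the RA cert's status is VALID and whether the check time falls inside its validity window. It assumes the output layout and date format quoted in the message above; the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample: the certificate fields quoted in the message above.
SAMPLE_OUTPUT = """\
WARNING: pki cert has been deprecated. Use pki ca-cert instead.
  Serial Number: 0x7
  Subject DN: CN=IPA RA,O=EXAMPLE.TEST
  Issuer DN: CN=Certificate Authority,O=EXAMPLE.TEST
  Status: VALID
  Not Valid Before: Mon Jan 04 13:59:14 UTC 2021
  Not Valid After: Sun Dec 25 13:59:14 UTC 2022
"""

# Assumption: dates are always printed in UTC in the form shown above.
DATE_FORMAT = "%a %b %d %H:%M:%S UTC %Y"


def parse_cert_show(text):
    """Collect the 'Key: value' lines of the output, skipping WARNING lines."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition(": ")
        if sep and not key.startswith("WARNING"):
            fields[key] = value
    return fields


def check_ra_cert(text, now):
    """Return a list of problems; an empty list means status and dates are fine."""
    fields = parse_cert_show(text)
    problems = []
    status = fields.get("Status")
    if status != "VALID":
        problems.append(f"status is {status}, expected VALID")
    try:
        start, end = (
            datetime.strptime(fields[k], DATE_FORMAT).replace(tzinfo=timezone.utc)
            for k in ("Not Valid Before", "Not Valid After")
        )
    except (KeyError, ValueError):
        return problems + ["validity dates missing or unparseable"]
    if now < start:
        problems.append(f"not valid until {start:%Y-%m-%d}")
    if now > end:
        problems.append(f"expired on {end:%Y-%m-%d}")
    return problems


if __name__ == "__main__":
    print(check_ra_cert(SAMPLE_OUTPUT, datetime.now(timezone.utc)) or "RA cert OK")
```

An empty result only rules out revocation and expiry; an authentication failure with a VALID cert still needs the 389 and pki logs mentioned above.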