Nick Polites via FreeIPA-users wrote:
> UPDATE:
> I have resolved the issue. The problem all stemmed from the
> $getcert list
> having expired certificates. I had to start up IPA using
> ipactl start --ignore-service-failures
> and then issue the
> getcert resubmit -i <<request id>>
> One certificate came up as CA_UNREACHABLE but had a valid expiration date in the future.
> I rebooted the VM and everything is working now.
> Thanks for all of the help but it is concerning that these do seem to break. I have added
> a login warning prior to an O/S upgrade or reboot to check that the certs are all valid.

Glad you got it working again.
You'd have to read the journal to know for sure what certmonger did or
didn't do.
ipa-cert-fix is one way to repair expired certificates.
ipa-healthcheck can be used to warn about a number of common issues with
an IPA server configuration.
rob
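
One way to script the pre-reboot certificate check mentioned in the quoted message, as an added example that is not from either poster: it reads `getcert list` output and flags requests that are expired, close to expiry, or not in the MONITORING state (such as CA_UNREACHABLE). The function names `check_certs` and `sample_getcert_list` are hypothetical, the sample data is constructed, and the script assumes GNU `date` and `expires:` values printed in UTC.

```shell
#!/bin/sh
# Added example, not from the thread: flag certmonger requests that need
# attention before a reboot or upgrade. Assumes `expires:` is printed in UTC.

# Constructed sample in the layout `getcert list` prints (most fields omitted).
sample_getcert_list() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20240101000001':
    status: MONITORING
    expires: 2025-11-20 10:00:00 UTC
Request ID '20240101000002':
    status: MONITORING
    expires: 2024-03-01 12:00:00 UTC
Request ID '20240101000003':
    status: CA_UNREACHABLE
    expires: 2025-11-20 10:00:00 UTC
Request ID '20240101000004':
    status: MONITORING
    expires: 2024-06-15 08:30:00 UTC
EOF
}

# Usage: getcert list | check_certs [warn_days] [now_epoch]
# Prints one line per problem request; returns 1 if any were found.
check_certs() {
    warn_days=${1:-28}
    now=${2:-$(date -u +%s)}
    fmt='+%Y-%m-%d %H:%M:%S'
    now_s=$(date -u -d "@$now" "$fmt")
    soon_s=$(date -u -d "@$((now + warn_days * 86400))" "$fmt")
    # Timestamps in this fixed-width format sort correctly as plain strings.
    awk -v now="$now_s" -v soon="$soon_s" '
        function report(   why) {
            if (id == "") return
            if (expiry != "" && expiry <= now)       why = "EXPIRED " expiry
            else if (expiry != "" && expiry <= soon) why = "expires soon " expiry
            if (status != "MONITORING") why = (why == "" ? "" : why ", ") "status " status
            if (why != "") { print id ": " why; bad = 1 }
        }
        /^Request ID/    { report(); id = substr($3, 2, length($3) - 3)
                           status = expiry = "" }
        $1 == "status:"  { status = $2 }
        $1 == "expires:" { expiry = $2 " " $3 }
        END              { report(); exit bad + 0 }
    '
}
```

On a real server the input would come from `getcert list | check_certs 28`, with the non-zero return value used to trigger the warning.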