[Freeipa-users] Re: /etc/httpd/alias not getting renewed cert

Hello all, I had an issue a short while ago with a replica which turned out to be an expired certificate which I renewed and all seemed good. Seemed... It now appears that although the certificate renewed as seen by getcert -list, it didn't update /etc/httpd/alias and so the httpd and tomcat-pki services won't start unless I set the date to before the certificate expired, and even then sometimes the httpd error_log shows: Unable to verify certificate 'Server-Cert'. Add "NSSEnforceValidCerts off" to nss.conf so the server can start until the problem can be resolved. and the service fails to start.

I've tried resubmitting the certificate, and it doesn't seem to throw an error, but it doesn't update /alias either. Trying to access the server via the web page shows the old certificate still in use. I see the same certificate error with the replica server, which was freshly rebuilt and added last week. I've doubtless dug further into the hole trying to troubleshoot this, so I probably need to start from the beginning again, and a pointer in the right direction would be a great help! A getcert list shows all the certificates expiry dates well into the future. How can I get the certs back in sync? I've found a few guides and most seem to be for earlier versions, and I'm not sure if they're still current. I can post whatever logs you think will help, I'm afraid I'm not familiar enough with them all to tell which are the most relevant. Is there a guide for the logs? Thanks for any help you can give, Thomas

_______________________________________________ FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorah...