Hi,
on the ipa.dom.loc server, the following certs are expired:
- auditSigningCert cert-pki-ca (2024-12-01) - ocspSigningCert cert-pki-ca (2024-12-01) - subsystemCert cert-pki-ca (2024-12-01) - ipaCert (2024-12-01) - Server-Cert cert-pki-ca (2024-12-01)
on the ipa2.dom.loc server, the following certs are expired:
- auditSigningCert cert-pki-ca (2024-11-19) - ocspSigningCert cert-pki-ca (2024-11-19) - subsystemCert cert-pki-ca (2024-11-19) - ipaCert (2024-11-19)
If both masters are part of the same topology, there clearly is an issue as the certs (except Server-Cert cert-pki-ca) should be identical on both machines. Are they replicating to each other?
You need to find the CA renewal master: # kinit admin # ipa config-show
Then start by repairing this server. You can follow https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html-sin...
HTH, flo
On Mon, Dec 9, 2024 at 6:25 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
Hello Rob. is there enough information? -- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue