Sorry for delayed reply. I was on leave for a few weeks.
Glad you reached a happy outcome.
It seems irrelevant now but FWIW I was not able to access the files
on Google Drive.
On Wed, Sep 12, 2018 at 11:50:44AM +0200, Wim Vinckier via FreeIPA-users wrote:
We decided to follow this guide and just replace the certificate of the
webserver and ldap:
did what wanted to do, for now. Maybe we will switch the CA later on.
On Wed, 5 Sep 2018 at 17:30, Wim Vinckier <wimpunk(a)gmail.com> wrote:
> You can find the files at
> Kind regards,
> Wim Vinckier.
> On Mon, 3 Sep 2018 at 07:42, Wim Vinckier <wimpunk(a)gmail.com> wrote:
>> Hi Fraser,
>> We did use the command twice. Once to generate the CSR and a second time
>> to supply the new certificates.
>> I'll check with our security agent if I may supply the certificates.
>> afraid I may not supply them because of the firm security policies.
>> Kind regards,
>> wim vinckier.
>> On Mon, 3 Sep 2018 at 03:17, Fraser Tweedale <ftweedal(a)redhat.com> wrote:
>>> On Fri, Aug 31, 2018 at 05:26:04PM +0200, Wim Vinckier via FreeIPA-users
>>> > Hi All,
>>> > We are using our own (selfsigned) root CA for our installations. We
>>> > started to use ipa and after exploring the possibilities we want to
>>> > to the root CA we normally use. According to  it should be done
>>> > these instruction . When we try to renew the certificate we get
>>> > error:
>>> > [root@ipa ~]# ipa-cacert-manage renew --external-cert-file=/root/Certificate_Authority.pem --external-cert-file=root.cert
>>> > Importing the renewed CA certificate, please wait
>>> > CA certificate chain in /root/Certificate_Authority.pem, root.cert is
>>> > incomplete: missing certificate with subject 'CN=Example SCRL'
>>> > The ipa-cacert-manage command failed.
>>> > When we check the subject of the file, it seems to be correct to me:
>>> > [root@ipa ~]# openssl x509 -noout -subject -in /root/root.cert
>>> > subject= /CN=Example SCRL
>>> > Is there anyone who can help me with this?
>>> > Kind regards,
>>> > wim vinckier.
>>> Dear Wim,
>>> Did you first run `ipa-cacert-manage renew --external-ca` to
>>> generate the CSR for submission to the new CA? Then you invoke
>>> `ipa-cacert-manage renew` a second time, supplying the new IPA CA
>>> certificate and superior CA certificate(s) via the
>>> `--external-cert-file` option.
>>> If you did these steps, then please convey your certificates so we
>>> can inspect them and determine what the problem is.
>> I would love to change the world, but they won't give me the source code.
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org