Incorrect trust attributes are applied to auto-renewed IPA subsystem certificates

Solution Verified - Updated -

Issue

  • After the date at which the IPA subsystem certificates should have been automatically renewed by certmonger, the Directory Server and Apache certificates are still expired. When the 'ipa-getcert list' command is used to view the status of the tracked certificates, the following error message is displayed:
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
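
A check for the symptom described above, as an added example that is not part of the original article or of Red Hat's tooling: it parses 'ipa-getcert list' output and reports requests that are CA_UNREACHABLE or stuck, tagging those whose ca-error is the CA trust failure quoted above. The function names, request IDs and database paths are constructed for illustration.

```shell
# Added example (not from the article). Reads `ipa-getcert list` text on stdin and
# prints one line per unhealthy request: id|cert-db|status|stuck|cause
stuck_requests() {
    awk '
        function emit() {
            if (id == "" || (status != "CA_UNREACHABLE" && stuck != "yes")) return
            cause = (err ~ /cannot be authenticated with known CA/) ? "tls-trust" : "other"
            printf "%s|%s|%s|%s|%s\n", id, db, status, stuck, cause
        }
        /^Request ID / {
            emit()
            id = $0
            sub(/^Request ID ./, "", id)   # drop prefix and opening quote
            sub(/.:[ \t]*$/, "", id)       # drop closing quote and colon
            db = status = stuck = err = ""
            next
        }
        { line = $0; sub(/^[ \t]+/, "", line) }
        line ~ /^status: /   { status = substr(line, 9) }
        line ~ /^stuck: /    { stuck = substr(line, 8) }
        line ~ /^ca-error: / { err = substr(line, 11) }
        line ~ /^certificate: / && match(line, /location=.[^,]*/) {
            db = substr(line, RSTART + 10, RLENGTH - 11)
        }
        END { emit() }
    '
}
# Constructed sample output (IDs and paths are illustrative, not from the article).
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20130101000001':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
Request ID '20130101000002':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
Request ID '20130101000003':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
EOF
}
# On an IPA server the input would come from: ipa-getcert list | stuck_requests
sample_getcert_output | stuck_requests
```

A "tls-trust" cause means certmonger could not validate the CA's HTTPS certificate when submitting the renewal, which is the failure shown in the ca-error line above.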

Environment

  • Red Hat Enterprise Linux 6.5 and earlier
  • ipa-server-3.x
  • certmonger-0.61-3 and earlier
