Incorrect trust attributes are applied to auto-renewed IPA subsystem certificates

Issue

  • After the date on which certmonger should have automatically renewed the IPA subsystem certificates, the Directory Server and Apache certificates are still expired. When the 'ipa-getcert list' command is used to view the status of the tracked certificates, the following error message is displayed:
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
    stuck: yes
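
To find every tracked request showing this symptom, the listing can be parsed and filtered on the three fields quoted above. This is an added example, not part of the original article: the sample listing is constructed, and the function names parse_requests and trust_failures are hypothetical.

```python
import re

# Constructed sample in the layout printed by `ipa-getcert list`;
# request IDs and paths are illustrative, not captured from a real host.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20130519130741':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
Request ID '20130519130745':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction.  Peer certificate cannot be authenticated with known CA certificates).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
Request ID '20130519130750':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca'
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':\s*$")
TRUST_ERR = "Peer certificate cannot be authenticated with known CA certificates"

def parse_requests(text):
    """Split the listing into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only; values such as ca-error contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def trust_failures(text):
    """Request IDs stuck in CA_UNREACHABLE with the certificate-trust error."""
    return sorted(
        rid for rid, f in parse_requests(text).items()
        if f.get("status") == "CA_UNREACHABLE"
        and f.get("stuck") == "yes"
        and TRUST_ERR in f.get("ca-error", "")
    )

if __name__ == "__main__":
    for rid in trust_failures(SAMPLE):
        print(rid, parse_requests(SAMPLE)[rid]["key pair storage"])
```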

Environment

  • Red Hat Enterprise Linux 6.5 and earlier
  • ipa-server-3.x
  • certmonger-0.61-3 and earlier
