Sean McLennan via FreeIPA-users wrote:
I'd have expected the traceback to change at least. Can you provide the latest?
I've already reverted it and I didn't specifically copy them. Because the older versions were not available in my repos, I had to install them with pip and to be sure that ipa was using the right one, I moved the distro's version and linked the old one.
I probably still have the tracebacks somewhere in my log files, but I'm not sure how I would distinguish which is which...
At this point, I'm not seeing a workaround to fix this. What are my options here? Rebuilding from scratch on a better distro? Is there a way to migrate content?
The traceback you provided earlier is very confusing. The line numbers don't line up with the upstream release-4-6-9 tag so I can't quite tell where it's failing.
It looks like it's failing to get the SAN from the CSR to ensure you are only requesting valid values. Which means the cert wouldn't have been renewed yet, but you mentioned that there are a whole ton of already issued certs.
And some of the other failures are completely unrelated to this since they renew directly against the CA.
A kludge that might work is to set up a CentOS 7 build as a new replica with a CA while time is forced in the past. If the new server comes up ok, follow the downstream RHEL docs to make it the renewal master and see if you can get the certs to renew.
rob