I am trying to renew the last certificate for the IPA masters (previous email)
and am coming across this issue on my original IPA master (first server):


getcert list -d /etc/httpd/alias -n "Server-Cert"
Number of certificates and requests being tracked: 8.
Request ID '20170428162941':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa01.ipa.example.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. nss certificate db: user not found).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IPA. EXAMPLE.COM
	subject: CN=ipa01.ipa.example.com,O=IPA.EXAMPLE.COM
	expires: 2018-07-30 13:08:58 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

This server was 4.2.0 originally, then upgraded to 4.4.0. I tried
https://www.redhat.com/archives/freeipa-users/2016-February/msg00441.html but
that doesn't seem to make a difference.

If possible, can I stop tracking and regenerate this certificate? 


All other masters (7 out of 8) did not have an issue renewing their 
certificates. 

Thanks!! 

-Jake 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
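
A monitoring check for the condition shown in this message, as an added example that is not part of the original post or FreeIPA's own code: it parses `getcert list` output and reports tracked requests that are not in the MONITORING state or are close to expiry. The sample text is constructed from the output above (the second request ID is made up), and the function names and the 28-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the output above; the second request is made up.
SAMPLE = """\
Request ID '20170428162941':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa01.ipa.example.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. nss certificate db: user not found).
\tstuck: no
\texpires: 2018-07-30 13:08:58 UTC
Request ID '20180101000000':
\tstatus: MONITORING
\tstuck: no
\texpires: 2019-07-30 13:08:58 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values (URLs, timestamps) contain colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def needs_attention(requests, now, warn_days=28):
    """Return (request id, reasons) for every request that is not healthy."""
    findings = []
    for req in requests:
        reasons = []
        if req.get("status") != "MONITORING" or req.get("stuck") == "yes":
            reasons.append(f"status={req.get('status')} stuck={req.get('stuck')}")
        if "ca-error" in req:
            reasons.append(f"ca-error={req['ca-error']}")
        if "expires" in req:  # absent while no certificate has been issued yet
            expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            days = (expires.replace(tzinfo=timezone.utc) - now).days
            if days < warn_days:
                reasons.append(f"days to expiry: {days}")
        if reasons:
            findings.append((req["id"], "; ".join(reasons)))
    return findings

if __name__ == "__main__":
    for rid, why in needs_attention(parse_getcert(SAMPLE), datetime.now(timezone.utc)):
        print(rid, why)
```

On a real master the input would be the captured output of `getcert list` rather than `SAMPLE`.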