It's the NSSDB cert. Here's some console output that might be helpful.
PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358
Request ID '20150827000358':
ca-error: Server at
"http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1:
Server Internal Error
key pair storage:
issuer: CN=Certificate Authority,O=COMPANY.LOCAL
subject: CN=IPA RA,O=COMPANY.LOCAL
expires: 2017-08-15 20:17:52 UTC
As for how this happened: We're not entirely sure yet but the working theory
is the SRE who provisioned the new CA master didn't fully remove all references
to the old one. I need to track down a few more people and details in order to
answer this fully.
As for the CA debug log. I don't see any references to failures per se, and
I'm wondering if there's something I can do to force an error that'll be useful
to you. Again, the failure I referenced earlier is a our Nagios check for
certmonger that simply reacts to the output `getcert list` returns. Versions
of this are all I see in the debug logs.
[08/Aug/2017:15:39:31][TP-Processor9]: CMSServlet: curDate=Tue Aug 08 15:39:31
UTC 2017 id=caProfileSubmitSSLClient time=62
FreeIPA-users mailing list -- firstname.lastname@example.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org