Hey Rob,

It's the NSSDB cert.  Here's some console output that might be helpful.

PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358
Request ID '20150827000358':
        status: MONITORING
        ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=COMPANY.LOCAL
        subject: CN=IPA RA,O=COMPANY.LOCAL
        expires: 2017-08-15 20:17:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

As for how this happened:  We're not entirely sure yet but the working theory 
is the SRE who provisioned the new CA master didn't fully remove all references 
to the old one.  I need to track down a few more people and details in order to 
answer this fully.

As for the CA debug log, I don't see any references to failures per se, and 
I'm wondering if there's something I can do to force an error that'll be useful 
to you.  Again, the failure I referenced earlier is our Nagios check for 
certmonger that simply reacts to the output `getcert list` returns.  Versions 
of this are all I see in the debug logs.

[08/Aug/2017:15:39:31][TP-Processor9]: CMSServlet: curDate=Tue Aug 08 15:39:31 UTC 2017 id=caProfileSubmitSSLClient time=62
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
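The poster's monitoring check simply reacts to what `getcert list` prints. As an added example (editor's code, not from the thread or from certmonger), the script below parses that output into one record per tracked request and flags the conditions a certmonger monitor should raise: a populated `ca-error`, a `stuck` request, a status other than MONITORING, and a certificate expiring soon or already expired. The sample input is constructed from the output quoted above (wrapped lines rejoined) plus a second, healthy request for contrast; the reference time is taken from the debug-log timestamp in the post.

```python
"""Parse `getcert list` output and report requests that need attention.

Added example, not part of the original thread. Assumes the indented
"key: value" layout that certmonger's `getcert list` prints, one
"Request ID '...':" header per tracked request.
"""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the getcert output quoted in the post.
# The second request is invented as a healthy comparison.
SAMPLE = """\
Request ID '20150827000358':
        status: MONITORING
        ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=COMPANY.LOCAL
        subject: CN=IPA RA,O=COMPANY.LOCAL
        expires: 2017-08-15 20:17:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
Request ID '20170101000001':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=server-ns-1.our.domain.local,O=COMPANY.LOCAL
        expires: 2019-01-01 00:00:00 UTC
"""

# Reference "now", taken from the CA debug-log timestamp quoted in the post.
NOW = datetime(2017, 8, 8, 15, 39, 31, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Return a list of dicts, one per request, keyed by the printed field names."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: values such as URLs contain colons.
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' expiry string as an aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_requests(requests, now, warn_days=30):
    """Return (request_id, message) pairs for every condition a monitor should raise."""
    findings = []
    for req in requests:
        rid = req["id"]
        if req.get("ca-error"):
            findings.append((rid, "ca-error: " + req["ca-error"]))
        if req.get("stuck", "no") != "no":
            findings.append((rid, "request is stuck"))
        status = req.get("status")
        if status is not None and status != "MONITORING":
            findings.append((rid, "status is " + status))
        if req.get("expires"):
            remaining = parse_expiry(req["expires"]) - now
            if remaining.total_seconds() < 0:
                findings.append((rid, "certificate has expired"))
            elif remaining.days < warn_days:
                findings.append((rid, "expires in %d days" % remaining.days))
    return findings


if __name__ == "__main__":
    for rid, msg in check_requests(parse_getcert_list(SAMPLE), NOW):
        print("%s: %s" % (rid, msg))
```

Run against the sample, the first request produces two findings (the ca-error and a seven-day expiry warning) and the second none; against a live host, feed it the output of `getcert list` and treat any finding as a CRITICAL for the Nagios check.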