Hey Rob, It's the NSSDB cert. Here's some console output that might be helpful.

PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358
Request ID '20150827000358':
        status: MONITORING
        ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=COMPANY.LOCAL
        subject: CN=IPA RA,O=COMPANY.LOCAL
        expires: 2017-08-15 20:17:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

As for how this happened: We're not entirely sure yet, but the working theory is the SRE who provisioned the new CA master didn't fully remove all references to the old one. I need to track down a few more people and details in order to answer this fully.

As for the CA debug log: I don't see any references to failures per se, and I'm wondering if there's something I can do to force an error that'll be useful to you. Again, the failure I referenced earlier is our Nagios check for certmonger that simply reacts to the output `getcert list` returns.

Versions of this are all I see in the debug logs.

[08/Aug/2017:15:39:31][TP-Processor9]: CMSServlet: curDate=Tue Aug 08 15:39:31 UTC 2017 id=caProfileSubmitSSLClient time=62

_______________________________________________
FreeIPA-users mailing list -- email@example.com
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org