Scott Stevson via FreeIPA-users wrote:
> Hey Rob,
> It's the NSSDB cert. Here's some console output that might be helpful.
> PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358
> Request ID '20150827000358':
> status: MONITORING
> ca-error: Server at
> "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1:
> Server Internal Error
> stuck: no
> key pair storage:
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=COMPANY.LOCAL
> subject: CN=IPA RA,O=COMPANY.LOCAL
> expires: 2017-08-15 20:17:52 UTC
> key usage:
> As for how this happened: We're not entirely sure yet but the working theory
> is the SRE who provisioned the new CA master didn't fully remove all
> references to the old one. I need to track down a few more people and
> details in order to answer this fully.
> As for the CA debug log. I don't see any references to failures per se, and
> I'm wondering if there's something I can do to force an error that'll be
> useful to you. Again, the failure I referenced earlier is our Nagios check
> for certmonger that simply reacts to the output `getcert list` returns.
> Versions of this are all I see in the debug logs.
> [08/Aug/2017:15:39:31][TP-Processor9]: CMSServlet: curDate=Tue Aug 08
> 15:39:31 UTC 2017 id=caProfileSubmitSSLClient time=62
certmonger doesn't use SRV records to look up an IPA master. Update the
xmlrpc_server entry in /etc/ipa/default.conf to point to a working IPA
server and that should fix this for you after a certmonger restart.
There is a bug open on this we just haven't gotten to it yet.
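As an added example (not code from this thread, certmonger or FreeIPA), a small POSIX shell check that pulls the CA host certmonger last failed against out of `getcert list` output and compares it with the host in the xmlrpc_server entry of /etc/ipa/default.conf, which is the setting Rob points at. The getcert output, config contents and hostnames below are constructed samples so it runs offline; on a real host you would feed it `getcert list` and the real default.conf.

```shell
#!/bin/sh
# Constructed sample of the relevant `getcert list` lines (modelled on the thread).
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20150827000358':
        status: MONITORING
        ca-error: Server at "http://old-ca.example.test:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
        stuck: no
        CA: dogtag-ipa-renew-agent
EOF
)

# Constructed sample of /etc/ipa/default.conf on the same host.
SAMPLE_CONF=$(cat <<'EOF'
[global]
host = server-ns-1.example.test
xmlrpc_server = https://new-ca.example.test/ipa/xml
enable_ra = True
EOF
)

# Number of tracked requests currently carrying a ca-error (what a certmonger
# health check like the Nagios one in the thread alerts on).
count_ca_errors() {
    printf '%s\n' "$1" | grep -c 'ca-error:'
}

# Hostname certmonger contacted, taken from the first ca-error line.
ca_error_host() {
    printf '%s\n' "$1" | sed -n 's/.*ca-error: Server at "[a-z]*:\/\/\([^:\/"]*\).*/\1/p' | head -n 1
}

# Hostname configured as xmlrpc_server in default.conf.
xmlrpc_host() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*xmlrpc_server[[:space:]]*=[[:space:]]*[a-z]*:\/\/\([^:\/]*\).*/\1/p' | head -n 1
}

# Exit status: 0 = no ca-error; 1 = renewals fail against the configured
# xmlrpc_server itself (repoint default.conf at a working master);
# 2 = the failing host differs from default.conf (the running certmonger is
# not using the current config; restart it and re-check).
check_renewal_target() {
    failing=$(ca_error_host "$1"); configured=$(xmlrpc_host "$2")
    if [ -z "$failing" ]; then echo "OK: no ca-error recorded"; return 0; fi
    if [ "$failing" = "$configured" ]; then
        echo "FAIL: renewals fail against $failing, the configured xmlrpc_server"; return 1
    fi
    echo "MISMATCH: last failure was against $failing, xmlrpc_server is $configured"; return 2
}

check_renewal_target "$SAMPLE_GETCERT" "$SAMPLE_CONF" || echo "exit status $?"
```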