Thanks, Rob.

Unfortunately my test in staging resulted in an expired dogtag cert.  The 
staging environment didn't have any certificates that were due to expire soon 
so I updated the xmlrpc_server variable on one of the four IPA hosts we have to 
another one in the same AWS region and restarted certmonger.  I then 
resubmitted the cert request for one of the IDs I have and suddenly a cert 
that was due to expire later this year is now expired as of 2016.

STAGING
Request ID '20170124164909':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-retrieve-agent-submit
        issuer: CN=Certificate Authority,O=COMPANY.LOCAL
        subject: CN=IPA RA,O=COMPANY.LOCAL
        expires: 2016-12-07 03:35:22 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

And for completeness, I'm pasting the output of getcert list on prod so you can 
see the cert that's due to expire in its entirety.

PROD
Request ID '20150827000358':
        status: MONITORING
        ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=COMPANY.LOCAL
        subject: CN=IPA RA,O=COMPANY.LOCAL
        expires: 2017-08-15 20:17:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes

Apologies if this is painful.  We appreciate the back and forth here.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
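The two getcert list dumps above are exactly what an operator wants to scan automatically for an expired ipaCert or a ca-error before a renewal window is missed. The following parser is an added example, not code from the thread or from certmonger/FreeIPA; the SAMPLE text is constructed after the staging and prod records above, with a placeholder hostname, and the helper names are my own.

```python
# Added example: parse `getcert list` output and flag requests needing attention.
from datetime import datetime, timezone
import re
# Constructed sample modelled on the staging/prod records; hostname is a placeholder.
SAMPLE = """\
Request ID '20170124164909':
        status: MONITORING
        stuck: no
        expires: 2016-12-07 03:35:22 UTC
Request ID '20150827000358':
        status: MONITORING
        ca-error: Server at
"http://ca.example.test:9180/ca/ee/ca/profileSubmit" replied: 1:
Server Internal Error
        stuck: no
        expires: 2017-08-15 20:17:52 UTC
"""

REQ_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([\w -]+?):\s?(.*)$")

def parse_getcert(text):
    """Return {request_id: {field: value}}; unindented lines continue the previous field."""
    records, cur, field = {}, None, None
    for line in text.splitlines():
        m = REQ_RE.match(line)
        if m:  # a new request record starts
            cur, field = records.setdefault(m.group(1), {}), None
            continue
        m = FIELD_RE.match(line)
        if m and cur is not None:  # indented "name: value" line
            field = m.group(1)
            cur[field] = m.group(2).strip()
        elif cur is not None and field and line.strip():  # wrapped continuation
            cur[field] = (cur[field] + " " + line.strip()).strip()
    return records

def needs_attention(records, now, warn_days=30):
    """List (request_id, reason) for expired or soon-expiring certs and CA errors."""
    problems = []
    for rid, rec in records.items():
        if rec.get("expires"):  # getcert prints the expiry in UTC
            when = datetime.strptime(rec["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append((rid, "expired"))
            elif (when - now).days < warn_days:
                problems.append((rid, f"expires within {warn_days} days"))
        if rec.get("ca-error"):
            problems.append((rid, "ca-error: " + rec["ca-error"]))
    return problems
```

Feed it the real output of `getcert list` and the staging record is reported as expired while the prod record is reported for its ca-error well before the August expiry.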