Hi,

Problem solved.

Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added permissions and SELinux labels, and went back to Christmas.

Problem still there, renewal did not work:

  ca-error: Invalid cookie: ''

From another (old) thread someone had a similar problem,
   invalid cookie: '' and no "CA renewal master".

In the LDAP my "first master" was the first master, but someone (me) forgot, when it was rebuilt (cloned) from one of the other masters, to promote it to a "CA renewal master".
        
  ipa config-show
      ...
  IPA CA renewal master: idm1.XXXkd.fau.de

  but

  ca.crl.MasterCRL.enableCRLUpdates=false
  ca.crl.MasterCRL.enableCRLCache=false

And even certmonger didn't know about it.

getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save

'restart_pkicad' and not 'renew_ca_cert' like it should for a CA renewal master.

So thanks to Fraser's blog, I was able to find and fix the configuration problem, restarted pki-tomcatd, httpd and certmonger, and renewed all the expiring certificates.

Everything is working now again, weekend can come.


Thanks for all the help


On 02.02.2018 02:31, Fraser Tweedale wrote:
On Thu, Feb 01, 2018 at 10:39:00AM +0100, Christof Schulze via FreeIPA-users 
wrote:

pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is
always invalid (expired or not valid now)

        Old one
             Not Before: Feb  9 12:01:11 2016 GMT
             Not After : Jan 29 12:01:11 2018 GMT

        New one
             Not Before: Jan 29 13:22:53 2018 GMT
             Not After : Jan 19 13:22:53 2020 GMT

Can I just restore this certificate from an old backup and try to resubmit
it long before it is expiring?

Or do I have to do an ipa-restore from the old backup?

This certificate is also already replicated to the replicas.

Sure.  Back up the certificate and key using `pk12util` first.  (Or
just make a copy of the whole NSSDB.)  Then delete the certificate from
the NSSDB using `certutil -D`.  (I think this will leave the key in
place.)  Then add the older certificate that will be valid according
to the system time.  Then Dogtag should start, and you should be able
to continue recovering the system.

HTH,
Fraser

--
Christof Schulze

Institute of Materials Simulation (WW8)
Department of Materials Science
Friedrich-Alexander-University Erlangen-Nürnberg
Dr.-Mack-Str. 77,
90762 Fürth, Germany

Tel: 0911/65078-65069
Email: christof.schu...@ww.uni-erlangen.de
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
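The mismatch found above (host named as CA renewal master in `ipa config-show`, but CS.cfg has CRL generation disabled and certmonger's post-save command is `restart_pkicad` instead of `renew_ca_cert`) can be caught with a consistency check. The script below is an added example, not part of the thread; it takes the command outputs as text so it runs offline, and the hostname `idm1.example.test` and sample outputs are constructed.

```shell
#!/bin/sh
# Check that a FreeIPA host's CA renewal-master settings agree with each other.
#   $1 this host's FQDN
#   $2 output of `ipa config-show`
#   $3 relevant lines from /etc/pki/pki-tomcat/ca/CS.cfg
#   $4 output of `getcert list -d <nssdb> -n "subsystemCert cert-pki-ca"`
# Prints one line per mismatch; returns 0 when consistent, 1 otherwise.
check_renewal_master() {
  host=$1; config_show=$2; cs_cfg=$3; getcert_out=$4
  renewal_master=$(printf '%s\n' "$config_show" \
    | sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p')
  crl_updates=$(printf '%s\n' "$cs_cfg" \
    | sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p')
  crl_cache=$(printf '%s\n' "$cs_cfg" \
    | sed -n 's/^ca\.crl\.MasterCRL\.enableCRLCache=//p')
  post_save=$(printf '%s\n' "$getcert_out" \
    | sed -n 's/^[[:space:]]*post-save command:[[:space:]]*//p')
  rc=0
  if [ "$renewal_master" = "$host" ]; then
    # Renewal master: CRL generation on, post-save must renew the CA certs.
    [ "$crl_updates" = true ] || { echo "renewal master but enableCRLUpdates=$crl_updates"; rc=1; }
    [ "$crl_cache" = true ]   || { echo "renewal master but enableCRLCache=$crl_cache"; rc=1; }
    case $post_save in
      *renew_ca_cert*) ;;
      *) echo "renewal master but post-save is: $post_save"; rc=1 ;;
    esac
  else
    # Clone: it must not generate the CRL itself.
    [ "$crl_updates" = false ] || { echo "clone but enableCRLUpdates=$crl_updates"; rc=1; }
  fi
  return $rc
}

# Constructed sample input reproducing the situation from the thread
# (hostname and paths are placeholders, not values from a real deployment).
SAMPLE_CONFIG_SHOW='  IPA CA renewal master: idm1.example.test'
SAMPLE_CS_CFG='ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false'
SAMPLE_GETCERT='	post-save command: /usr/libexec/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"'

# Usage: reports three mismatches for the sample and exits 1.
check_renewal_master idm1.example.test "$SAMPLE_CONFIG_SHOW" "$SAMPLE_CS_CFG" "$SAMPLE_GETCERT"
```

On a live host, feed it `$(hostname -f)`, `$(ipa config-show)`, `$(grep '^ca.crl.MasterCRL' /etc/pki/pki-tomcat/ca/CS.cfg)` and the `getcert list` output instead of the samples.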
