Just took the whole /etc/pki/pki-tomcat/alias folder from the backup.
Added permissions and selinux labels, and went back to Christmas.
Problem still there, renewal did not work:
ca-error: Invalid cookie: ''
In another (old) thread someone had a similar problem:
invalid cookie: '' and no "CA renewal master".
In LDAP my "first master" was the first master, but someone (me)
forgot, when it was rebuilt (cloned) from one of the other masters, to
promote it to "CA renewal master".
IPA CA renewal master: idm1.XXXkd.fau.de
And even certmonger didn't know about it:
getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" | grep post-save
'restart_pkicad' and not 'renew_ca_cert', as it should be for a CA
So, thanks to Fraser's blog, I was able to find and fix the
configuration problem, restarted pki-tomcatd, httpd and certmonger,
and renewed all the expiring certificates.
Everything is working now again, weekend can come.
Thanks for all the help
On 02.02.2018 02:31, Fraser Tweedale wrote:
On Thu, Feb 01, 2018 at 10:39:00AM +0100, Christof Schulze via FreeIPA-users
pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is
always invalid (expired or not valid now)
Not Before: Feb 9 12:01:11 2016 GMT
Not After : Jan 29 12:01:11 2018 GMT
Not Before: Jan 29 13:22:53 2018 GMT
Not After : Jan 19 13:22:53 2020 GMT
Can I just restore this certificate from an old backup and try to resubmit
it long before it is expiring?
Or do I have to do an ipa-restore from the old backup?
This certificate is also already replicated to the replicas.
Sure. Back up the certificate and key using `pk12util` first. (Or
just make a copy of the whole NSSDB.) Then delete the certificate from
the NSSDB using `certutil -D`. (I think this will leave the key in
place.) Then add the older certificate that will be valid according
to the system time. Then Dogtag should start, and you should be able
to continue recovering the system.
Institute of Materials Simulation (WW8)
Department of Materials Science
90762 Fürth, Germany
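The two things this thread turned on, whether the host is the IPA CA renewal master and whether certmonger's post-save helper for the Dogtag subsystem cert matches that role, plus Fraser's NSS DB cert swap, as one added shell script. This is example code written for this page, not code from the thread, from FreeIPA or from Dogtag. It assumes Dogtag's NSS DB is at /etc/pki/pki-tomcat/alias (Christof's path; override with NSSDB=), that the helpers are the /usr/libexec/ipa/certmonger/renew_ca_cert and restart_pkicad seen in the thread, and that `ipa config-show` and `getcert list` print the "IPA CA renewal master:" and "post-save command:" lines quoted above. The hostnames and command output embedded in it are constructed samples so the parsing can be run offline; only the `check` and `swap` subcommands touch a real system.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or Dogtag): verify that the
# CA renewal master role recorded in LDAP and certmonger's post-save
# helper agree, and apply the cert swap Fraser describes.
set -u

# Assumption: Dogtag's NSS DB, as on Christof's host.
NSSDB=${NSSDB:-/etc/pki/pki-tomcat/alias}

# Constructed sample of `ipa config-show` output (hostnames made up).
SAMPLE_CONFIG='  Maximum username length: 32
  IPA CA renewal master: idm1.example.test
  IPA master hosts: idm1.example.test, idm2.example.test'

# Constructed samples of `getcert list -d "$NSSDB" -n "subsystemCert cert-pki-ca"`:
# the first is what a renewal master should show, the second is the
# clone-style tracking Christof found on his "first master".
SAMPLE_GETCERT_OK='Request ID 20180201101010:
  status: MONITORING
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes'
SAMPLE_GETCERT_BAD='Request ID 20180201101011:
  status: MONITORING
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"
  track: yes'

# Print the renewal master hostname found in `ipa config-show` text ($1).
renewal_master() {
    printf '%s\n' "$1" | sed -n 's/^[[:space:]]*IPA CA renewal master:[[:space:]]*//p' | head -n 1
}

# Print the basename of the post-save helper found in `getcert list` text ($1).
post_save_helper() {
    cmd=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*post-save command:[[:space:]]*//p' | head -n 1)
    cmd=${cmd%% *}            # drop the quoted nickname argument
    printf '%s\n' "${cmd##*/}"
}

# tracking_matches_role HOST MASTER HELPER: the renewal master must run
# renew_ca_cert after a renewal (that is the "like it should for a CA" in the
# thread). The thread says nothing about what other masters should run, so
# nothing is asserted for them here.
tracking_matches_role() {
    host=$1 master=$2 helper=$3
    if [ "$host" = "$master" ]; then
        [ "$helper" = renew_ca_cert ]
    else
        return 0
    fi
}

# Run the real check on this host (needs an admin Kerberos ticket).
live_check() {
    nick="subsystemCert cert-pki-ca"
    master=$(renewal_master "$(ipa config-show)")
    helper=$(post_save_helper "$(getcert list -d "$NSSDB" -n "$nick")")
    if tracking_matches_role "$(hostname -f)" "$master" "$helper"; then
        echo "ok: $nick post-save=$helper, renewal master=$master"
    else
        echo "MISMATCH: $nick post-save=$helper but renewal master is $master" >&2
        return 1
    fi
}

# Fraser's recovery sequence for one cert whose current copy is outside its
# validity window: keep a PKCS#12 of cert+key, delete only the cert from the
# NSS DB (the key stays), re-add the older copy from backup, then confirm
# the re-added cert is valid now according to the system clock.
# pk12util/certutil prompt for the NSS DB password unless -k is supplied.
swap_in_older_cert() {
    nick=$1 older_pem=$2 backup_p12=$3
    pk12util -d "$NSSDB" -n "$nick" -o "$backup_p12" || return 1
    certutil -d "$NSSDB" -D -n "$nick" || return 1
    certutil -d "$NSSDB" -A -n "$nick" -t ',,' -a -i "$older_pem" || return 1
    certutil -d "$NSSDB" -L -n "$nick" -a | openssl x509 -noout -checkend 0
}

case "${1:-}" in
    check) live_check ;;
    swap)  swap_in_older_cert "$2" "$3" "$4" ;;
esac
```

`./script check` reports the mismatch Christof hit (renewal master in LDAP but restart_pkicad as post-save); `./script swap "auditSigningCert cert-pki-ca" old-audit.pem audit-backup.p12` performs the swap and fails if the re-added cert is still not valid at the current system time, which is the condition that kept pki-tomcatd from starting.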