On Fri, Feb 02, 2018 at 01:35:38PM +0100, Christof Schulze via FreeIPA-users wrote:
> Hi,
>
> Problem solved.
>
> Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added
> permissions and selinux labels, and went back to Christmas.
>
> Problem still there, renewal did not work:
>
> ca-error: Invalid cookie: ''
>
> From another (old) thread someone had a similar problem,
> invalid cookie: '' and no "CA renewal master".
>
> In the ldap my "first master" was the first master, but someone (me) forgot
> when it was rebuilt (cloned) from one of the other masters to promote it to
> a "CA renewal master".
>
> ipa config-show
> ...
> IPA CA renewal master: idm1.XXXkd.fau.de
>
> but
>
> ca.crl.MasterCRL.enableCRLUpdates=false
> ca.crl.MasterCRL.enableCRLCache=false
>
> And even the certmonger didn't know about it.
>
> getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" |
> grep post-save
>
> 'restart_pkicad' and not 'renew_ca_cert' like it should for a CA renewal
> master.
>
> So thanks to Fraser's blog, I had been able to find and fix the
> configuration problem, restarted the pki-tomcatd, httpd and certmonger and
> renewed all the expiring certificates.
>
> Everything is working now again, weekend can come.
>
Glad we were able to help. I hope you had a nice, stress-free weekend :)

Cheers,
Fraser

> Thanks for all the help
>
>
> On 02.02.2018 02:31, Fraser Tweedale wrote:
> > On Thu, Feb 01, 2018 at 10:39:00AM +0100, Christof Schulze via
> > FreeIPA-users wrote:
> > >
> > > pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is
> > > always invalid (expired or not valid now)
> > >
> > > Old one
> > > Not Before: Feb 9 12:01:11 2016 GMT
> > > Not After : Jan 29 12:01:11 2018 GMT
> > >
> > > New one
> > > Not Before: Jan 29 13:22:53 2018 GMT
> > > Not After : Jan 19 13:22:53 2020 GMT
> > >
> > > Can I just restore this certificate from an old backup and try to resubmit
> > > it long before it is expiring?
> > >
> > > Or do I have to do an ipa-restore from the old backup.
> > >
> > > This certificate is also already replicated to the replicas.
> > >
> > Sure. Backup the certificate and key using `pk12util` first. (Or
> > just make a copy of the whole NSSDB.) Then delete the certificate from
> > the NSSDB using `certutil -D`. (I think this will leave the key in
> > place.) Then add the older certificate that will be valid according
> > to the system time. Then Dogtag should start, and you should be able
> > to continue recovering the system.
> >
> > HTH,
> > Fraser
> >
> --
> Christof Schulze
>
> Institute of Materials Simulation (WW8)
> Department of Materials Science
> Friedrich-Alexander-University Erlangen-Nürnberg
> Dr.-Mack-Str. 77,
> 90762 Fürth, Germany
>
> Tel: 0911/65078-65069
> Email: christof.schu...@ww.uni-erlangen.de
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
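As an added check, not part of this thread or of FreeIPA's own tooling: a small shell script that compares the CA renewal master named by `ipa config-show` with the certmonger post-save helper tracking the CA subsystem cert on the local host, the mismatch Christof describes above. The output line formats, the helper paths under /usr/libexec/ipa/certmonger/ and the host names are assumptions; constructed sample output stands in for the live commands.

```shell
#!/bin/sh
# Added check, not from the thread: on a FreeIPA CA host, compare what
# `ipa config-show` names as the CA renewal master with the post-save helper
# certmonger tracks the CA subsystem cert with. On the renewal master that
# helper should be renew_ca_cert (the thread's symptom was restart_pkicad on
# a host that LDAP said was the renewal master).
# Output line formats and /usr/libexec/ipa/certmonger/ paths are assumptions;
# host names are constructed placeholders.

# is_renewal_master <this-host> <config-show output>  -> prints yes|no
is_renewal_master() {
    master=$(printf '%s\n' "$2" | sed -n 's/^ *IPA CA renewal master: *//p')
    if [ -n "$master" ] && [ "$master" = "$1" ]; then echo yes; else echo no; fi
}

# postsave_helper <getcert list output>  -> basename of the post-save command
postsave_helper() {
    printf '%s\n' "$1" | sed -n 's/^ *post-save command: *//p' \
        | awk '{print $1}' | sed 's#.*/##'
}

# check_host <this-host> <config-show output> <getcert list output>
# Returns 1 when this host is the renewal master but is not tracked with
# renew_ca_cert; otherwise 0. Prints a one-line finding either way.
check_host() {
    rm=$(is_renewal_master "$1" "$2")
    helper=$(postsave_helper "$3")
    if [ "$rm" = yes ] && [ "$helper" != renew_ca_cert ]; then
        echo "MISMATCH: $1 is the CA renewal master but post-save helper is '${helper:-none}' (expected renew_ca_cert)"
        return 1
    fi
    echo "OK: $1 renewal_master=$rm post-save helper=${helper:-none}"
    return 0
}

# Constructed sample outputs modelled on the thread.
CONFIG_SHOW='  Maximum username length: 32
  IPA CA renewal master: idm1.example.test'
GETCERT_BAD='Request ID "20160209120111":
        status: MONITORING
        post-save command: /usr/libexec/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"'
GETCERT_GOOD='Request ID "20160209120111":
        status: MONITORING
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"'

# Live use on a CA host would be:
#   check_host "$(hostname -f)" "$(ipa config-show)" \
#       "$(getcert list -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca')"
check_host idm1.example.test "$CONFIG_SHOW" "$GETCERT_BAD" || true   # prints MISMATCH
check_host idm1.example.test "$CONFIG_SHOW" "$GETCERT_GOOD"          # prints OK
```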