So, I did a lot of reading after noticing that one of my IPA servers was not starting correctly. I was working from the guide here:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
(Honestly, THANK YOU to the people contributing to that guide because it really has been helpful.)

I didn't get very far down the guide before testing my NSSDB password and noticing that it does NOT appear to work. I have no idea how that may have happened or when, but this obviously puts me in a weird spot with this particular server.

[root@XXXX-prod-ipaXX ca]# cat /var/lib/pki/pki-tomcat/conf/password.conf | grep internal
internal=<numericstuffs>

I tried using the password there to open the /etc/pki/pki-tomcat/alias NSS DB with no success. Though, I think my problem is something else. I get the following error:

----
[root@XXXXX-prod-ipaXX alias]# certutil -K -d /etc/pki/pki-tomcat/alias -n -r /tmp/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
Enter Password or Pin for "NSS Certificate DB":
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
----

I'm just getting into this, but I feel like MAYBE this is part of my problem. If anyone has any ideas here, I'd be grateful for the help!

ADDED NOTE: I actually notice that I have this same issue on BOTH IPA servers, which makes me ever more nervous about the situation.

----
[root@XXXXX-prod-ipaXx ~]# sudo certutil -K -d /etc/pki/pki-tomcat/alias -f /tmp/pwdfile.txt -n 'subsystemCert cert-pki-ca'
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
----

Any thoughts? Many thanks in advance!
-- Chris