Yeah. I definitely lost on this one at this point. As far as I can tell, SOMEHOW I'm missing these certs in the directory? Does that sound right?
How would one go about making sure is corrected? I'm guess I'd need to regenerate some type of certificate on the IPA host, but I'm afraid of breaking things worse. I have one more day before this one expires, so I'm trying to troubleshoot and fix it before then. This all started when I noticed that another IPA server/replica failed to restart. I think these two issues are related, but right now, my users are functional with just the 'ipa01' system (which has this ca-error' issue and the cert not found. I'm afraid to restart anything on that system because of that. I'm still reading and trying to understand and put the pieces together, however I'm worried about this issue. Anyway, if anyone has any thoughts or tips here, I'd really appreciate it as I feel lost at this exact moment. On Tue, Dec 4, 2018 at 2:33 PM Christopher Young <mexigaba...@gmail.com> wrote: > > IPA 4.5.4 (has been upgraded for years just to understand that there > is a history) > This system (ipa01) is the renewal master (in case that matters) > > I'm getting the following error on 'getcert'. My gut tells me this is > kinda a big deal. :) I really could use some help figuring this one > out as I'm not the most CA-versed. I have been learning quite a bit > reading some of the blogs, but there's definitely alot of ignorance of > the details on my part. > > The error: > ----------- > [root@orldc-prod-ipa01 log]# getcert list | grep -A12 -B1 error > status: MONITORING > ca-error: Server at > "http://orldc-prod-ipa01.passur.local:8080/ca/ee/ca/profileSubmit"; > replied: Record not found > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=PASSUR.LOCAL > subject: CN=orldc-prod-ipa01.passur.local,O=PASSUR.LOCAL > expires: 2018-12-06 21:43:50 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > "Server-Cert cert-pki-ca" > track: yes > ----------- > > > If I look at the cert referenced locally in the NSS DB: > ------ > [root@orldc-prod-ipa01 log]# certutil -L -d /etc/pki/pki-tomcat/alias > -f /etc/httpd/alias/pwdfile.txt > > Certificate Nickname Trust Attributes > > SSL,S/MIME,JAR/XPI > > Server-Cert cert-pki-ca u,u,u > auditSigningCert cert-pki-ca u,u,Pu > caSigningCert cert-pki-ca CTu,Cu,Cu > subsystemCert cert-pki-ca u,u,u > ocspSigningCert cert-pki-ca u,u,u > ------ > [root@orldc-prod-ipa01 log]# certutil -L -d /etc/pki/pki-tomcat/alias > -f /etc/httpd/alias/pwdfile.txt -n 'Server-Cert cert-pki-ca' | grep > "Subject:\|Serial" > Serial Number: 268304422 (0xffe0026) > Subject: "CN=orldc-prod-ipa01.passur.local,O=PASSUR.LOCAL" > ----- > [root@orldc-prod-ipa01 log]# ipa cert-find --min-serial-number > 268304422 --max-serial-number 268304423 > ---------------------- > 0 certificates matched > ---------------------- > ----- > > I'm trying to figure out how to find this certificate. And IF somehow > it is wrong or missing, how do I fix such a scenario? > > Any help here is always appreciated! Unfortunately, I'm running out > of time based on the expiration date I see on 'getcert'. I'm not sure > of the ramifications, but this seems pretty critical on the surface. > > Thanks again for any help and direction! > > -- Chris _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
