Rob,

Here are the web certs:

[root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
Godaddy                                                      C,,
CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
Signing-Cert                                                 u,u,u
Godaddy Intermediate                                         C,,
ipaCert                                                      u,u,u

Here is the full output of getcert, and I can see some certs showing MONITORING:

[root@ldap-ca-master ~]# getcert list
Number of certificates and requests being tracked: 13.
Request ID '20190915043246':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915043304':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2031-05-03 07:00:00 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045112':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045148':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2037-12-31 23:59:59 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045156':
        status: NEED_CA
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Object Signing Cert,O=EXAMPLE.COM
        expires: 2021-01-05 14:49:59 UTC
        key usage: digitalSignature,keyCertSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190915045206':
        status: NEED_KEY_PAIR
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
        issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
        expires: 2031-05-03 07:00:00 UTC
        key usage: keyCertSign,cRLSign
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20190926141756':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Audit,O=EXAMPLE.COM
        expires: 2020-11-17 18:32:07 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141757':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:26 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141758':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=CA Subsystem,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:16 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141759':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=Certificate Authority,O=EXAMPLE.COM
        expires: 2037-01-05 14:47:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141800':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=IPA RA,O=EXAMPLE.COM
        expires: 2020-11-17 18:31:36 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20190926141801':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
        expires: 2020-11-17 18:30:29 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190926141802':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
        track: yes
        auto-renew: yes

On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Satish Patel wrote:
> > Addition to last email:
> >
> > I can't see Server-Cert here, but interestingly I can see
> > Server-Cert on my CA replica node on ldap-2 (why is my primary
> > ldap-ca-master not showing that cert?)
> >
> > [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
> >
> > Certificate Nickname                                         Trust Attributes
> >                                                              SSL,S/MIME,JAR/XPI
> >
> > EXAMPLE.COM IPA CA                                           CT,C,C
> > Godaddy                                                      C,,
> > CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
> > Godaddy Intermediate                                         C,,
>
> At some point someone replaced the IPA-signed LDAP certificate with one
> signed by GoDaddy (which is fine).
>
> It appears that the version of IPA you're using (at least) doesn't
> handle this case.
>
> Now, fortunately it's one of the last things done so this may be just fine.
>
> Can you see if your web server cert was also replaced? The database is
> /etc/httpd/alias.
>
> Also, check your current tracking. The CA subsystem certs should be
> properly tracked now. It is just the LDAP and web certs that should not
> be (and if it is still using GoDaddy that is fine).
>
> rob
>
> >
> > On Thu, Sep 26, 2019 at 10:22 AM Satish Patel <satish....@gmail.com> wrote:
> >>
> >> Rob,
> >>
> >> Now I got an error, and here is the output. The output was very long, so I cropped
> >> it down, and here is the error piece.
> >>
> >> ipa: INFO: [Upgrading CA schema]
> >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
> >> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
> >> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
> >> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
> >> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
> >> ipa: INFO: CA schema update complete (no changes)
> >> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
> >> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
> >> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
> >> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
> >> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
> >> Configuring certmonger to stop tracking system certificates for CA
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl start messagebus.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=active
> >>
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=active
> >>
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=active
> >>
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl start messagebus.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=active
> >>
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> >> ipa: DEBUG: Process finished, return code=0
> >> ipa: DEBUG: stdout=active
> >>
> >> ipa: DEBUG: stderr=
> >> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >> ipa: DEBUG: Starting external process
> >> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
> >> ipa: DEBUG: Process finished, return code=255
> >> ipa: DEBUG: stdout=
> >> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
> >> : PR_FILE_NOT_FOUND_ERROR: File not found
> >>
> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> >>     return_value = self.run()
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
> >>     server.upgrade()
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
> >>     upgrade_configuration()
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
> >>     certificate_renewal_update(ca, ds, http),
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
> >>     ds.start_tracking_certificates(serverid)
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
> >>     'restart_dirsrv %s' % serverid)
> >>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
> >>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
> >>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
> >>     return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
> >>
> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> >> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> >>
> >> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> >>>
> >>> Satish Patel wrote:
> >>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
> >>>
> >>> Ok, that explains what is happening.
> >>>
> >>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag]
> >>> section. Remove the entry for certificate_renewal_update_5.
> >>>
> >>> This being present is preventing the tracking from being repaired.
> >>>
> >>> Then run ipa-server-upgrade again and your tracking should be fixed.
> >>>
> >>> Use the -v flag for additional debugging, not --debug, I was mistaken.
> >>>
> >>> rob
> >>>
> >>>>
> >>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >>>>>
> >>>>> Satish Patel via FreeIPA-users wrote:
> >>>>>> I did run "ipa-server-upgrade" and it looks like it was successful, but
> >>>>>> getcert list is still showing CA_NEED :(
> >>>>>
> >>>>> Remind me what the package version of IPA is. I'm confused by the
> >>>>> version 5 in the output about renewal configuration.
> >>>>>
> >>>>> You might also want to try running with --debug as depending on release
> >>>>> it will give more information about this.
> >>>>>
> >>>>> rob
> >>>>>
> >>>>>>
> >>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
> >>>>>> Upgrading IPA:
> >>>>>>   [1/10]: stopping directory server
> >>>>>>   [2/10]: saving configuration
> >>>>>>   [3/10]: disabling listeners
> >>>>>>   [4/10]: enabling DS global lock
> >>>>>>   [5/10]: starting directory server
> >>>>>>   [6/10]: updating schema
> >>>>>>   [7/10]: upgrading server
> >>>>>>   [8/10]: stopping directory server
> >>>>>>   [9/10]: restoring configuration
> >>>>>>   [10/10]: starting directory server
> >>>>>> Done.
> >>>>>> Update complete
> >>>>>> Upgrading IPA services
> >>>>>> Upgrading the configuration of the IPA services
> >>>>>> [Verifying that root certificate is published]
> >>>>>> [Migrate CRL publish directory]
> >>>>>> CRL tree already moved
> >>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
> >>>>>> [Verifying that CA proxy configuration is correct]
> >>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
> >>>>>> [Fix DS schema file syntax]
> >>>>>> Syntax already fixed
> >>>>>> [Removing RA cert from DS NSS database]
> >>>>>> RA cert already removed
> >>>>>> [Enable sidgen and extdom plugins by default]
> >>>>>> [Updating HTTPD service IPA configuration]
> >>>>>> [Updating mod_nss protocol versions]
> >>>>>> Protocol versions already updated
> >>>>>> [Updating mod_nss cipher suite]
> >>>>>> [Fixing trust flags in /etc/httpd/alias]
> >>>>>> Trust flags already processed
> >>>>>> [Exporting KRA agent PEM file]
> >>>>>> KRA is not enabled
> >>>>>> [Removing self-signed CA]
> >>>>>> [Removing Dogtag 9 CA]
> >>>>>> [Checking for deprecated KDC configuration files]
> >>>>>> [Checking for deprecated backups of Samba configuration files]
> >>>>>> [Setting up Firefox extension]
> >>>>>> [Add missing CA DNS records]
> >>>>>> IPA CA DNS records already processed
> >>>>>> [Removing deprecated DNS configuration options]
> >>>>>> DNS is not configured
> >>>>>> [Ensuring minimal number of connections]
> >>>>>> DNS is not configured
> >>>>>> [Enabling serial autoincrement in DNS]
> >>>>>> DNS is not configured
> >>>>>> [Updating GSSAPI configuration in DNS]
> >>>>>> DNS is not configured
> >>>>>> [Updating pid-file configuration in DNS]
> >>>>>> DNS is not configured
> >>>>>> DNS is not configured
> >>>>>> DNS is not configured
> >>>>>> DNS is not configured
> >>>>>> DNS is not configured
> >>>>>> DNS is not configured
> >>>>>> DNS is not configured
> >>>>>> DNS is not configured
> >>>>>> [Upgrading CA schema]
> >>>>>> CA schema update complete (no changes)
> >>>>>> [Verifying that CA audit signing cert has 2 year validity]
> >>>>>> [Update certmonger certificate renewal configuration to version 5]
> >>>>>> [Enable PKIX certificate path discovery and validation]
> >>>>>> PKIX already enabled
> >>>>>> [Authorizing RA Agent to modify profiles]
> >>>>>> [Authorizing RA Agent to manage lightweight CAs]
> >>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
> >>>>>> [Adding default OCSP URI configuration]
> >>>>>> [Ensuring CA is using LDAPProfileSubsystem]
> >>>>>> [Migrating certificate profiles to LDAP]
> >>>>>> [Ensuring presence of included profiles]
> >>>>>> [Add default CA ACL]
> >>>>>> Default CA ACL already added
> >>>>>> [Set up lightweight CA key retrieval]
> >>>>>> Creating principal
> >>>>>> Retrieving keytab
> >>>>>> Creating Custodia keys
> >>>>>> Configuring key retriever
> >>>>>> The IPA services were upgraded
> >>>>>> The ipa-server-upgrade command was successful
> >>>>>>
> >>>>>>
> >>>>>> [root@ldap-ca-master ~]# getcert list | grep status
> >>>>>>         status: NEED_CA
> >>>>>>         status: NEED_CA
> >>>>>>         status: NEED_CA
> >>>>>>         status: NEED_CA
> >>>>>>         status: NEED_CA
> >>>>>>         status: NEED_KEY_PAIR
> >>>>>>         status: NEED_KEY_PAIR
> >>>>>>         status: NEED_KEY_PAIR
> >>>>>>         status: NEED_KEY_PAIR
> >>>>>>         status: NEED_CA
> >>>>>>         status: NEED_KEY_PAIR
> >>>>>>         status: NEED_CA
> >>>>>>
> >>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
> >>>>>>>
> >>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
> >>>>>>>> Thanks Florence,
> >>>>>>>>
> >>>>>>>> Is it safe to run "ipa-server-upgrade"?
> >>>>>>>>
> >>>>>>> Hi,
> >>>>>>> generally yes :)
> >>>>>>>
> >>>>>>> We had a few tickets related to upgrade but they are mainly revealing
> >>>>>>> already present issues (for instance because this CLI stops and starts
> >>>>>>> the services, expired certs would prevent successful completion).
> >>>>>>>
> >>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I
> >>>>>>>> believe a few months back when I tried to do "ipa-server-upgrade" it
> >>>>>>>> broke some stuff, but anyway I will take a snapshot of the VM and try, in the
> >>>>>>>> worst case scenario.
> >>>>>>> With the VM snapshot you are on the safe side.
> >>>>>>>
> >>>>>>> flo
> >>>>>>>
> >>>>>>>>
> >>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud <f...@redhat.com> wrote:
> >>>>>>>>>
> >>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
> >>>>>>>>>> Any thoughts?
> >>>>>>>>> Hi,
> >>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the
> >>>>>>>>> tracking of certs. You should see in the output:
> >>>>>>>>> [Update certmonger certificate renewal configuration]
> >>>>>>>>>
> >>>>>>>>> HTH,
> >>>>>>>>> flo
> >>>>>>>>>
> >>>>>>>>>>
> >>>>>>>>>> Sent from my iPhone
> >>>>>>>>>>
> >>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel <satish....@gmail.com> wrote:
> >>>>>>>>>>>
> >>>>>>>>>>> Rob, sorry, I trimmed my output thinking it was not necessary, but anyway here is
> >>>>>>>>>>> the full list (ignore the CAPS letters in the output)
> >>>>>>>>>>>
> >>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
> >>>>>>>>>>> Number of certificates and requests being tracked: 12.
> >>>>>>>>>>> Request ID '20190915042927':
> >>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         expires: 2037-01-05 14:47:24 UTC
> >>>>>>>>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915043150':
> >>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>>>>>>         expires: 2020-11-17 18:30:29 UTC
> >>>>>>>>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915043212':
> >>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> >>>>>>>>>>>         expires: 2020-11-17 18:31:26 UTC
> >>>>>>>>>>>         eku: id-kp-OCSPSigning
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915043224':
> >>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         subject: CN=CA Audit,O=EXAMPLE.COM
> >>>>>>>>>>>         expires: 2020-11-17 18:32:07 UTC
> >>>>>>>>>>>         key usage: digitalSignature,nonRepudiation
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915043237':
> >>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         subject: CN=CA Subsystem,O=EXAMPLE.COM
> >>>>>>>>>>>         expires: 2020-11-17 18:31:16 UTC
> >>>>>>>>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915043246':
> >>>>>>>>>>>         status: NEED_KEY_PAIR
> >>>>>>>>>>>         stuck: no
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         expires: 2037-12-31 23:59:59 UTC
> >>>>>>>>>>>         key usage: keyCertSign,cRLSign
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915043304':
> >>>>>>>>>>>         status: NEED_KEY_PAIR
> >>>>>>>>>>>         stuck: no
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         expires: 2031-05-03 07:00:00 UTC
> >>>>>>>>>>>         key usage: keyCertSign,cRLSign
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915045112':
> >>>>>>>>>>>         status: NEED_KEY_PAIR
> >>>>>>>>>>>         stuck: no
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         expires: 2037-01-05 14:47:24 UTC
> >>>>>>>>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915045148':
> >>>>>>>>>>>         status: NEED_KEY_PAIR
> >>>>>>>>>>>         stuck: no
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         expires: 2037-12-31 23:59:59 UTC
> >>>>>>>>>>>         key usage: keyCertSign,cRLSign
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915045156':
> >>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>         subject: CN=Object Signing Cert,O=EXAMPLE.COM
> >>>>>>>>>>>         expires: 2021-01-05 14:49:59 UTC
> >>>>>>>>>>>         key usage: digitalSignature,keyCertSign
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915045206':
> >>>>>>>>>>>         status: NEED_KEY_PAIR
> >>>>>>>>>>>         stuck: no
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
> >>>>>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>         expires: 2031-05-03 07:00:00 UTC
> >>>>>>>>>>>         key usage: keyCertSign,cRLSign
> >>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>         post-save command:
> >>>>>>>>>>>         track: yes
> >>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>> Request ID '20190915045216':
> >>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >>>>>>>>>>>
issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>> > >>>>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM > >>>>>>>>>>> > >>>>>>>>>>> expires: 2020-11-17 18:31:36 UTC > >>>>>>>>>>> > >>>>>>>>>>> key usage: > >>>>>>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>>>>>>>>>> > >>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth > >>>>>>>>>>> > >>>>>>>>>>> pre-save command: > >>>>>>>>>>> > >>>>>>>>>>> post-save command: > >>>>>>>>>>> > >>>>>>>>>>> track: yes > >>>>>>>>>>> > >>>>>>>>>>> auto-renew: yes > >>>>>>>>>>> > >>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden > >>>>>>>>>>>> <rcrit...@redhat.com> wrote: > >>>>>>>>>>>> > >>>>>>>>>>>> Satish Patel via FreeIPA-users wrote: > >>>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was > >>>>>>>>>>>>> showing > >>>>>>>>>>>>> empty list (no cert to track) > >>>>>>>>>>>>> > >>>>>>>>>>>>> So i run following command to add certs manually: > >>>>>>>>>>>>> > >>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n > >>>>>>>>>>>>> 'ocspSigningCert cert-pki-ca' -P XXXXXXX > >>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n > >>>>>>>>>>>>> 'auditSigningCert cert-pki-ca' -P XXXXXXX > >>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n > >>>>>>>>>>>>> 'subsystemCert > >>>>>>>>>>>>> cert-pki-ca' -P XXXXXXX > >>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n > >>>>>>>>>>>>> 'Godaddy' -P XXXXXXX > >>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy > >>>>>>>>>>>>> Intermediate' -P XXXXXXX > >>>>>>>>>>>>> > >>>>>>>>>>>>> And after that i am seeing this status (status: NEED_CA ) it > >>>>>>>>>>>>> should > >>>>>>>>>>>>> be MONITORING right? > >>>>>>>>>>>>> > >>>>>>>>>>>>> # getcert list > >>>>>>>>>>>>> Number of certificates and requests being tracked: 12. > >>>>>>>>>>>> > >>>>>>>>>>>> You setup the tracking wrong. 
> >>>>>>>>>>>> Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
> >>>>>>>>>>>>
> >>>>>>>>>>>> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
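As an added example (not code from this thread, from FreeIPA or from certmonger), a small Python triage over `getcert list` output that flags the states seen above: any request not in MONITORING, any request marked stuck, and NEED_KEY_PAIR entries whose key usage is keyCertSign, which is what the Godaddy root, Godaddy Intermediate and IPA CA entries look like when a database holds the CA certificate but no private key for it; it also compares the header count with the number of requests actually listed, the mismatch Rob points at. The sample dump is constructed in the shape of the thread's output.

```python
"""Triage a `getcert list` dump (added example, not the thread's own tooling): flag
requests that are not MONITORING, are stuck, or track a CA cert without its key."""
import re

# Constructed sample in the shape of the thread's output, not a capture from the host.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20190915043237':
\tstatus: NEED_CA
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',pin set
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
Request ID '20190915043246':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
\tkey usage: keyCertSign,cRLSign
"""

def parse_getcert_list(text):
    declared, records = None, []
    for line in text.splitlines():
        head = re.match(r"Number of certificates and requests being tracked: (\d+)\.", line)
        req = re.match(r"Request ID '([^']+)':", line)
        field = re.match(r"\s*([a-z -]+): ?(.*)", line)  # indented "name: value" lines
        if head:
            declared = int(head.group(1))
        elif req:
            records.append({"id": req.group(1)})
        elif field and records:
            records[-1][field.group(1)] = field.group(2).strip()
    return declared, records

def triage(text):
    """Map request ID -> reasons it needs attention; '_count' marks a header mismatch."""
    declared, records = parse_getcert_list(text)
    problems = {}
    for r in records:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append("status " + r.get("status", "?"))
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("status") == "NEED_KEY_PAIR" and "keyCertSign" in r.get("key usage", "").split(","):
            # No private key for a CA cert means it is a trust anchor, not a renewable cert.
            reasons.append("CA cert tracked without its private key; stop tracking it")
        if reasons:
            problems[r["id"]] = reasons
    if declared is not None and declared != len(records):
        problems["_count"] = [f"header says {declared} tracked but {len(records)} listed"]
    return problems
```

Run `triage(SAMPLE)` on the constructed dump, or feed it the real output of `getcert list`; a healthy host returns an empty dict.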