Rob, last question: when does certmonger renew all certificates automatically? I mean, before 24 hours ago? Just want to make sure it does, otherwise I will be in trouble again :)
Done, I made that change and restarted httpd. I believe all my issues have now been fixed. Thank you so much for your support.

[root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
NSSNickname Server-Cert

On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden <rcrit...@redhat.com> wrote:
>
> Satish Patel wrote:
> > Rob,
> >
> > As you suggested I did the following (it required a password, so I used -P <PIN>)
> >
> > # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K
> > HTTP/ldap-ca-master.example.com -C
> > /usr/libexec/ipa/certmonger/restart_httpd -D
> > ldap-ca-master.example.com -P 9e8c1a9447d56236733f
> >
> > # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
> > -K ldap/ldap-ca-master.example.com -C
> > "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D
> > ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
> >
> >
> > # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> > certutil: certificate is valid
> > # certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
> > certutil: certificate is valid
> >
> >>>>> If so then you can swap the config to use them. Edit
> > /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with
> > Server-Cert and restart httpd
> >
> > Do I need to edit the above nss.conf file?
> >
> > Currently I have the following NSSNickname in the file.
> >
> > # grep "NSSNickname" /etc/httpd/conf.d/nss.conf
> > NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
>
> Yes.
>
> >
> >
> >
> > Here is the full output of getcert list (do you think it's looking
> > good? I compared with the replica and I can see the master has 2 fewer certs
> > compared to the replica; hope that is ok)
>
> Due to difference in versions of IPA. This looks ok for a version 4.4.x
> master.
>
> rob
>
> >
> > # getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20190926141756': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=CA Audit,O=EXAMPLE.COM > > expires: 2020-11-17 18:32:07 UTC > > key usage: digitalSignature,nonRepudiation > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "auditSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20190926141757': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=OCSP Subsystem,O=EXAMPLE.COM > > expires: 2020-11-17 18:31:26 UTC > > eku: id-kp-OCSPSigning > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "ocspSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20190926141758': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=CA 
Subsystem,O=EXAMPLE.COM > > expires: 2020-11-17 18:31:16 UTC > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "subsystemCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20190926141759': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=Certificate Authority,O=EXAMPLE.COM > > expires: 2037-01-05 14:47:24 UTC > > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "caSigningCert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20190926141800': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > > Certificate DB' > > CA: dogtag-ipa-ca-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=IPA RA,O=EXAMPLE.COM > > expires: 2020-11-17 18:31:36 UTC > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > > track: yes > > auto-renew: yes > > Request ID '20190926141801': > > status: 
MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB',pin set > > certificate: > > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > > cert-pki-ca',token='NSS Certificate DB' > > CA: dogtag-ipa-renew-agent > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM > > expires: 2020-11-17 18:30:29 UTC > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > > "Server-Cert cert-pki-ca" > > track: yes > > auto-renew: yes > > Request ID '20190927010638': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB',pin set > > certificate: > > type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: CN=Certificate Authority,O=EXAMPLE.COM > > subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM > > expires: 2021-09-27 01:06:39 UTC > > dns: ldap-ca-master.foo.EXAMPLE.com > > principal name: HTTP/ldap-ca-master.foo.example....@example.com > > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > > eku: id-kp-serverAuth,id-kp-clientAuth > > pre-save command: > > post-save command: /usr/libexec/ipa/certmonger/restart_httpd > > track: yes > > auto-renew: yes > > Request ID '20190927011037': > > status: MONITORING > > stuck: no > > key pair storage: > > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > > Certificate DB',pin set > > certificate: > > type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > > Certificate DB' > > CA: IPA > > issuer: 
CN=Certificate Authority,O=EXAMPLE.COM
> > subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
> > expires: 2021-09-27 01:10:38 UTC
> > dns: ldap-ca-master.foo.EXAMPLE.com
> > principal name: ldap/ldap-ca-master.foo.example....@example.com
> > key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > eku: id-kp-serverAuth,id-kp-clientAuth
> > pre-save command:
> > post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
> > track: yes
> > auto-renew: yes
> >
> > On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden <rcrit...@redhat.com> wrote:
> >>
> >> Satish Patel wrote:
> >>> Rob,
> >>>
> >>> I got your point and I will remove all Godaddy certs, but I wanted to
> >>> say one thing: if I look into the ldap-ca-replica server, which is the other
> >>> server, I can see Server-Cert. Is there a way I can sync all these
> >>> replica certs with the master and fix them?
> >>
> >> These certs are master-specific. ldap-ca-replica is using IPA-issued
> >> server certificates and the other is using Godaddy-issued certificates.
> >>
> >> It's possible to issue certificates using the IPA CA to replace these
> >> Godaddy certs but I guess I'd check to be sure that's what you really
> >> want to do. Most people do this kind of replacement so they don't need
> >> to distribute the IPA CA to non-IPA-enrolled systems so they can do
> >> self-service management.
> >>
> >> Roughly speaking, you'd do something like this:
> >>
> >> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K
> >> HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
> >> # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K
> >> ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv
> >> EXAMPLE-COM" -D <hostname>
> >>
> >> That will issue the new certs and set them up for tracking.
> >>
> >> You can verify that they will work with:
> >>
> >> # certutil -V -u V -d <database> -n Server-Cert
> >>
> >> Both should return 'certificate is valid'
> >>
> >> If so then you can swap the config to use them. Edit
> >> /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with
> >> Server-Cert and restart httpd
> >>
> >> For 389-ds:
> >>
> >> # ldapmodify -x -D 'cn=directory manager' -W
> >> dn: cn=RSA,cn=encryption,cn=config
> >> changetype: modify
> >> replace: nsSSLPersonalitySSL
> >> nsSSLPersonalitySSL: Server-Cert
> >> <blank line>
> >> ^D
> >>
> >> Then restart 389-ds-base, or do both then run ipactl restart
> >>
> >> The old certs will still exist in the NSS databases so you can always
> >> switch them back if you need to.
> >>
> >> rob
> >>
> >>>
> >>> This is the replica node output; looks like the replica is very clean.
> >>>
> >>> [root@ldap-ca-replica ~]# getcert list
> >>> Number of certificates and requests being tracked: 10.
> >>> Request ID '20190918205044':
> >>> status: MONITORING
> >>> stuck: no
> >>> key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
> >>> certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
> >>> CA: IPA
> >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>> expires: 2021-09-18 20:50:45 UTC
> >>> dns: ldap-ca-replica.foo.EXAMPLE.com
> >>> principal name: host/ldap-ca-replica.foo.example....@example.com
> >>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>> pre-save command:
> >>> post-save command:
> >>> track: yes
> >>> auto-renew: yes
> >>> Request ID '20190918205212':
> >>> status: MONITORING
> >>> stuck: no
> >>> key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > >>> Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt' > >>> certificate: > >>> type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS > >>> Certificate DB' > >>> CA: IPA > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > >>> expires: 2021-09-18 20:52:12 UTC > >>> dns: ldap-ca-replica.foo.EXAMPLE.com > >>> principal name: ldap/ldap-ca-replica.foo.example....@example.com > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth > >>> pre-save command: > >>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918205232': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > >>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >>> certificate: > >>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS > >>> Certificate DB' > >>> CA: IPA > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > >>> expires: 2021-09-18 20:52:32 UTC > >>> dns: ldap-ca-replica.foo.EXAMPLE.com > >>> principal name: HTTP/ldap-ca-replica.foo.example....@example.com > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth > >>> pre-save command: > >>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918205418': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' > >>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' > >>> CA: 
dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=IPA RA,O=EXAMPLE.COM > >>> expires: 2020-11-17 18:31:36 UTC > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth > >>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > >>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918205431': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > >>> cert-pki-ca',token='NSS Certificate DB',pin set > >>> certificate: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > >>> cert-pki-ca',token='NSS Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=CA Audit,O=EXAMPLE.COM > >>> expires: 2020-11-17 18:32:07 UTC > >>> key usage: digitalSignature,nonRepudiation > >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>> "auditSigningCert cert-pki-ca" > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918205432': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > >>> cert-pki-ca',token='NSS Certificate DB',pin set > >>> certificate: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > >>> cert-pki-ca',token='NSS Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM > >>> expires: 2020-11-17 18:31:26 UTC > >>> eku: id-kp-OCSPSigning > >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>> 
"ocspSigningCert cert-pki-ca" > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918205433': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > >>> cert-pki-ca',token='NSS Certificate DB',pin set > >>> certificate: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > >>> cert-pki-ca',token='NSS Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=CA Subsystem,O=EXAMPLE.COM > >>> expires: 2020-11-17 18:31:16 UTC > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth > >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>> "subsystemCert cert-pki-ca" > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918205434': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > >>> cert-pki-ca',token='NSS Certificate DB',pin set > >>> certificate: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > >>> cert-pki-ca',token='NSS Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=Certificate Authority,O=EXAMPLE.COM > >>> expires: 2037-01-05 14:47:24 UTC > >>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>> "caSigningCert cert-pki-ca" > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918205435': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > >>> cert-pki-ca',token='NSS 
Certificate DB',pin set > >>> certificate: > >>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > >>> cert-pki-ca',token='NSS Certificate DB' > >>> CA: dogtag-ipa-ca-renew-agent > >>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > >>> expires: 2021-09-07 20:54:00 UTC > >>> key usage: > >>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection > >>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>> "Server-Cert cert-pki-ca" > >>> track: yes > >>> auto-renew: yes > >>> Request ID '20190918210008': > >>> status: MONITORING > >>> stuck: no > >>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' > >>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' > >>> CA: SelfSign > >>> issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > >>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM > >>> expires: 2020-09-18 21:00:08 UTC > >>> principal name: krbtgt/example....@example.com > >>> certificate template/profile: KDCs_PKINIT_Certs > >>> pre-save command: > >>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert > >>> track: yes > >>> auto-renew: yes > >>> > >>> On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden <rcrit...@redhat.com> > >>> wrote: > >>>> > >>>> Satish Patel via FreeIPA-users wrote: > >>>>> Rob, > >>>>> > >>>>> Here is the web certs > >>>>> > >>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L > >>>>> > >>>>> Certificate Nickname Trust > >>>>> Attributes > >>>>> > >>>>> SSL,S/MIME,JAR/XPI > >>>>> > >>>>> EXAMPLE.COM IPA CA CT,C,C > >>>>> Godaddy C,, > >>>>> CN=*.foo.example.com,OU=Domain Control Validated u,u,u > >>>>> Signing-Cert u,u,u > >>>>> Godaddy Intermediate C,, > >>>>> ipaCert u,u,u > >>>> > >>>> Ok, good. Also using a Godaddy cert. 
> >>>>
> >>>>> Here is the full output of getcert and I can see some certs showing
> >>>>> MONITORING
> >>>>
> >>>> Ok. I've annotated each cert you should stop tracking. It looks like the
> >>>> CA subsystem certs are ok.
> >>>>
> >>>> You will need to watch the Godaddy certs yourself and manually renew
> >>>> when the time comes. certmonger has no way to renew those.
> >>>>
> >>>> To stop tracking these run: getcert stop-tracking -i <request_id>
> >>>>
> >>>>>
> >>>>> [root@ldap-ca-master ~]# getcert list
> >>>>> Number of certificates and requests being tracked: 13.
> >>>>> Request ID '20190915043246':
> >>>>> status: NEED_KEY_PAIR
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
> >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
> >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>> expires: 2037-12-31 23:59:59 UTC
> >>>>> key usage: keyCertSign,cRLSign
> >>>>> pre-save command:
> >>>>> post-save command:
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>
> >>>> No need to track this one. You'd have no way of renewing it anyway.
> >>>> > >>>>> Request ID '20190915043304': > >>>>> status: NEED_KEY_PAIR > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy > >>>>> Intermediate',pin set > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy > >>>>> Intermediate',token='NSS Certificate DB' > >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, > >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>> subject: CN=Go Daddy Secure Certificate Authority - > >>>>> G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, > >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>> expires: 2031-05-03 07:00:00 UTC > >>>>> key usage: keyCertSign,cRLSign > >>>>> pre-save command: > >>>>> post-save command: > >>>>> track: yes > >>>>> auto-renew: yes > >>>> > >>>> No need to track this one. > >>>> > >>>>> Request ID '20190915045112': > >>>>> status: NEED_KEY_PAIR > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA > >>>>> CA',pinfile='/etc/httpd/alias/pwdfile.txt' > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM > >>>>> IPA CA',token='NSS Certificate DB' > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> expires: 2037-01-05 14:47:24 UTC > >>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > >>>>> pre-save command: > >>>>> post-save command: > >>>>> track: yes > >>>>> auto-renew: yes > >>>> > >>>> You don't need to track the CA cert here. 
> >>>> > >>>>> Request ID '20190915045148': > >>>>> status: NEED_KEY_PAIR > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS > >>>>> Certificate DB' > >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, > >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, > >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>> expires: 2037-12-31 23:59:59 UTC > >>>>> key usage: keyCertSign,cRLSign > >>>>> pre-save command: > >>>>> post-save command: > >>>>> track: yes > >>>>> auto-renew: yes > >>>> > >>>> Same, stop the tracking. > >>>> > >>>>> Request ID '20190915045156': > >>>>> status: NEED_CA > >>>>> stuck: yes > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS > >>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS > >>>>> Certificate DB' > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM > >>>>> expires: 2021-01-05 14:49:59 UTC > >>>>> key usage: digitalSignature,keyCertSign > >>>>> pre-save command: > >>>>> post-save command: > >>>>> track: yes > >>>>> auto-renew: yes > >>>> > >>>> This one too. 
> >>>> > >>>>> Request ID '20190915045206': > >>>>> status: NEED_KEY_PAIR > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy > >>>>> Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt' > >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy > >>>>> Intermediate',token='NSS Certificate DB' > >>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, > >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>> subject: CN=Go Daddy Secure Certificate Authority - > >>>>> G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, > >>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>> expires: 2031-05-03 07:00:00 UTC > >>>>> key usage: keyCertSign,cRLSign > >>>>> pre-save command: > >>>>> post-save command: > >>>>> track: yes > >>>>> auto-renew: yes > >>>> > >>>> And this, stop tracking. > >>>> > >>>>> Request ID '20190926141756': > >>>>> status: MONITORING > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > >>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > >>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>> CA: dogtag-ipa-ca-renew-agent > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: CN=CA Audit,O=EXAMPLE.COM > >>>>> expires: 2020-11-17 18:32:07 UTC > >>>>> key usage: digitalSignature,nonRepudiation > >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>>>> "auditSigningCert cert-pki-ca" > >>>>> track: yes > >>>>> auto-renew: yes > >>>>> Request ID '20190926141757': > >>>>> status: MONITORING > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > >>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>> certificate: > 
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > >>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>> CA: dogtag-ipa-ca-renew-agent > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM > >>>>> expires: 2020-11-17 18:31:26 UTC > >>>>> eku: id-kp-OCSPSigning > >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>>>> "ocspSigningCert cert-pki-ca" > >>>>> track: yes > >>>>> auto-renew: yes > >>>>> Request ID '20190926141758': > >>>>> status: MONITORING > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > >>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > >>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>> CA: dogtag-ipa-ca-renew-agent > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM > >>>>> expires: 2020-11-17 18:31:16 UTC > >>>>> key usage: > >>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>>>> eku: id-kp-serverAuth,id-kp-clientAuth > >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>>>> "subsystemCert cert-pki-ca" > >>>>> track: yes > >>>>> auto-renew: yes > >>>>> Request ID '20190926141759': > >>>>> status: MONITORING > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > >>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > >>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>> CA: dogtag-ipa-ca-renew-agent > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: 
CN=Certificate Authority,O=EXAMPLE.COM > >>>>> expires: 2037-01-05 14:47:24 UTC > >>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad > >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert > >>>>> "caSigningCert cert-pki-ca" > >>>>> track: yes > >>>>> auto-renew: yes > >>>>> Request ID '20190926141800': > >>>>> status: MONITORING > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>>>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS > >>>>> Certificate DB' > >>>>> CA: dogtag-ipa-ca-renew-agent > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: CN=IPA RA,O=EXAMPLE.COM > >>>>> expires: 2020-11-17 18:31:36 UTC > >>>>> key usage: > >>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>>>> eku: id-kp-serverAuth,id-kp-clientAuth > >>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre > >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert > >>>>> track: yes > >>>>> auto-renew: yes > >>>>> Request ID '20190926141801': > >>>>> status: MONITORING > >>>>> stuck: no > >>>>> key pair storage: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > >>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>> certificate: > >>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > >>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>> CA: dogtag-ipa-renew-agent > >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM > >>>>> expires: 2020-11-17 18:30:29 UTC > >>>>> key usage: > >>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>>>> eku: id-kp-serverAuth,id-kp-clientAuth > >>>>> pre-save command: 
/usr/libexec/ipa/certmonger/stop_pkicad
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190926141802':
> >>>>> status: CA_UNCONFIGURED
> >>>>> ca-error: Unable to determine principal name for signing request.
> >>>>> stuck: yes
> >>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
> >>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
> >>>>> CA: IPA
> >>>>> issuer:
> >>>>> subject:
> >>>>> expires: unknown
> >>>>> pre-save command:
> >>>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>
> >>>> The tracking on this one is wrong and since you don't have Server-Cert
> >>>> anyway, just stop tracking this one.
> >>>>
> >>>> rob
> >>>>>
> >>>>> On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden <rcrit...@redhat.com>
> >>>>> wrote:
> >>>>>>
> >>>>>> Satish Patel wrote:
> >>>>>>> Addition to last email:
> >>>>>>>
> >>>>>>> I can't see Server-Cert here, but the interesting thing is I can see
> >>>>>>> Server-Cert on my CA replica node on ldap-2 (why is my primary
> >>>>>>> ldap-ca-master not showing that cert?)
> >>>>>>>
> >>>>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
> >>>>>>>
> >>>>>>> Certificate Nickname                                       Trust Attributes
> >>>>>>>                                                            SSL,S/MIME,JAR/XPI
> >>>>>>>
> >>>>>>> EXAMPLE.COM IPA CA                                         CT,C,C
> >>>>>>> Godaddy                                                    C,,
> >>>>>>> CN=*.foo.example.com,OU=Domain Control Validated           u,u,u
> >>>>>>> Godaddy Intermediate                                       C,,
> >>>>>>
> >>>>>> At some point someone replaced the IPA-signed LDAP certificate with one
> >>>>>> signed by GoDaddy (which is fine).
> >>>>>>
> >>>>>> It appears that the version of IPA you're using (at least) doesn't
> >>>>>> handle this case.
> >>>>>>
> >>>>>> Now, fortunately it's one of the last things done so this may be just
> >>>>>> fine.
> >>>>>>
> >>>>>> Can you see if your web server cert was also replaced? The database is
> >>>>>> /etc/httpd/alias.
> >>>>>>
> >>>>>> Also, check your current tracking. The CA subsystem certs should be
> >>>>>> properly tracked now. It is just the LDAP and web certs that should not
> >>>>>> be (and if it is still using GoDaddy that is fine).
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>>>>
> >>>>>>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel <satish....@gmail.com>
> >>>>>>> wrote:
> >>>>>>>>
> >>>>>>>> Rob,
> >>>>>>>>
> >>>>>>>> Now I got an error and here is the output. The output was very long, so I
> >>>>>>>> cropped it down and here is the error piece.
> >>>>>>>>
> >>>>>>>> ipa: INFO: [Upgrading CA schema]
> >>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
> >>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
> >>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
> >>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
> >>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
> >>>>>>>> ipa: INFO: CA schema update complete (no changes)
> >>>>>>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
> >>>>>>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
> >>>>>>>> ipa: INFO: [Update certmonger certificate renewal
configuration to > >>>>>>>> version 5] > >>>>>>>> ipa: DEBUG: Loading StateFile from > >>>>>>>> '/var/lib/ipa/sysupgrade/sysupgrade.state' > >>>>>>>> ipa: DEBUG: Configuring certmonger to stop tracking system > >>>>>>>> certificates for CA > >>>>>>>> Configuring certmonger to stop tracking system certificates for CA > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout=active > >>>>>>>> > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout=active > >>>>>>>> > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Loading Index file from > >>>>>>>> '/var/lib/ipa/sysrestore/sysrestore.index' > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service > >>>>>>>> 
ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout=active > >>>>>>>> > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Loading Index file from > >>>>>>>> '/var/lib/ipa/sysrestore/sysrestore.index' > >>>>>>>> ipa: DEBUG: Loading StateFile from > >>>>>>>> '/var/lib/ipa/sysupgrade/sysupgrade.state' > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout=active > >>>>>>>> > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service > >>>>>>>> ipa: DEBUG: Process finished, return code=0 > >>>>>>>> ipa: DEBUG: stdout=active > >>>>>>>> > >>>>>>>> ipa: DEBUG: stderr= > >>>>>>>> ipa: DEBUG: Loading Index file from > >>>>>>>> '/var/lib/ipa/sysrestore/sysrestore.index' > >>>>>>>> ipa: DEBUG: Starting external process > >>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM > >>>>>>>> -L > >>>>>>>> -n Server-Cert -a > >>>>>>>> ipa: DEBUG: Process finished, return code=255 > >>>>>>>> ipa: DEBUG: stdout= > >>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert > >>>>>>>> : 
PR_FILE_NOT_FOUND_ERROR: File not found > >>>>>>>> > >>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA > >>>>>>>> server upgrade failed: Inspect /var/log/ipaupgrade.log and run > >>>>>>>> command > >>>>>>>> ipa-server-upgrade manually. > >>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: File > >>>>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, > >>>>>>>> in execute > >>>>>>>> return_value = self.run() > >>>>>>>> File > >>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", > >>>>>>>> line 46, in run > >>>>>>>> server.upgrade() > >>>>>>>> File > >>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", > >>>>>>>> line 1863, in upgrade > >>>>>>>> upgrade_configuration() > >>>>>>>> File > >>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", > >>>>>>>> line 1769, in upgrade_configuration > >>>>>>>> certificate_renewal_update(ca, ds, http), > >>>>>>>> File > >>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", > >>>>>>>> line 1027, in certificate_renewal_update > >>>>>>>> ds.start_tracking_certificates(serverid) > >>>>>>>> File > >>>>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", > >>>>>>>> line 983, in start_tracking_certificates > >>>>>>>> 'restart_dirsrv %s' % serverid) > >>>>>>>> File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", > >>>>>>>> line 307, in track_server_cert > >>>>>>>> nsscert = x509.load_certificate(cert, dbdir=self.secdir) > >>>>>>>> File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, > >>>>>>>> in > >>>>>>>> load_certificate > >>>>>>>> return nss.Certificate(buffer(data)) # pylint: > >>>>>>>> disable=buffer-builtin > >>>>>>>> > >>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The > >>>>>>>> ipa-server-upgrade command failed, exception: NSPRError: > >>>>>>>> (SEC_ERROR_LIBRARY_FAILURE) 
security library failure. > >>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: > >>>>>>>> Unexpected error - see /var/log/ipaupgrade.log for details: > >>>>>>>> NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure. > >>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The > >>>>>>>> ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for > >>>>>>>> more information > >>>>>>>> > >>>>>>>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden <rcrit...@redhat.com> > >>>>>>>> wrote: > >>>>>>>>> > >>>>>>>>> Satish Patel wrote: > >>>>>>>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64" > >>>>>>>>> > >>>>>>>>> Ok, that explains what is happening. > >>>>>>>>> > >>>>>>>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag] > >>>>>>>>> section. Remove the entry for certificate_renewal_update_5. > >>>>>>>>> > >>>>>>>>> This being present is preventing the tracking to be repaired. > >>>>>>>>> > >>>>>>>>> Then run ipa-server-upgrade again and your tracking should be fixed. > >>>>>>>>> > >>>>>>>>> Use the -v flag for additional debugging, not --debug, I was > >>>>>>>>> mistaken. > >>>>>>>>> > >>>>>>>>> rob > >>>>>>>>> > >>>>>>>>>> > >>>>>>>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden > >>>>>>>>>> <rcrit...@redhat.com> wrote: > >>>>>>>>>>> > >>>>>>>>>>> Satish Patel via FreeIPA-users wrote: > >>>>>>>>>>>> I did run "ipa-server-upgrade" and look like it was successful > >>>>>>>>>>>> but > >>>>>>>>>>>> still in getcert list showing CA_NEED :( > >>>>>>>>>>> > >>>>>>>>>>> Remind me what the package version of IPA is. I'm confused by the > >>>>>>>>>>> version 5 in the output about renewal configuration. > >>>>>>>>>>> > >>>>>>>>>>> You might also want to try running with --debug as depending on > >>>>>>>>>>> release > >>>>>>>>>>> it will give more information about this. 
> >>>>>>>>>>> > >>>>>>>>>>> rob > >>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade > >>>>>>>>>>>> Upgrading IPA: > >>>>>>>>>>>> [1/10]: stopping directory server > >>>>>>>>>>>> [2/10]: saving configuration > >>>>>>>>>>>> [3/10]: disabling listeners > >>>>>>>>>>>> [4/10]: enabling DS global lock > >>>>>>>>>>>> [5/10]: starting directory server > >>>>>>>>>>>> [6/10]: updating schema > >>>>>>>>>>>> [7/10]: upgrading server > >>>>>>>>>>>> [8/10]: stopping directory server > >>>>>>>>>>>> [9/10]: restoring configuration > >>>>>>>>>>>> [10/10]: starting directory server > >>>>>>>>>>>> Done. > >>>>>>>>>>>> Update complete > >>>>>>>>>>>> Upgrading IPA services > >>>>>>>>>>>> Upgrading the configuration of the IPA services > >>>>>>>>>>>> [Verifying that root certificate is published] > >>>>>>>>>>>> [Migrate CRL publish directory] > >>>>>>>>>>>> CRL tree already moved > >>>>>>>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by > >>>>>>>>>>>> IPA. It > >>>>>>>>>>>> will be overwritten. A backup of the original will be made. 
> >>>>>>>>>>>> [Verifying that CA proxy configuration is correct] > >>>>>>>>>>>> [Verifying that KDC configuration is using ipa-kdb backend] > >>>>>>>>>>>> [Fix DS schema file syntax] > >>>>>>>>>>>> Syntax already fixed > >>>>>>>>>>>> [Removing RA cert from DS NSS database] > >>>>>>>>>>>> RA cert already removed > >>>>>>>>>>>> [Enable sidgen and extdom plugins by default] > >>>>>>>>>>>> [Updating HTTPD service IPA configuration] > >>>>>>>>>>>> [Updating mod_nss protocol versions] > >>>>>>>>>>>> Protocol versions already updated > >>>>>>>>>>>> [Updating mod_nss cipher suite] > >>>>>>>>>>>> [Fixing trust flags in /etc/httpd/alias] > >>>>>>>>>>>> Trust flags already processed > >>>>>>>>>>>> [Exporting KRA agent PEM file] > >>>>>>>>>>>> KRA is not enabled > >>>>>>>>>>>> [Removing self-signed CA] > >>>>>>>>>>>> [Removing Dogtag 9 CA] > >>>>>>>>>>>> [Checking for deprecated KDC configuration files] > >>>>>>>>>>>> [Checking for deprecated backups of Samba configuration files] > >>>>>>>>>>>> [Setting up Firefox extension] > >>>>>>>>>>>> [Add missing CA DNS records] > >>>>>>>>>>>> IPA CA DNS records already processed > >>>>>>>>>>>> [Removing deprecated DNS configuration options] > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> [Ensuring minimal number of connections] > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> [Enabling serial autoincrement in DNS] > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> [Updating GSSAPI configuration in DNS] > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> [Updating pid-file configuration in DNS] > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> DNS is not configured > >>>>>>>>>>>> [Upgrading CA schema] > >>>>>>>>>>>> CA schema update complete (no changes) > >>>>>>>>>>>> [Verifying that CA audit signing cert 
has 2 year validity] > >>>>>>>>>>>> [Update certmonger certificate renewal configuration to version > >>>>>>>>>>>> 5] > >>>>>>>>>>>> [Enable PKIX certificate path discovery and validation] > >>>>>>>>>>>> PKIX already enabled > >>>>>>>>>>>> [Authorizing RA Agent to modify profiles] > >>>>>>>>>>>> [Authorizing RA Agent to manage lightweight CAs] > >>>>>>>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database] > >>>>>>>>>>>> [Adding default OCSP URI configuration] > >>>>>>>>>>>> [Ensuring CA is using LDAPProfileSubsystem] > >>>>>>>>>>>> [Migrating certificate profiles to LDAP] > >>>>>>>>>>>> [Ensuring presence of included profiles] > >>>>>>>>>>>> [Add default CA ACL] > >>>>>>>>>>>> Default CA ACL already added > >>>>>>>>>>>> [Set up lightweight CA key retrieval] > >>>>>>>>>>>> Creating principal > >>>>>>>>>>>> Retrieving keytab > >>>>>>>>>>>> Creating Custodia keys > >>>>>>>>>>>> Configuring key retriever > >>>>>>>>>>>> The IPA services were upgraded > >>>>>>>>>>>> The ipa-server-upgrade command was successful > >>>>>>>>>>>> > >>>>>>>>>>>> > >>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list | grep status > >>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>> > >>>>>>>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud > >>>>>>>>>>>> <f...@redhat.com> wrote: > >>>>>>>>>>>>> > >>>>>>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote: > >>>>>>>>>>>>>> Thanks Florence, > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> is it safe to run "ipa-server-upgrade" ? 
> >>>>>>>>>>>>>> > >>>>>>>>>>>>> Hi, > >>>>>>>>>>>>> generally yes :) > >>>>>>>>>>>>> > >>>>>>>>>>>>> We had a few tickets related to upgrade but they are mainly > >>>>>>>>>>>>> revealing > >>>>>>>>>>>>> already present issues (for instance because this CLI stops and > >>>>>>>>>>>>> starts > >>>>>>>>>>>>> the services, expired certs would prevent successful > >>>>>>>>>>>>> completion). > >>>>>>>>>>>>> > >>>>>>>>>>>>>> Do i need to provide any option with "ipa-server-upgrade" > >>>>>>>>>>>>>> command? i > >>>>>>>>>>>>>> believe few month back when i tried to do "ipa-server-upgrade" > >>>>>>>>>>>>>> it > >>>>>>>>>>>>>> broke some stuff but anyway i will take snapshot of VM and try > >>>>>>>>>>>>>> in > >>>>>>>>>>>>>> worst case scenario. > >>>>>>>>>>>>> With the VM snapshot you are on the safe side. > >>>>>>>>>>>>> > >>>>>>>>>>>>> flo > >>>>>>>>>>>>> > >>>>>>>>>>>>>> > >>>>>>>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud > >>>>>>>>>>>>>> <f...@redhat.com> wrote: > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote: > >>>>>>>>>>>>>>>> Any thought ? > >>>>>>>>>>>>>>> Hi, > >>>>>>>>>>>>>>> if you run ipa-server-upgrade on this node, the command will > >>>>>>>>>>>>>>> fix the > >>>>>>>>>>>>>>> tracking of certs. 
You should see in the output; > >>>>>>>>>>>>>>> [Update certmonger certificate renewal configuration] > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>> HTH, > >>>>>>>>>>>>>>> flo > >>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>> Sent from my iPhone > >>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel > >>>>>>>>>>>>>>>>> <satish....@gmail.com> wrote: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Rob sorry, i trim my output thought not necessary but > >>>>>>>>>>>>>>>>> anyway here is > >>>>>>>>>>>>>>>>> the full list (ignore CAPS letter in output) > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12. > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915042927': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: > >>>>>>>>>>>>>>>>> digitalSignature,nonRepudiation,keyCertSign,cRLSign > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID 
'20190915043150': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: > >>>>>>>>>>>>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915043212': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=OCSP 
Subsystem,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> eku: id-kp-OCSPSigning > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915043224': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915043237': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_CA > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB',pin set > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > >>>>>>>>>>>>>>>>> cert-pki-ca',token='NSS Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: > >>>>>>>>>>>>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915043246': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: no > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin > >>>>>>>>>>>>>>>>> set > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS > >>>>>>>>>>>>>>>>> Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - > >>>>>>>>>>>>>>>>> G2,O="GoDaddy.com, > >>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - > >>>>>>>>>>>>>>>>> G2,O="GoDaddy.com, > >>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> 
> >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915043304': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: no > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy > >>>>>>>>>>>>>>>>> Intermediate',pin set > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy > >>>>>>>>>>>>>>>>> Intermediate',token='NSS Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - > >>>>>>>>>>>>>>>>> G2,O="GoDaddy.com, > >>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - > >>>>>>>>>>>>>>>>> G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, > >>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915045112': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: no > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM > >>>>>>>>>>>>>>>>> IPA > >>>>>>>>>>>>>>>>> CA',pinfile='/etc/httpd/alias/pwdfile.txt' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM > >>>>>>>>>>>>>>>>> IPA 
CA',token='NSS Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: > >>>>>>>>>>>>>>>>> digitalSignature,nonRepudiation,keyCertSign,cRLSign > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915045148': > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> stuck: no > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key pair storage: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> certificate: > >>>>>>>>>>>>>>>>> type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS > >>>>>>>>>>>>>>>>> Certificate DB' > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - > >>>>>>>>>>>>>>>>> G2,O="GoDaddy.com, > >>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - > >>>>>>>>>>>>>>>>> G2,O="GoDaddy.com, > >>>>>>>>>>>>>>>>> Inc.",L=Scottsdale,ST=Arizona,C=US > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> pre-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> post-save command: > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> track: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> auto-renew: yes > >>>>>>>>>>>>>>>>> > >>>>>>>>>>>>>>>>> Request ID '20190915045156': > >>>>>>>>>>>>>>>>> > 
> >>>>>>>>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>         subject: CN=Object Signing Cert,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>         expires: 2021-01-05 14:49:59 UTC
> >>>>>>>>>>>>>>>>>         key usage: digitalSignature,keyCertSign
> >>>>>>>>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>>>>>>>         post-save command:
> >>>>>>>>>>>>>>>>>         track: yes
> >>>>>>>>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>>>>>>>> Request ID '20190915045206':
> >>>>>>>>>>>>>>>>>         status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>>>         stuck: no
> >>>>>>>>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>         issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>         subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>         expires: 2031-05-03 07:00:00 UTC
> >>>>>>>>>>>>>>>>>         key usage: keyCertSign,cRLSign
> >>>>>>>>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>>>>>>>         post-save command:
> >>>>>>>>>>>>>>>>>         track: yes
> >>>>>>>>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>>>>>>>> Request ID '20190915045216':
> >>>>>>>>>>>>>>>>>         status: NEED_CA
> >>>>>>>>>>>>>>>>>         stuck: yes
> >>>>>>>>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>         issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>         subject: CN=IPA RA,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>         expires: 2020-11-17 18:31:36 UTC
> >>>>>>>>>>>>>>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>>>>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>>>>>>>>>>         pre-save command:
> >>>>>>>>>>>>>>>>>         post-save command:
> >>>>>>>>>>>>>>>>>         track: yes
> >>>>>>>>>>>>>>>>>         auto-renew: yes
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden <rcrit...@redhat.com> wrote:
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
> >>>>>>>>>>>>>>>>>>> A few days ago my Master CA was messed up and getcert list was showing an empty list (no cert to track).
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> So I ran the following commands to add the certs manually:
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> And after that I am seeing this status (status: NEED_CA). It should be MONITORING, right?
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> # getcert list
> >>>>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> You set up the tracking wrong. Your output only shows 3 certs and yet certmonger thinks it has 12. Where are the other 9?
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> rob
> >>>>>>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> >>>>>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> >>>>>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>>>>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>>>>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
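A defender's check that follows from the thread (an added example, not code from the list or from the certmonger project): parse `getcert list` output and flag every request that is stuck or not in MONITORING, plus certificates close to expiry. The sample output below is constructed in the layout quoted above; request ID 20190927000001 and the expiry dates are made up.

```python
import re
from datetime import datetime, timedelta
# Constructed sample in the layout of `getcert list`, modelled on the entries quoted
# in the thread; the third request ID and the expiry dates are made up.
SAMPLE = """\
Request ID '20190915045206':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
\texpires: 2031-05-03 07:00:00 UTC
Request ID '20190915045216':
\tstatus: NEED_CA
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\texpires: 2020-11-17 18:31:36 UTC
Request ID '20190927000001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2019-10-15 12:00:00 UTC
"""
def parse_getcert_list(text):
    # One dict per "Request ID" block; indented "key: value" lines become fields.
    entries, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            entries.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key] = val.strip()
    return entries

def find_problems(entries, now, warn_days=30):
    # Flag requests that are stuck or not MONITORING, and certs close to expiry.
    out = []
    for e in entries:
        m = re.search(r"nickname='([^']*)'", e.get("certificate", ""))
        nick = m.group(1) if m else "?"
        if e.get("stuck") == "yes" or e.get("status") != "MONITORING":
            out.append((e["id"], nick, "stuck=%s status=%s" % (e.get("stuck"), e.get("status"))))
        if "expires" in e:
            when = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if when - now < timedelta(days=warn_days):
                out.append((e["id"], nick, "expires within %d days (%s)" % (warn_days, e["expires"])))
    return out

def audit(text=SAMPLE, now=datetime(2019, 9, 27)):
    return find_problems(parse_getcert_list(text), now)
```

On a live host, feed it `subprocess.check_output(["getcert", "list"]).decode()` and `datetime.utcnow()` instead of the sample; an entry for an external CA certificate such as the GoDaddy intermediate will always show up here, because certmonger cannot renew it.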