Ricardo Mendes via FreeIPA-users wrote:
>> I think you need to see what certs and keys are in /etc/httpd/alias.
>> Sounds like there is no Server-Cert nickname.
>
> certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
> certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
>
> This is the output, and I'm adding getcert list in the end as well.
>
> # certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
>
> Certificate Nickname                            Trust Attributes
>                                                 SSL,S/MIME,JAR/XPI
>
> DSTRootCAX3                                     C,,
> CN=main.domain.io                               u,u,u
> letsencryptx3                                   C,,
> letsencryptx3                                   C,,
> ISRGRootCAX1                                    C,,
> DOMAIN.IO IPA CA                                CT,C,
>
> # certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
> certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
> < 0> rsa      493a92843c598413e3f50ca923706417821bf392   CN=main.domain.io
> < 1> rsa      e946257bb7a486f489287ccd72dab14067eae2b7   CN=main.domain.io
> < 2> rsa      8bbe08dd006063eea896aee19f24da6b5f28f348   CN=main.domain.io
> < 3> rsa      ac96e477d65db3ba63213332c30ac7733bf70a10   (orphan)
> < 4> rsa      b40bea3d28cce1ea7274f8ecf47b2d70f5e0c0c1   CN=main.domain.io
> #
Right, the cert nickname is CN=main.domain.io. I'm assuming you manually installed the LE certs originally using ipa-server-certinstall, right? That doesn't follow the pattern of using Server-Cert for the nickname by default. You can probably just hack the LE script and replace Server-Cert with CN=main.domain.io.

It's important to know that the LE script was written specifically for the IPA demo site and a repo created to share the general method. It isn't shipped with IPA or otherwise really supported at all. No backwards compatibility testing is done, just what is needed for the demo site. So while it might eventually work fine for you, it isn't intended to be a general-purpose tool.

rob

> # getcert list
> Number of certificates and requests being tracked: 7.
> Request ID '20190220114014':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>     certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=DOMAIN.IO
>     subject: CN=main.domain.io,O=DOMAIN.IO
>     expires: 2021-02-20 11:40:16 UTC
>     principal name: krbtgt/[email protected]
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-pkinit-KPKdc
>     pre-save command:
>     post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>     track: yes
>     auto-renew: yes
> Request ID '20190819230939':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.IO
>     subject: CN=CA Audit,O=DOMAIN.IO
>     expires: 2021-02-09 11:36:51 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20190819230940':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.IO
>     subject: CN=OCSP Subsystem,O=DOMAIN.IO
>     expires: 2021-02-09 11:36:48 UTC
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20190819230941':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.IO
>     subject: CN=CA Subsystem,O=DOMAIN.IO
>     expires: 2021-02-09 11:36:50 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20190819230942':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.IO
>     subject: CN=Certificate Authority,O=DOMAIN.IO
>     expires: 2039-02-20 11:36:43 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20190819230943':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>     certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.IO
>     subject: CN=IPA RA,O=DOMAIN.IO
>     expires: 2021-02-09 11:37:44 UTC
>     key usage: digitalSignature,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20190819230944':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOMAIN.IO
>     subject: CN=main.domain.io,O=DOMAIN.IO
>     expires: 2021-02-09 11:36:49 UTC
>     dns: main.domain.io
>     key usage: digitalSignature,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
>
>>> (btw https://lists.fedoraproject.org is down)
>
>> Related to the Fedora infrastructure move.
>
> hope all is going well!
>
> Ricardo
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
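The point of the exchange above is that a renewal script which hard-codes the nickname Server-Cert fails when the NSS database holds the server cert under another nickname (here CN=main.domain.io), and that the same database also carries a private key with no certificate at all ("(orphan)"). The following is an added example written for this page, not code from the thread, from FreeIPA or from the demo-site LE script: a small POSIX shell check that parses the text of `certutil -L` and `certutil -K`, reports the nickname that actually has a certificate plus private key (trust flags u,u,u), flags orphaned keys and duplicated nicknames, and refuses to guess when there is not exactly one candidate. The two sample listings are constructed to match what Ricardo posted; the function names, the `--demo` switch and the preference for Server-Cert when it exists are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): sanity-check an NSS database
# listing before pointing a certificate-renewal script at a nickname.
#
# On a live IPA server feed the real commands instead of the samples below:
#   certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt | pick_server_nickname
#   certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt | orphan_keys

# Constructed sample output, shaped like the listing posted in the thread.
SAMPLE_CERT_LIST='Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

DSTRootCAX3                                     C,,
CN=main.domain.io                               u,u,u
letsencryptx3                                   C,,
letsencryptx3                                   C,,
ISRGRootCAX1                                    C,,
DOMAIN.IO IPA CA                                CT,C,'

SAMPLE_KEY_LIST='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      493a92843c598413e3f50ca923706417821bf392   CN=main.domain.io
< 1> rsa      e946257bb7a486f489287ccd72dab14067eae2b7   CN=main.domain.io
< 2> rsa      8bbe08dd006063eea896aee19f24da6b5f28f348   CN=main.domain.io
< 3> rsa      ac96e477d65db3ba63213332c30ac7733bf70a10   (orphan)
< 4> rsa      b40bea3d28cce1ea7274f8ecf47b2d70f5e0c0c1   CN=main.domain.io'

# Nicknames whose trust flags are exactly u,u,u: certutil found both the
# certificate and its private key, so these are the usable server entries.
server_nicknames() {
    awk '
        NF == 0 || /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ { next }
        {
            trust = $NF            # last field is the trust string
            $NF = ""               # drop it; the rest is the (possibly spaced) nickname
            sub(/[ \t]+$/, "")
            if (trust == "u,u,u") print
        }'
}

# CKA_ID of every private key that certutil -K reports without a certificate.
orphan_keys() {
    sed -n 's/^.*\([0-9a-f]\{40\}\)[[:space:]]*(orphan)[[:space:]]*$/\1/p'
}

# Nicknames that occur more than once in certutil -L (e.g. two chain certs
# imported under the same name), which makes "-n nickname" ambiguous.
duplicate_nicknames() {
    awk '
        NF == 0 || /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ { next }
        { $NF = ""; sub(/[ \t]+$/, ""); print }' | sort | uniq -d
}

# Nickname a renewal script should use: Server-Cert when the database really
# has it with a key, otherwise the single u,u,u entry. Non-zero exit when there
# is none or more than one, so a wrapper cannot silently pick the wrong cert.
pick_server_nickname() {
    names=$(server_nicknames)
    if printf '%s\n' "$names" | grep -qx 'Server-Cert'; then
        echo Server-Cert
        return 0
    fi
    count=$(printf '%s\n' "$names" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly one u,u,u nickname, found $count" >&2
        return 1
    fi
    printf '%s\n' "$names"
}

if [ "${1:-}" = "--demo" ]; then
    echo "server nickname: $(printf '%s\n' "$SAMPLE_CERT_LIST" | pick_server_nickname)"
    echo "orphan keys:     $(printf '%s\n' "$SAMPLE_KEY_LIST"  | orphan_keys)"
    echo "duplicates:      $(printf '%s\n' "$SAMPLE_CERT_LIST" | duplicate_nicknames)"
fi
```

Run with `sh check-nssdb.sh --demo` against the built-in samples; on the posted listing it selects CN=main.domain.io, reports the orphan key ac96e477d65db3ba63213332c30ac7733bf70a10 and the doubled letsencryptx3 nickname. The orphan is worth noting before any cleanup of /etc/httpd/alias: it is a private key the database can no longer associate with a certificate, so nothing renews it and nothing obviously needs it.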
