On 01-10-2020 20:33, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Can I safely do the following?
>>
>> ipa-getcert resubmit -i 20181127141739
>> ipa-getcert resubmit -i 20181127141749
>> ipa-getcert resubmit -i 20181127141750
>> ipa-getcert resubmit -i 20181127141751
> No. Only the renewal master should attempt renewing the certificates.

That conflicts with a remark from Florence in a thread with the subject
"Replica not renewing IPA certificates" in January this year on this mailing 
list.

"Since you are hitting the issue 8164, you can manually force the renewal
on the replica (once the CA renewal master has actually renewed the
cert) with getcert resubmit."

and the feedback from Roderick was

"Thank you very much! The getcert resubmit has successfully renewed all
the certificates in need of renewal."

I'm puzzled, which is it? Can I use "getcert resubmit" or can I not use it?

And, if not, how is the renewal re-triggered (assuming I have manually patched
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to avoid the cookie
problem). Restarting certmonger did not help. Restarting all of IPA did not 
help.
-- Kees

>
> The cookie error was fixed in
> https://bugzilla.redhat.com/show_bug.cgi?id=1788907
>
> A description of what is happening is at
> https://github.com/freeipa/freeipa/commit/b5b9efeb57c010443c33c6f14f831abdbd804e78
>
> Try restarting certmonger.
>
> rob
>
>>
>>
>> On 01-10-2020 17:36, Kees Bakker via FreeIPA-users wrote:
>>>
>>> On the non-renewal masters there are 4 certificates that show
>>> "ca-error: Invalid cookie: u''"
>>>
>>> Request ID '20181127141739':
>>>     ca-error: Invalid cookie: u''
>>>     subject: CN=IPA RA,O=GHS.NL
>>>     expires: 2020-10-26 20:15:48 UTC
>>> Request ID '20181127141749':
>>>     ca-error: Invalid cookie: u''
>>>     subject: CN=CA Audit,O=GHS.NL
>>>     expires: 2020-10-26 20:15:32 UTC
>>> Request ID '20181127141750':
>>>     ca-error: Invalid cookie: u''
>>>     subject: CN=OCSP Subsystem,O=GHS.NL
>>>     expires: 2020-10-26 20:15:31 UTC
>>> Request ID '20181127141751':
>>>     ca-error: Invalid cookie: u''
>>>     subject: CN=CA Subsystem,O=GHS.NL
>>>     expires: 2020-10-26 20:15:32 UTC
>>>
>>> All of them are "system certificates" that are already renewed on the
>>> CA Renewal Master.
>>>
>>> How do I get these renewed? I don't want to run just any command, because
>>> I'm too scared of breaking the system for good.
>>> -- Kees
>>>
>>>
>>> On 01-10-2020 16:07, Kees Bakker via FreeIPA-users wrote:
>>>> This now happened to me too.
>>>>
>>>> The solution in this thread was to copy /var/lib/ipa/ra-agent.* to
>>>> the failing system.
>>>> After that I was able to restart (ipactl restart).
>>>>
>>>> What remains a mystery is **why** this happened.
>>>>
>>>> In my case, we have three CA masters, one is the CA renewal master
>>>> (of course).
>>>> Two days ago, linge, the renewal master, renewed a few certificates.
>>>> Here is a summary
>>>> of journalctl.
>>>>
>>>> [root@linge ~]# journalctl | grep -E 'certmonger|dogtag'
>>>> sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file
>>>> "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
>>>> sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named
>>>> "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" will not be valid after
>>>> 20201026201532.
>>>> sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named
>>>> "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" will not be valid after
>>>> 20201026201531.
>>>> sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named
>>>> "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database
>>>> "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
>>>> sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]:
>>>> dogtag-ipa-renew-agent returned 0
>>>> sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named
>>>> "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database
>>>> "/etc/pki/pki-tomcat/alias" issued by CA and saved.
>>>> sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]:
>>>> dogtag-ipa-renew-agent returned 0
>>>> sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named
>>>> "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
>>>> sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]:
>>>> dogtag-ipa-renew-agent returned 0
>>>> sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file
>>>> "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
>>>> sep 29 13:39:52 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:53 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:54 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:55 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]:
>>>> dogtag-ipa-renew-agent returned 5
>>>> sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]:
>>>> Forwarding request to dogtag-ipa-renew-agent
>>>> sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]:
>>>> dogtag-ipa-renew-agent returned 0
>>>> sep 29 13:40:05 linge.ghs.nl certmonger[17540]: Certificate named
>>>> "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
>>>>
>>>> Today (two days later) I looked at the two other CA masters to see if
>>>> these same certificates were OK.
>>>> I saw this:
>>>>
>>>> [root@iparep3 ~]# journalctl | grep -E 'certmonger|dogtag'
>>>> sep 29 11:22:13 iparep3.ghs.nl certmonger[214479]: Certificate in
>>>> file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
>>>> sep 29 11:22:13 iparep3.ghs.nl certmonger[214480]: Certificate named
>>>> "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" will not be valid after
>>>> 20201026201532.
>>>> sep 29 11:22:13 iparep3.ghs.nl certmonger[214481]: Certificate named
>>>> "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" will not be valid after
>>>> 20201026201531.
>>>> sep 29 11:22:13 iparep3.ghs.nl certmonger[214482]: Certificate named
>>>> "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database
>>>> "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
>>>> sep 29 11:22:15 iparep3.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not
>>>> available
>>>> sep 29 11:22:16 iparep3.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not
>>>> available
>>>> sep 29 11:22:16 iparep3.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[214496]: Updated certificate not
>>>> available
>>>> sep 29 11:22:17 iparep3.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[214505]: Updated certificate not
>>>> available
>>>> sep 29 19:22:18 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:18
>>>> [428] Invalid cookie: u''
>>>> sep 29 19:22:19 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:19
>>>> [428] Invalid cookie: u''
>>>> sep 29 19:22:20 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:20
>>>> [428] Invalid cookie: u''
>>>> sep 29 19:22:29 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:29
>>>> [428] Invalid cookie: u''
>>>>
>>>> [root@rotte ~]# journalctl | grep -E 'certmonger|dogtag'
>>>> sep 29 13:00:55 rotte.ghs.nl certmonger[166381]: Certificate in file
>>>> "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
>>>> sep 29 13:00:55 rotte.ghs.nl certmonger[166382]: Certificate named
>>>> "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" will not be valid after
>>>> 20201026201532.
>>>> sep 29 13:00:55 rotte.ghs.nl certmonger[166383]: Certificate named
>>>> "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in
>>>> database "/etc/pki/pki-tomcat/alias" will not be valid after
>>>> 20201026201531.
>>>> sep 29 13:00:55 rotte.ghs.nl certmonger[166384]: Certificate named
>>>> "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database
>>>> "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
>>>> sep 29 13:00:57 rotte.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not
>>>> available
>>>> sep 29 13:00:58 rotte.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not
>>>> available
>>>> sep 29 13:01:08 rotte.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[166391]: Updated certificate not
>>>> available
>>>> sep 29 13:01:08 rotte.ghs.nl
>>>> dogtag-ipa-ca-renew-agent-submit[166390]: Updated certificate not
>>>> available
>>>> sep 29 21:01:00 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:00
>>>> [97976] Invalid cookie: u''
>>>> sep 29 21:01:01 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:01
>>>> [97976] Invalid cookie: u''
>>>> sep 29 21:01:10 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:10
>>>> [97976] Invalid cookie: u''
>>>> sep 29 21:01:11 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:11
>>>> [97976] Invalid cookie: u''
>>>>
>>>> So, both non-renewal masters tried
>>>> dogtag-ipa-ca-renew-agent-submit, and both failed with
>>>> "Updated certificate not available".
>>>>
>>>> Next, I did a "yum update", hoping to get rid of the invalid cookie.
>>>> This updated ipa from 4.6.5 to 4.6.6
>>>> The update failed because /var/lib/ipa/ra-agent.pem still had the old
>>>> certificate.
>>>>
>>>> After manually copying ra-agent.* to the failing system I was able to
>>>> restart ipa. However, I suspect
>>>> that things are still not right. Too many certs on the non-renewal
>>>> masters still need to be renewed.
>>>> I'm digging further ...
>>>> -- Kees
>>>>
>>>> On 20-11-2019 20:13, Natxo Asenjo via FreeIPA-users wrote:
>>>>> hi,
>>>>>
>>>>> after patching our centos 7 hosts to the latest version today, one
>>>>> of the two replicas is having trouble.
>>>>>
>>>>> [root@kdc2 ~]# ipactl status
>>>>> Directory Service: RUNNING
>>>>> krb5kdc Service: STOPPED
>>>>> kadmin Service: STOPPED
>>>>> named Service: STOPPED
>>>>> httpd Service: RUNNING
>>>>> ipa-custodia Service: STOPPED
>>>>> ntpd Service: STOPPED
>>>>> pki-tomcatd Service: RUNNING
>>>>> smb Service: STOPPED
>>>>> winbind Service: STOPPED
>>>>> ipa-otpd Service: STOPPED
>>>>> ipa-dnskeysyncd Service: STOPPED
>>>>> ipa: INFO: The ipactl command was successful
>>>>>
>>>>> and after digging in the logs I come across this in
>>>>> /var/log/ipaupgrade.log:
>>>>>
>>>>> 2019-11-20T18:18:29Z DEBUG stderr=
>>>>> 2019-11-20T18:18:31Z INFO Certmonger certificate renewal
>>>>> configuration already up-to-date
>>>>> 2019-11-20T18:18:31Z INFO [Enable PKIX certificate path discovery
>>>>> and validation]
>>>>> 2019-11-20T18:18:31Z DEBUG Loading StateFile from
>>>>> '/var/lib/ipa/sysupgrade/sysupgrade.state'
>>>>> 2019-11-20T18:18:31Z INFO PKIX already enabled
>>>>> 2019-11-20T18:18:31Z INFO [Authorizing RA Agent to modify profiles]
>>>>> 2019-11-20T18:18:31Z INFO [Authorizing RA Agent to manage
>>>>> lightweight CAs]
>>>>> 2019-11-20T18:18:31Z INFO [Ensuring Lightweight CAs container exists
>>>>> in Dogtag database]
>>>>> 2019-11-20T18:18:31Z DEBUG Created connection
>>>>> context.ldap2_139740162547472
>>>>> 2019-11-20T18:18:31Z DEBUG flushing
>>>>> ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
>>>>> 2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache
>>>>> url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket
>>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc24b638>
>>>>> 2019-11-20T18:18:31Z DEBUG Destroyed connection
>>>>> context.ldap2_139740162547472
>>>>> 2019-11-20T18:18:31Z INFO [Adding default OCSP URI configuration]
>>>>> 2019-11-20T18:18:31Z INFO [Ensuring CA is using LDAPProfileSubsystem]
>>>>> 2019-11-20T18:18:31Z INFO [Migrating certificate profiles to LDAP]
>>>>> 2019-11-20T18:18:31Z DEBUG Created connection
>>>>> context.ldap2_139740160021648
>>>>> 2019-11-20T18:18:31Z DEBUG flushing
>>>>> ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
>>>>> 2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache
>>>>> url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket
>>>>> conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc289b00>
>>>>> 2019-11-20T18:18:31Z DEBUG Destroyed connection
>>>>> context.ldap2_139740160021648
>>>>> 2019-11-20T18:18:31Z DEBUG request GET
>>>>> https://kdc2.l.domain.it:8443/ca/rest/account/login
>>>>> 2019-11-20T18:18:31Z DEBUG request body ''
>>>>> 2019-11-20T18:18:31Z DEBUG response status 401
>>>>> 2019-11-20T18:18:31Z DEBUG response headers Server: Apache-Coyote/1.1
>>>>> Cache-Control: private
>>>>> Expires: Thu, 01 Jan 1970 01:00:00 CET
>>>>> WWW-Authenticate: Basic realm="Certificate Authority"
>>>>> Content-Type: text/html;charset=utf-8
>>>>> Content-Language: en
>>>>> Content-Length: 951
>>>>> Date: Wed, 20 Nov 2019 18:18:31 GMT
>>>>>
>>>>> 2019-11-20T18:18:31Z DEBUG response body '<html><head><title>Apache
>>>>> Tomcat/7.0.76 - Error report</title><style><!--H1
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;}
>>>>> H2
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;}
>>>>> H3
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;}
>>>>> BODY
>>>>> {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;}
>>>>> B
>>>>> {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;}
>>>>> P
>>>>> {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A
>>>>> {color : black;}A.name {color : black;}HR {color :
>>>>> #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR
>>>>> size="1" noshade="noshade"><p><b>type</b> Status
>>>>> report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This
>>>>> request requires HTTP authentication.</u></p><HR size="1"
>>>>> noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
>>>>> 2019-11-20T18:18:31Z ERROR IPA server upgrade failed: Inspect
>>>>> /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
>>>>> 2019-11-20T18:18:31Z DEBUG   File
>>>>> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178,
>>>>> in execute
>>>>>     return_value = self.run()
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py",
>>>>> line 54, in run
>>>>>     server.upgrade()
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>>>> line 2146, in upgrade
>>>>>     upgrade_configuration()
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>>>> line 2018, in upgrade_configuration
>>>>>     ca_enable_ldap_profile_subsystem(ca)
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py",
>>>>> line 406, in ca_enable_ldap_profile_subsystem
>>>>>     cainstance.migrate_profiles_to_ldap()
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>> line 2027, in migrate_profiles_to_ldap
>>>>>     _create_dogtag_profile(profile_id, profile_data, overwrite=False)
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py",
>>>>> line 2033, in _create_dogtag_profile
>>>>>     with api.Backend.ra_certprofile as profile_api:
>>>>>   File
>>>>> "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line
>>>>> 1315, in __enter__
>>>>>     raise errors.RemoteRetrieveError(reason=_('Failed to
>>>>> authenticate to CA REST API'))
>>>>>
>>>>> 2019-11-20T18:18:31Z DEBUG The ipa-server-upgrade command failed,
>>>>> exception: RemoteRetrieveError: Failed to authenticate to CA REST API
>>>>> 2019-11-20T18:18:31Z ERROR Unexpected error - see
>>>>> /var/log/ipaupgrade.log for details:
>>>>> RemoteRetrieveError: Failed to authenticate to CA REST API
>>>>>
>>>>>
>>>>> In this kdc I see these errors in getcert list:
>>>>>
>>>>> Request ID '20190220182014':
>>>>>         status: MONITORING
>>>>>         ca-error: Invalid cookie: u''
>>>>>         stuck: no
>>>>>         key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>         certificate:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=L.DOMAIN.IT
>>>>>         subject: CN=CA Audit,O=L.DOMAIN.IT
>>>>>         expires: 2019-12-05 13:58:24 UTC
>>>>>         key usage: digitalSignature,nonRepudiation
>>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "auditSigningCert cert-pki-ca"
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20190220182015':
>>>>>         status: MONITORING
>>>>>         ca-error: Invalid cookie: u''
>>>>>         stuck: no
>>>>>         key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>         certificate:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=L.DOMAIN.IT
>>>>>         subject: CN=OCSP Subsystem,O=L.DOMAIN.IT
>>>>>         expires: 2019-12-05 13:58:24 UTC
>>>>>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>>>>>         eku: id-kp-OCSPSigning
>>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "ocspSigningCert cert-pki-ca"
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20190220182016':
>>>>>         status: MONITORING
>>>>>         ca-error: Invalid cookie: u''
>>>>>         stuck: no
>>>>>         key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>         certificate:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=L.DOMAIN.IT
>>>>>         subject: CN=CA Subsystem,O=L.DOMAIN.IT
>>>>>         expires: 2019-12-05 13:58:24 UTC
>>>>>         key usage:
>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "subsystemCert cert-pki-ca"
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>>
>>>>> Request ID '20190220182018':
>>>>>         status: MONITORING
>>>>>         ca-error: Invalid cookie: u''
>>>>>         stuck: no
>>>>>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>>>>>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=L.DOMAIN.IT
>>>>>         subject: CN=IPA RA,O=L.DOMAIN.IT
>>>>>         expires: 2019-12-05 13:58:44 UTC
>>>>>         key usage:
>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>> Request ID '20190220182019':
>>>>>         status: MONITORING
>>>>>         ca-error: Server at
>>>>> "https://kdc2.l.domain.it:8443/ca/agent/ca/profileProcess" replied:
>>>>> 1: Invalid Credential.
>>>>>         stuck: no
>>>>>         key pair storage:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>>>> cert-pki-ca',token='NSS Certificate DB',pin set
>>>>>         certificate:
>>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>>>>> cert-pki-ca',token='NSS Certificate DB'
>>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>>         issuer: CN=Certificate Authority,O=L.DOMAIN.IT
>>>>>         subject: CN=kdc2.l.domain.it,O=L.DOMAIN.IT
>>>>>         expires: 2019-12-10 10:57:52 UTC
>>>>>         key usage:
>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>>>>>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>>>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>>> "Server-Cert cert-pki-ca"
>>>>>         track: yes
>>>>>         auto-renew: yes
>>>>>
>>>>> I still have a working replica, so I could just reinstall and have a
>>>>> working set in a couple of minutes, but I would like to find out
>>>>> what has gone wrong.
>>>>>
>>>>> The systems are running ipa-server-4.6.5-11.el7.centos.3.x86_64
>>>>>
>>>>> Any help welcome ;-)
>>>>>
>>>>> Thanks,
>>>>>
>>>>> --
>>>>> Groeten,
>>>>> natxo
>>>>>
>>>>> _______________________________________________
>>>>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>>>>> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>>>>> Fedora Code of Conduct: 
>>>>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>>>>> List Archives: 
>>>>> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>>>>
>>>
>>
>>
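A check an operator could run on every CA master after an incident like this one, as an added example that is not part of the thread or of FreeIPA itself: it parses `getcert list` output into one record per tracked request and flags those that carry a `ca-error` or whose certificate is expired or close to expiry, so failing renewals on the non-renewal masters surface before the expiry date rather than on it. The input is a constructed sample modelled on the output quoted above; the 28-day threshold and `THREAD_DATE` (used as "now") are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the `getcert list` output quoted in this thread
# (request IDs, subjects and expiry dates are taken from the posts); the last
# request is invented so that the check also has a healthy, unflagged case.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 4.
Request ID '20181127141739':
        status: MONITORING
        ca-error: Invalid cookie: u''
        subject: CN=IPA RA,O=GHS.NL
        expires: 2020-10-26 20:15:48 UTC
Request ID '20181127141749':
        status: MONITORING
        ca-error: Invalid cookie: u''
        subject: CN=CA Audit,O=GHS.NL
        expires: 2020-10-26 20:15:32 UTC
Request ID '20190220182019':
        status: MONITORING
        ca-error: Server at "https://kdc2.l.domain.it:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
        subject: CN=kdc2.l.domain.it,O=L.DOMAIN.IT
        expires: 2019-12-10 10:57:52 UTC
Request ID '20200101000000':
        status: MONITORING
        subject: CN=healthy.example.test,O=GHS.NL
        expires: 2021-06-01 00:00:00 UTC
"""

THREAD_DATE = datetime(2020, 10, 1, 20, 33, tzinfo=timezone.utc)  # used as "now"

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s+([A-Za-z][A-Za-z -]*): ?(.*)$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line) if current is not None else None
        if m:  # indented "name: value" line belonging to the current request
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """Turn certmonger's '2020-10-26 20:15:48 UTC' into an aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check_requests(requests, now=THREAD_DATE, warn_days=28):
    """Return {request_id: [reason, ...]} for every request needing attention."""
    # Flagged: a recorded ca-error (renewal keeps failing, like "Invalid cookie"
    # above), an expired certificate, or expiry within warn_days (assumed value).
    findings = {}
    for req in requests:
        reasons = []
        if "ca-error" in req:
            reasons.append("ca-error: " + req["ca-error"])
        if "expires" in req:
            days_left = (parse_expiry(req["expires"]) - now).days
            if days_left < 0:
                reasons.append("expired %d days ago" % -days_left)
            elif days_left < warn_days:
                reasons.append("expires in %d days" % days_left)
        if reasons:
            findings[req["request_id"]] = reasons
    return findings


if __name__ == "__main__":
    # On a live master, feed it subprocess.check_output(["getcert", "list"], text=True)
    # and now=datetime.now(timezone.utc) instead of the constructed sample.
    for rid, reasons in check_requests(parse_getcert_list(SAMPLE_GETCERT_OUTPUT)).items():
        print(rid, "->", "; ".join(reasons))
```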
