So I have this problem where the certificates have expired. I created a new 
one, but when trying to apply the new certs using ipa-server-certinstall, 
http works, but when trying to get it to apply to ldap it fails with a 
"peer's certificate issuer is not recognized".

Looking at the logs, it looks like the PKI-TOMCAT instance keeps failing; 
following that, the CA is not running, and continuing to follow the trail, 
the certmonger service is failing to start as well with a variety of errors.

So my path now is a) keep trying to recover or b) do a reinstall.

If I choose option b, will any data (ldap or otherwise) be completely wiped? 
I'm interested in preserving the DNS and user/group data more than anything.

Running IPA 4.8.7-12 on CentOS 8.

getcert list output:

Request ID '20200412103127':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080335':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080336':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.xxxx.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
--
Request ID '20210102080337':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080338':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.xxxx.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
--
Request ID '20210102080339':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080340':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210104092449':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XXXX-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-XXXX-NET/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-XXXX-NET',nickname='Server-Cert'
        CA: IPA
--
Request ID '20210104093724':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/etc/letsencrypt/live/ipa.xxxx.net/privkey.pem'
        certificate: type=FILE,location='/etc/letsencrypt/live/ipa.xxxx.net/fullchain.pem'
        CA: IPA
        issuer: CN=R3,O=Let's Encrypt,C=US

(domain info edited out)

I can provide whatever log/output is needed to help me get past this problem. 
Thanks.
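Reading a long getcert list by eye is error-prone, so here is a small parser and triage helper written for this page as an added example (not FreeIPA's code and not the poster's). The sample input is a constructed two-record excerpt in the line-wrapped form such output has when pasted from mail; the parser re-joins those wrapped values, and triage() lists only the requests that are not simply MONITORING, which on this list are exactly the ones blocked on the unreachable CA or stuck.

```python
import re
# Constructed sample: two records modelled on the post, in mail-wrapped form.
SAMPLE = """\
Request ID '20210102080338':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to
http://ipa.xxxx.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
Request ID '20210104092449':
        status: CA_UNCONFIGURED
        ca-error: Unable to determine principal name for signing request.
        stuck: yes
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-XXXX-NET',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-XXXX-NET/pwdfile.txt'
"""


def parse_getcert_list(text):
    """One dict per request; un-indented lines are re-joined as wrapped values."""
    requests, cur, key = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur, key = {"id": m.group(1)}, None
            requests.append(cur)
        elif cur is None or line in ("", "--"):
            continue
        elif raw.startswith(("\t", "  ")):      # getcert indents every field
            key, _, value = line.partition(":")
            cur[key] = value.strip()
        elif key:   # mail-wrapped continuation: re-join at the line break
            cur[key] += ("" if not cur[key] or raw.startswith(" ") else " ") + raw.rstrip()
    return requests


def triage(requests):
    """(id, nickname, problems) for every request that is not simply MONITORING."""
    out = []
    for r in requests:
        problems = [r.get("status", "?")] if r.get("status") != "MONITORING" else []
        problems += ["stuck"] * (r.get("stuck") == "yes") + [r.get("ca-error")] * ("ca-error" in r)
        if problems:
            m = re.search(r"nickname='([^']*)'", r.get("key pair storage", ""))
            out.append((r["id"], m.group(1) if m else "?", "; ".join(problems)))
    return out
```

Run it on the real thing with `parse_getcert_list(open("list.txt").read())` after saving `getcert list` output to a file; the same CA URL appearing in every ca-error is the sign that the CA itself is down rather than any one certificate being bad.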
_______________________________________________
FreeIPA-users mailing list -- [email protected]