I'm trying to fix a FreeIPA 4.6 cluster running on CentOS 7 that has expired directory and HTTP certificates. I turned back the clock so that the certs would be valid and am trying to run ipa-cert-fix, but it's failing with:

    INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
    INFO: Fixing the following system certs: ['sslserver']
    INFO: Renewing the following additional certs: ['21']
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    INFO: Stopping the instance to proceed with system cert renewal
    INFO: Configuring LDAP password authentication
    INFO: Setting pkidbuser password via ldappasswd
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    INFO: Selftests disabled for subsystems: ca
    INFO: Resetting password for uid=ipara,ou=people,o=ipaca
    SASL/EXTERNAL authentication started
    SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
    SASL SSF: 0
    INFO: Creating a temporary sslserver cert
    INFO: Getting sslserver cert info for ca
    INFO: Trying to create a new temp cert for sslserver.
    INFO: Generate temp SSL certificate
    INFO: Getting sslserver cert info for ca
    INFO: Selftests enabled for subsystems: ca
    INFO: Restoring previous LDAP configuration
    ERROR: Unable to find CSR for sslserver cert

After doing some searching I found https://access.redhat.com/solutions/4852721, but the instructions aren't applying to me because there's no CSR in the request:

    Request ID '20210601131820':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=RHELENT.LAN
        subject: CN=CA Subsystem,O=RHELENT.LAN
        expires: 2023-05-01 18:04:11 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes

Then look for a CSR:

    [root@freeipa ~]# grep -A 19 csr /var/lib/certmonger/requests/20210601131820
    [root@freeipa ~]#

Is there something I can do to get the CA subsystem cert re-issued?

Thanks
Marc Boorshtein
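A small triage helper, added here and not part of the original post or of FreeIPA/certmonger itself: it parses `getcert list`-style output like the record above and reports every tracked request that is expired, stuck, or not in MONITORING, judged against the real date rather than a rolled-back system clock. The sample records are constructed (the second request, its nickname and its paths are hypothetical), and the expiry comparison assumes certmonger prints times in UTC as shown in the post.

```python
import re
from datetime import datetime

# Constructed sample in the shape of `getcert list` output: the CA subsystem
# request from the post plus a second, stuck request (hypothetical values).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20210601131820':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	expires: 2023-05-01 18:04:11 UTC
Request ID '20210601131900':
	status: CA_UNREACHABLE
	stuck: yes
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	expires: 2023-01-10 09:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per request, keyed by each line's label."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def needing_attention(text, today_utc):
    """Return [(id, nickname, reasons)] for requests that are expired, stuck or not MONITORING.
    `today_utc` is a 'YYYY-MM-DD' string: pass the true date, not a rolled-back clock."""
    now = datetime.strptime(today_utc, "%Y-%m-%d")
    report = []
    for req in parse_getcert(text):
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")  # naive, UTC
        reasons = []
        if expires <= now:
            reasons.append("expired")
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if req.get("status") != "MONITORING":
            reasons.append("status=" + req.get("status", "?"))
        if reasons:  # the nickname names the NSS DB entry that needs renewal
            nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
            report.append((req["id"], nick.group(1) if nick else None, reasons))
    return report
```

Feed it the real output with `needing_attention(open("getcert.txt").read(), "2023-06-01")` (or the current date) to get a list of request IDs to work through, independent of what the rolled-back clock says.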
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
