Marc Boorshtein via FreeIPA-users wrote:
> I'm trying to fix a freeipa 4.6 cluster running on centos 7 that has
> expired directory and http certificates. I turned back the clock so
> that the certs would be valid and am trying to run ipa-cert-fix but it's
> failing with:
>
> INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
> INFO: Fixing the following system certs: ['sslserver']
> INFO: Renewing the following additional certs: ['21']
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> INFO: Stopping the instance to proceed with system cert renewal
> INFO: Configuring LDAP password authentication
> INFO: Setting pkidbuser password via ldappasswd
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> INFO: Selftests disabled for subsystems: ca
> INFO: Resetting password for uid=ipara,ou=people,o=ipaca
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> INFO: Creating a temporary sslserver cert
> INFO: Getting sslserver cert info for ca
> INFO: Trying to create a new temp cert for sslserver.
> INFO: Generate temp SSL certificate
> INFO: Getting sslserver cert info for ca
> INFO: Selftests enabled for subsystems: ca
> INFO: Restoring previous LDAP configuration
> ERROR: Unable to find CSR for sslserver cert
>
> After doing some searching I found https://access.redhat.com/solutions/4852721
> but the instructions aren't applying to me because there's no CSR in the request:
>
> Request ID '20210601131820':
> 	status: MONITORING
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> 	CA: dogtag-ipa-ca-renew-agent
> 	issuer: CN=Certificate Authority,O=RHELENT.LAN
> 	subject: CN=CA Subsystem,O=RHELENT.LAN
> 	expires: 2023-05-01 18:04:11 UTC
> 	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
>
> then look for a csr:
>
> [root@freeipa ~]# grep -A 19 csr /var/lib/certmonger/requests/20210601131820
> [root@freeipa ~]#
>
> Is there something I can do to get the ca subsystem cert re-issued?
It didn't fail on the subsystem certificate, it failed on the TLS certificate for the CA itself (it seems). You can check that with:

getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"

If it expires in 2023 then you're ok with the CA anyhow.

rob
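As an added illustration of the check Rob suggests (this is not code from the thread, from FreeIPA or from certmonger), the snippet below parses `getcert list` output and reports which tracked certificates are already expired relative to a reference time you pass in, so the comparison is made against the real clock rather than a clock that was turned back. The sample listing is constructed: the second request id, its hostname and its dates are made up, and only the fields needed for the check are kept.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on certmonger's `getcert list` layout (not real output).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20210601131820':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=CA Subsystem,O=RHELENT.LAN
\texpires: 2023-05-01 18:04:11 UTC
Request ID '20210601131900':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tsubject: CN=ipa.example.test,O=RHELENT.LAN
\texpires: 2021-05-20 09:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']*)'")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"   # certmonger prints expiry in UTC

def parse_getcert_list(text):
    """Return {request_id: {field: value}}; field lines are the indented ones."""
    requests, current = {}, None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def parse_utc(stamp):
    """Turn certmonger's 'YYYY-MM-DD HH:MM:SS UTC' into an aware datetime."""
    return datetime.strptime(stamp, TIME_FMT).replace(tzinfo=timezone.utc)

def expired_requests(requests, now):
    """(request_id, nickname) for every cert whose 'expires' is not after `now`.
    Pass the real current time: with the system clock turned back, tools that
    trust that clock will report an expired cert as still valid."""
    found = []
    for rid, fields in sorted(requests.items()):
        if "expires" in fields and parse_utc(fields["expires"]) <= now:
            nick = NICK_RE.search(fields.get("certificate", ""))
            found.append((rid, nick.group(1) if nick else None))
    return found
```

On a live server, feed it the output of `getcert list` (or `getcert list -d /etc/pki/pki-tomcat/alias`) and `datetime.now(timezone.utc)` taken from a host whose clock has not been altered.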