>
> Looks like you're running into
> https://bugzilla.redhat.com/show_bug.cgi?id=1780782
>
> The fix wasn't backported to the ipa-4.6 branch.
>
> Try retrieving the CSR from certmonger as suggested in the BZ.
>
>

I tried that, bot no change:

# grep -A 19 csr  /var/lib/certmonger/requests/20210601131824
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQ
 QSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3yd
 DSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvN
 YfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i
 6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0N
 RgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWI
 pb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eo
 Dh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAx
 ADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNV
 HSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNV
 HQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEB
 AH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh
 0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULC
 BG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yM
 zHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EE
 Tl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv
 0DU4gR7eTcjzO7TcKELQnBs=
 -----END NEW CERTIFICATE REQUEST-----
spkac=MIICQDCCASgwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCcIVkHdf/e6Ad8nQ0kKjs92ZQTNA8oAVn5VoG5zFbKn/xx6cPpA2XquZkSetv+tv3p3tufxOkLmDjrzWH8HCXWqhkUYVy5VEWLCoHl8pivGOfPv/e/sj+GEXtf0BMNDKIDMGP/qL9gTiMvoujprGYbiL+mYDxF6jKl4JvVT9PNrrsB9Hi7utPh+LLVa/QbBbwusDm9zepyCKXdDUYIzExVDy8gVqsNUe6vncmjXBg1Ih8nGCzt6v/BfWEMjhlQv2NabIFx990b7hJFiKW/Bh45qkj6TFgafBIWbF3OoOI7w+LA+8JQpSyib8//l6t41cZBPpDzDteC0VPnqA4e3OtzAgMBAAEWADANBgkqhkiG9w0BAQsFAAOCAQEANLPk6UZoMcMh1HC+0aUOPqpxfNbenr4Vy32ieKuUZYdESXlKdutuIZStCAGobduEEABpQg9hj54R3l8ruFTGdNy+Yd4vXglDFfYUtHid0VV0PTy9DF7pa2brWR6OMysR9EquR4eAWvTIwF6oFFz+b/5FBY6mQa67DPiK7gVd4a39JolPGpMmvxXrCgIF3008jtlhsZwkNosFkHYwMryqLoNwi2I9mPqOv/ZeGq6ymHMi+P7IZnsKqt16sZQJXLpAbnKpc9RiJSxYrDGUB6O0wbqkyjaTrFMLHbM+xSJxN66OoUAkd80mYvS2xEYeqm5IqtoG2uTjo3z5RbKiaOHfrw==

Then, added

ca.cert.sslserver.certreq=MIIDDTCCAfUCAQAwJzEUMBIGA1UECgwLUkhFTEVOVC5MQU4xDzANBgNVBAMMBklQQSBSQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwhWQd1/97oB3ydDSQqOz3ZlBM0DygBWflWgbnMVsqf/HHpw+kDZeq5mRJ62/62/ene25/E6QuYOOvNYfwcJdaqGRRhXLlURYsKgeXymK8Y58+/97+yP4YRe1/QEw0MogMwY/+ov2BOIy+i6OmsZhuIv6ZgPEXqMqXgm9VP082uuwH0eLu60+H4stVr9BsFvC6wOb3N6nIIpd0NRgjMTFUPLyBWqw1R7q+dyaNcGDUiHycYLO3q/8F9YQyOGVC/Y1psgXH33RvuEkWIpb8GHjmqSPpMWBp8EhZsXc6g4jvD4sD7wlClLKJvz/+Xq3jVxkE+kPMO14LRU+eoDh7c63MCAwEAAaCBoDArBgkqhkiG9w0BCRQxHh4cADIAMAAyADEAMAA2ADAAMQAxADMAMQA4ADIAMzBxBgkqhkiG9w0BCQ4xZDBiMA4GA1UdDwEBAAQEAwIE8DAgBgNVHSUBAQAEFjAUBggrBgEFBQcDAQYIKwYBBQUHAwIwDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQAEFgQU+KhKXfD/PdXMbPumFzZncl96xmswDQYJKoZIhvcNAQELBQADggEBAH0LQGM63xHZP0GQsV28kcqIVr5qcnJugRwXPpJ90Hbp+MGjHrhS4vAWRRULRnAh0t5XziT95j3UuixFCt8pe5yoy/YPiczR7Hkk/s+JVV8iNuqO6vvFe32yIKTpaULCBG6S38F7WVoj4+Gv9rq2nY9U02NFzGlujip7gtrnTMaGQ7KOu+J/vksICOwe9/yMzHjw5t+p1Ltbk4691fcmV9iZp0FR5bSAUweFJnO+er3ovPqtDtGf+LfTaaAWB3EETl1aoswI4YtpFWtuN3A9RU0z42Q1VDau6ITj05zLJRE3MhZsZY5OjuRTMlpoSqxv0DU4gR7eTcjzO7TcKELQnBs=

to /etc/pki/pki-tomcat/ca/CS.cfg, then run:

# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  Serial:  23
  Expires: 2021-06-08 16:53:15

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=RHELENT.LAN
  Serial:  21
  Expires: 2021-06-08 16:52:45

Enter "yes" to proceed: yes
Proceeding.
Command 'pki-server cert-fix --ldapi-socket
/var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver
--extra-cert 21' returned non-zero exit status 1
The ipa-cert-fix command failed.
[root@freeipa ca]# pki-server cert-fix --ldapi-socket
/var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver
--extra-cert 21
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert

thanks
Marc
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure

Reply via email to