Hi,

in your previous email, the output of certutil shows that the new root CA
isn't trusted in some databases (the trust flags are ,, instead of CT,C,C).
You can change the trust flags with:
certutil -M -t CT,C,C -d <path/to/db> -n <nickname>

The second thing to take into account: if you change the date to the past in
order to renew a certificate, you need to pick a date where all certificates
are still valid and also *already* valid. For instance, if the LDAP cert was
renewed on March 1, 2022 and is already in use, you cannot pick a date before
this "valid from" date.
Are you able to find such a date in the past and successfully start all IPA
services without the --ignore-service-failure option? If yes, then you
should be able to launch "getcert resubmit -i 20170113205244" in order to
renew ipaCert.

flo
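An added example, not part of flo's reply or of FreeIPA's own tooling, that turns the date-picking rule above into a check: it parses the notBefore/notAfter lines that "openssl x509 -noout -dates" prints for each certificate, computes the window in which every certificate is both already valid and still valid, and names the certificate that rules a candidate date out. The sample dates are constructed: the expiries are taken from the getcert output in the thread, the "valid from" values are assumed, since the thread never shows them.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the two lines `openssl x509 -noout -dates -in <cert>`
# prints per certificate.  Expiries match the getcert output in the thread;
# the notBefore values are ASSUMED and chosen to reproduce the problem
# described there: the new CA cert starts (Mar 4) after the old
# subsystemCert expires (Mar 3), so no single rollback date fits all certs.
SAMPLE_DATES = {
    "LR Tech inc. Root CA 2022": ("notBefore=Mar  1 00:00:00 2022 GMT",
                                  "notAfter=Mar  1 00:00:00 2042 GMT"),
    "caSigningCert cert-pki-ca": ("notBefore=Mar  4 14:26:48 2022 GMT",
                                  "notAfter=Mar  4 14:26:48 2027 GMT"),
    "Server-Cert (dirsrv)":      ("notBefore=Mar  3 06:00:39 2022 GMT",
                                  "notAfter=Mar  3 06:00:39 2024 GMT"),
    "subsystemCert cert-pki-ca": ("notBefore=Mar  3 20:49:21 2020 GMT",
                                  "notAfter=Mar  3 20:49:21 2022 GMT"),
}
OPENSSL_DATE = "%b %d %H:%M:%S %Y GMT"

def utc(*args):
    """Shorthand for an aware UTC datetime, e.g. utc(2022, 3, 14, 13, 31)."""
    return datetime(*args, tzinfo=timezone.utc)

def parse_openssl_date(line):
    """'notBefore=Mar  1 19:02:05 2022 GMT' -> aware UTC datetime."""
    value = line.split("=", 1)[1].strip()
    return datetime.strptime(value, OPENSSL_DATE).replace(tzinfo=timezone.utc)

def validity_window(certs):
    """(start, end) of the interval in which every certificate is valid:
    the latest notBefore and the earliest notAfter.  start >= end means
    there is no common window at all."""
    start = max(parse_openssl_date(nb) for nb, _ in certs.values())
    end = min(parse_openssl_date(na) for _, na in certs.values())
    return start, end

def blockers(certs, candidate):
    """Which certificates rule out `candidate` as a rollback date, and why."""
    out = []
    for name, (nb, na) in certs.items():
        not_before, not_after = parse_openssl_date(nb), parse_openssl_date(na)
        if candidate < not_before:
            out.append((name, "not yet valid, starts %s" % not_before))
        elif candidate > not_after:
            out.append((name, "already expired %s" % not_after))
    return out

def pick_rollback_date(certs, now, margin=timedelta(hours=1)):
    """Latest date no later than `now` at which every cert is valid, kept
    `margin` before the first expiry so the renewal has time to finish.
    Returns None when no such date exists (as with SAMPLE_DATES)."""
    start, end = validity_window(certs)
    candidate = min(end - margin, now)
    return candidate if candidate >= start else None
```

With the sample as given, pick_rollback_date returns None; replacing the CA cert's assumed "valid from" with March 1 (what the thread describes doing) yields a narrow window on March 3, between the renewed LDAP cert's start and the old subsystemCert's expiry.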

On Mon, Mar 14, 2022 at 1:31 PM Eric Boisvert via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Good morning Everyone,
>
> I made little progress this weekend. I'm currently in a state where all my
> services in the ipactl status command are running, but if I restart, the
> pki-tomcatd service shows netscape.ldap.LDAPException: Authentication failed
> (48) in the debug output when executing ipactl -r restart
> --ignore-service-failure.
>
> The new output of getcert list looks like the following:
>
> > # getcert list
> > Number of certificates and requests being tracked: 8.
> > Request ID '20170113205242':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-ca-renew-agent
> >         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> >         subject: CN=CA Audit,O=QC.LRTECH.CA
> >         expires: 2024-03-01 19:02:05 UTC
> >         key usage: digitalSignature,nonRepudiation
> >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20170113205243':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-ca-renew-agent
> >         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> >         subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
> >         expires: 2024-03-01 19:01:55 UTC
> >         eku: id-kp-OCSPSigning
> >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20170113205244':
> >         status: CA_UNREACHABLE
> >         ca-error: Error 60 connecting to https://dc01.qc.lrtech.ca:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-ca-renew-agent
> >         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> >         subject: CN=CA Subsystem,O=QC.LRTECH.CA
> >         expires: 2022-03-03 20:49:21 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20170113205245':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-ca-renew-agent
> >         issuer: E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA
> >         subject: CN=Certificate Authority,O=QC.LRTECH.CA
> >         expires: 2027-03-04 14:26:48 UTC
> >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20170113205246':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >         CA: dogtag-ipa-ca-renew-agent
> >         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> >         subject: CN=IPA RA,O=QC.LRTECH.CA
> >         expires: 2024-03-01 19:02:15 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> >         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> >         track: yes
> >         auto-renew: yes
> > Request ID '20170113205247':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >         CA: dogtag-ipa-renew-agent
> >         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> >         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
> >         expires: 2024-03-01 18:56:41 UTC
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> >         track: yes
> >         auto-renew: yes
> > Request ID '20170113205302':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QC-LRTECH-CA/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> >         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
> >         expires: 2024-03-03 06:00:39 UTC
> >         principal name: ldap/freeipa.qc.lrtech...@qc.lrtech.ca
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv QC-LRTECH-CA
> >         track: yes
> >         auto-renew: yes
> > Request ID '20220304195651':
> >         status: MONITORING
> >         stuck: no
> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >         CA: IPA
> >         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
> >         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
> >         expires: 2024-03-03 06:00:49 UTC
> >         dns: freeipa.qc.lrtech.ca
> >         principal name: HTTP/freeipa.qc.lrtech...@qc.lrtech.ca
> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >         eku: id-kp-serverAuth,id-kp-clientAuth
> >         pre-save command:
> >         post-save command:
> >         track: yes
> >         auto-renew: yes
>
> There's something wrong with the Request ID '20170113205244'.
> I get "Error 60 connecting to
> https://dc01.qc.lrtech.ca:8443/ca/agent/ca/profileReview: Peer
> certificate cannot be authenticated with given CA certificates."
>
> I found this link on Rob's blog
> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
> but it didn't work for me or I forgot to update something.
>
> Also, I might have messed up something when I tried to create my Root and
> FreeIPA certificates for the first time. I forgot to change the date, and
> the newly created certificate's "valid from" time (2022-03-04) was after the
> expiration date of the old one (2022-03-03). To fix this issue I created
> new Root and FreeIPA certificates (2022-03-01), and this might explain why
> some certificates were renewed on March 1, 3 and 4.
>
> Thank you for your help
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure