Hi,

On Mon, May 16, 2022 at 5:19 PM Serge Krawczenko via FreeIPA-users <[email protected]> wrote:

> Greetings, all
>
> I've been observing multiple issues for some time, unable to enroll new clients etc.
> Finally found out that the possible root cause is the expired Server-Cert cert-pki-ca and therefore pki-tomcat service won't start
>
> Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/
>
> Request ID '20171204131518':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=....
>         subject: CN=....
>         expires: 2022-04-25 17:06:51 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>
> Other certs in /etc/pki/pki-tomcat/alias/ seem to be ok but this one.
>

Which IPA version do you have? The tool ipa-cert-fix was introduced with ipa 4.7.3+ and may help you solve certificate renewal issues. But before you start anything, please make sure to identify which server is your CA renewal master and follow the instructions from https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_certificates_in_idm/index#renewing-expired-system-certificates-on-a-ca_renewing-expired-system-certificates-when-idm-is-offline

flo

> I'd like to understand how to perform the forced update for this one, I assume it must be renewed automatically though
>
> I tried to invoke post-save command manually but no luck.
> Appreciate any ideas
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
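A check for the situation described in this thread (a tracked certificate that is already expired yet certmonger still lists it as MONITORING), as an added example that is not part of the thread and not FreeIPA or certmonger code: it parses `getcert list` output and reports each tracked certificate as expired, expiring or ok. The sample output is constructed from the listing quoted above; the second Request ID, its nickname and its expiry date are invented.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the getcert output quoted in the thread; the
# second Request ID, its nickname and its expiry date are invented.
SAMPLE_GETCERT_LIST = """\
Request ID '20171204131518':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2022-04-25 17:06:51 UTC
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
Request ID '20171204131519':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2023-01-10 09:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'field: value' pairs per Request ID."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # first ':' only; times keep theirs
            current[key.strip()] = value.strip()
    return entries

def audit_expiry(text, now_iso, warn_days=30):
    """Return (request_id, nickname, status, state, days_left) per tracked cert.

    state is 'expired', 'expiring' (within warn_days) or 'ok'. An expired cert
    still in status MONITORING is the case from the thread: certmonger never
    replaced it, so the service that needs it (pki-tomcat) cannot start.
    """
    now = datetime.fromisoformat(now_iso)  # e.g. datetime.now(timezone.utc).isoformat()
    report = []
    for e in parse_getcert_list(text):
        nick = re.search(r"nickname='([^']+)'", e.get("certificate", ""))
        # getcert prints the expiry as 'YYYY-MM-DD HH:MM:SS UTC'
        expires = datetime.strptime(e["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        days_left = int((expires.replace(tzinfo=timezone.utc) - now).total_seconds() // 86400)
        state = "expired" if days_left < 0 else "expiring" if days_left <= warn_days else "ok"
        report.append((e["request_id"], nick.group(1) if nick else None, e.get("status"), state, days_left))
    return report
```

On a live server, feed it the real `getcert list -d /etc/pki/pki-tomcat/alias/` output and the current UTC time; a row that is expired while its status is still MONITORING is the one to hand to ipa-cert-fix, after identifying the CA renewal master as flo advises.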
