Hi,

This time I can't blame certmonger for not renewing my FreeIPA certs, because they were not added to the tracking list. Now I have manually added them by following the KB article "https://access.redhat.com/articles/4062581". Once added, I followed the KB article "https://access.redhat.com/solutions/3357261" to update them manually. Even after performing all the steps, where I had to reverse the system time and submit the manual renewal request using the "ipa-getcert resubmit -i [Request ID]" command, I have had no luck renewing the following ones:

  "auditSigningCert cert-pki-ca"
  "ocspSigningCert cert-pki-ca"
  "subsystemCert cert-pki-ca"
  "Server-Cert cert-pki-ca"

Here is my getcert list command output:

Number of certificates and requests being tracked: 8.
Request ID '20220903192955':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=CA Audit,O=XYZ.COM
        expires: 2022-07-07 09:02:50 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193147':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=OCSP Subsystem,O=XYZ.COM
        expires: 2022-07-07 09:01:40 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193259':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=CA Subsystem,O=XYZ.COM
        expires: 2022-07-27 16:09:07 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193355':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2022-07-27 16:08:27 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193457':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2024-07-06 13:07:27 UTC
        principal name: krbtgt/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20220903193541':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=IPA RA,O=XYZ.COM
        expires: 2022-07-27 16:08:37 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20220903193608':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2024-07-06 13:08:14 UTC
        principal name: HTTP/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20220903194017':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XYZ.COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-XYZ.COM/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-XYZ.COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2024-07-06 13:08:32 UTC
        principal name: ldap/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv slapd-XYZ.COM
        track: yes
        auto-renew: yes

Here is the output of the ipactl status command; all services run, but pki-tomcatd Service: STOPPED

[root@hq-idm-lxd-01 tmp]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

The output of the log /var/log/pki/pki-tomcat/ca/debug:

Internal Database Error encountered: Could not connect to LDAP server host hq-idm-lxd-01.linuxdev.addev.ssa.gov port 636 Error netscape.ldap.LDAPException: Authentication failed (48)

Finally:

[root@hq-idm-lxd-01 tmp]# ipa --version
VERSION: 4.6.5, API_VERSION: 2.231
[root@hq-idm-lxd-01 tmp]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)

Due to my limited knowledge of certs and IPA, I would like someone to help me mitigate this issue. I have exhausted all my resources but still no luck.

VR
Z Sahibzada

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
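The post above works through a long `getcert list` dump by eye: which requests carry a ca-error, which certificates have already expired, and how far back the clock has to go for the rollback-and-resubmit procedure in the cited KB article (the clock must be set to a moment before the earliest expiry of the certificates being renewed). The shell helpers below do that triage mechanically. They are an added example, not code from the original post, the FreeIPA project or certmonger; they only read certmonger's text output. The embedded sample is constructed (realm EXAMPLE.COM, host idm-01.example.com, and the request IDs are made up) and mimics the shape of the output shown in the post.

```shell
#!/bin/sh
# Added example: triage helpers for `getcert list` output (not from the post).
# Works with POSIX sh + awk; field names follow certmonger's output format.

# Constructed stand-in for `getcert list`: two pki-tomcat certs that carry the
# ca-error seen in the post, plus one healthy httpd cert. Not real data.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20220903192955':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2022-07-07 09:02:50 UTC
    track: yes
    auto-renew: yes
Request ID '20220903193259':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2022-07-27 16:09:07 UTC
    track: yes
    auto-renew: yes
Request ID '20220903193608':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=idm-01.example.com,O=EXAMPLE.COM
    expires: 2024-07-06 13:08:14 UTC
    principal name: HTTP/idm-01.example.com@EXAMPLE.COM
    track: yes
    auto-renew: yes
EOF
}

# One tab-separated line per tracked request, read from stdin:
#   request-id <TAB> nickname-or-file <TAB> expires <TAB> status <TAB> ca-error ("-" if none)
getcert_summary() {
    awk -v q="'" '
    function flush() {
        if (id != "")
            printf "%s\t%s\t%s\t%s\t%s\n", id, name, expires, status, (err == "" ? "-" : err)
        id = ""; name = ""; expires = ""; status = ""; err = ""
    }
    # Return the value of key=... on the current line, without the quotes.
    function quoted(key,   re) {
        re = key "=" q "[^" q "]*" q
        if (match($0, re))
            return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
        return ""
    }
    /^Request ID /         { flush(); id = $3; gsub(/[^0-9]/, "", id); next }
    /^[ \t]*status: /      { sub(/^[ \t]*status: /, "");   status  = $0; next }
    /^[ \t]*ca-error: /    { sub(/^[ \t]*ca-error: /, ""); err     = $0; next }
    /^[ \t]*expires: /     { sub(/^[ \t]*expires: /, "");  expires = $0; next }
    /^[ \t]*certificate: / { name = quoted("nickname"); if (name == "") name = quoted("location"); next }
    END { flush() }
    '
}

# Request IDs whose last renewal attempt failed (candidates for
# `ipa-getcert resubmit -i <id>` once the underlying cause is fixed).
failing_requests() {
    getcert_summary | awk -F'\t' '$5 != "-" { print $1 }'
}

# Certificates already expired at the given instant ("YYYY-MM-DD HH:MM:SS UTC").
# certmonger prints expiry in that fixed format, so plain string order is time order.
expired_before() {
    getcert_summary | awk -F'\t' -v now="$1" '$3 != "" && $3 < now { print $2 }'
}

# Earliest expiry among all tracked certs: for the clock-rollback renewal
# procedure the system time has to be set to a moment before this.
earliest_expiry() {
    getcert_summary | awk -F'\t' '$3 != "" && (min == "" || $3 < min) { min = $3 } END { print min }'
}

# Demo on the constructed sample; on a live server use `getcert list | getcert_summary`.
if [ "${1:-}" = "--demo" ]; then
    sample_getcert | getcert_summary
    printf 'earliest expiry: %s\n' "$(sample_getcert | earliest_expiry)"
fi
```

On a real server pipe `getcert list` into these functions instead of `sample_getcert`. The `expired_before` check is the one to run before touching the clock: anything it lists for the current date is what the rollback has to cover, and `earliest_expiry` gives the latest date the clock can be set to and still have every tracked certificate valid.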
[Freeipa-users] yet another certificate renewal issue
Ahmad Sahibzada via FreeIPA-users Sat, 03 Sep 2022 21:54:01 -0700
