Hi , This time I can't blame certmonger for not renewing my freeipa certs 
because they were not added to the tracking list. Now I have manually added 
them by following the KB article "https://access.redhat.com/articles/4062581";. 
Once added i followed the following article to update it manually by following 
the KB article "https://access.redhat.com/solutions/3357261";. Even performing 
all the steps where i had to reverse the system time and submitting the manual 
renewal request using "ipa-getcert resubmit -i [Request ID]" command, i have no 
luck renewing the following one.
"auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert 
cert-pki-ca" "Server-Cert cert-pki-ca". Here is my getcert list command output:
Number of certificates and requests being tracked: 8.
Request ID '20220903192955':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=CA Audit,O=XYZ.COM
        expires: 2022-07-07 09:02:50 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193147':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=OCSP Subsystem,O=XYZ.COM
        expires: 2022-07-07 09:01:40 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193259':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=CA Subsystem,O=XYZ.COM
        expires: 2022-07-27 16:09:07 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193355':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2022-07-27 16:08:27 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20220903193457':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2024-07-06 13:07:27 UTC
        principal name: krbtgt/[email protected]
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        certificate template/profile: KDCs_PKINIT_Certs
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20220903193541':
        status: MONITORING
        ca-error: Unable to determine principal name for signing request.
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=IPA RA,O=XYZ.COM
        expires: 2022-07-27 16:08:37 UTC
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20220903193608':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2024-07-06 13:08:14 UTC
        principal name: HTTP/[email protected]
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20220903194017':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-XYZ.COM',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-XYZ.COM/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-XYZ.COM',nickname='Server-Cert',token='NSS
 Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=XYZ.COM
        subject: CN=hq-idm-lxd-01.xyz.com,O=XYZ.COM
        expires: 2024-07-06 13:08:32 UTC
        principal name: ldap/[email protected]
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
slapd-XYZ.COM
        track: yes
        auto-renew: yes
Here is the output of the ipactl status command, all services run but 
pki-tomcatd Service: STOPPED
[root@hq-idm-lxd-01 tmp]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
The output of the log /var/log/pki/pki-tomcat/ca/debug
  Internal Database Error encountered: Could not connect to LDAP server host 
hq-idm-lxd-01.linuxdev.addev.ssa.gov port 636 Error 
netscape.ldap.LDAPException: Authentication failed (48)
Finally 
[root@hq-idm-lxd-01 tmp]# ipa --version
VERSION: 4.6.5, API_VERSION: 2.231
[root@hq-idm-lxd-01 tmp]# cat /etc/redhat-release
CentOS Linux release 7.7.1908 (Core)
Due to my limited knowledge of certs and IPA , i would like someone to help me 
mitigate this issue. I have exhausted all my resources but still no luck
VR
Z Sahibzada
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue

Reply via email to