Mm. Actually, I'm not so sure. Am I not interpreting the "getcert list" results correctly? When it says CA_UNREACHABLE because the cert expired, isn't that the CA Cert?
Number of certificates and requests being tracked: 9. Request ID '20201114211025': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=[domain.com] subject: CN=IPA RA,O=[domain.com] expires: 2022-11-04 14:10:27 MDT key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/lib/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20201114211106': status: NEED_CSR_GEN_TOKEN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=[domain.com] subject: CN=localhost expires: 2022-11-11 14:11:49 MST key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20201114211107': status: NEED_CSR_GEN_TOKEN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=[domain.com] subject: CN=localhost expires: 2022-11-11 14:11:53 MST key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20201114211108': status: NEED_CSR_GEN_TOKEN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=[domain.com] subject: CN=localhost expires: 2022-11-04 14:11:32 MDT key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20201114211109': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=[domain.com] subject: CN=localhost expires: 2022-11-11 14:11:50 MST key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20201114211110': status: NEED_CSR_GEN_TOKEN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=[domain.com] subject: CN=localhost expires: 2022-11-04 14:11:40 MDT key usage: digitalSignature,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib/ipa/certmonger/stop_pkicad post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20201114211316': status: CA_UNREACHABLE ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-SIMPLYWS-COM/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-SIMPLYWS-COM',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=[domain.com] subject: CN=ipa01.[domain.com],O=[domain.com] expires: 2022-11-15 14:13:16 MST dns: ipa01.[domain.com] principal name: ldap/ipa01.[domain.com]@[domain.com] key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib/ipa/certmonger/restart_dirsrv SIMPLYWS-COM track: yes auto-renew: yes Request ID '20201114211418': status: CA_UNREACHABLE ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired). stuck: no key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.[domain.com]-443-RSA' certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt' CA: IPA issuer: CN=Certificate Authority,O=[domain.com] subject: CN=ipa01.[domain.com],O=[domain.com] expires: 2022-11-15 14:14:22 MST dns: ipa01.[domain.com] principal name: HTTP/ipa01.[domain.com]@[domain.com] key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib/ipa/certmonger/restart_httpd track: yes auto-renew: yes Request ID '20201114211427': status: CA_UNREACHABLE ca-error: Server at https://ipa01.[domain.com]/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: SSL certificate problem: certificate has expired). stuck: no key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key' certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt' CA: IPA issuer: CN=Certificate Authority,O=[domain.com] subject: CN=ipa01.[domain.com],O=[domain.com] expires: 2022-11-15 14:14:27 MST principal name: krbtgt/[domain.com]@[domain.com] key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-pkinit-KPKdc pre-save command: post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue