Greg Harris wrote:
> ARRRGGGHHHH!!! 'Server-Cert cert-pki-ca' is missing again. Trying to
> recover it from the /etc/pki/pki-tomcat/alias directory via pk12util is
> not giving me the key, so that I can re-import it and get it trusted.
> The certutil -L command is showing a trust of ',,', rather than 'u,u,u'
> because of the missing key. At this point, I think that I need to
> regenerate that certificate, import it, and then reset it to tracking
> the new one again. The piece I can't seem to piece together is how to
> generate that certificate. (Yeah, it's probably simple and I'm so deep
> in that I can't see it.)
What version of IPA is this? It is unusual for a key to disappear.

rob

>
> Thanks,
>
> GH
>
>> On Feb 1, 2022, at 3:03 PM, Rob Crittenden <[email protected]> wrote:
>>
>> GH via FreeIPA-users wrote:
>>> The best I could tell was an upgrade back in Dec. 2019/Jan. 2020. It
>>> seems like it was a move from NSS to SSL for a number of pieces?
>>> Anyways, I'd had Ipsilon configured on the same server, and that
>>> move didn't make things happy as there was a port overlap.
>>> (Unsupported configuration, I know.) Lots of reconfiguration and
>>> copying certs around to get it straightened out.
>>>
>>> Right now, everything starts on both servers. However, on the
>>> "secondary" that is not the renewal master, there's a number of
>>> "certificate doesn't match the CS.cfg" errors.
>>> 'ocspSigningCert cert-pki-ca'
>>> 'subsystemCert cert-pki-ca'
>>> 'Server-Cert cert-pki-ca'
>>> 'auditSigningCert cert-pki-ca'
>>>
>>> Along with a:
>>> "msg": "Incorrect NSS trust for Server-Cert cert-pki-ca. Got ,,
>>> expected u,u,u",
>>>
>>> The "primary", which is the renewal master listed on both boxes,
>>> shows none of those errors. At one point, I had figured out how to
>>> "force sync" the certs, but I've since forgotten.
>>>
>>
>> This means there is no associated private key with the certificate. The
>> "Server-Cert cert-pki-ca" certificate is used by tomcat and is unique
>> per installation. The others are common and need to be identical on
>> all CAs.
>>
>> What does getcert list show?
>>
>> rob
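As an added defender-side check, not code from the thread or from FreeIPA, the following POSIX shell script reads `certutil -L` output and reports any of the four Dogtag certificates named above whose trust flags are not `u,u,u` (the `u` flag means the private key is present in the NSS database, so `,,` is the missing-key condition Rob describes). The certutil output embedded here is constructed sample data, not captured from a real server.

```shell
#!/bin/sh
# Check an NSS certificate database for certificates that have no private
# key. In `certutil -L` output the "u" flag in a trust slot means the key is
# held in the database; ",," means the certificate is there but its key is
# not, which is what the thread reports for 'Server-Cert cert-pki-ca'.
# Real use on a CA: certutil -L -d /etc/pki/pki-tomcat/alias | check_pki_ca_keys

# Print the trust flags recorded for one nickname, read from stdin.
trust_of() {
    awk -v nick="$1" '
        # Trust attributes are three comma-separated groups of flag letters.
        $NF ~ /^[CTPcpu]*,[CTPcpu]*,[CTPcpu]*$/ {
            flags = $NF; $NF = ""; sub(/ +$/, "")   # strip the flags column
            if ($0 == nick) print flags
        }'
}

# For the four certificates the thread lists, report any whose trust is not
# u,u,u, in the same wording as the ipa-healthcheck message quoted above.
check_pki_ca_keys() {
    input=$(cat)
    for nick in 'Server-Cert cert-pki-ca' 'ocspSigningCert cert-pki-ca' \
                'subsystemCert cert-pki-ca' 'auditSigningCert cert-pki-ca'; do
        got=$(printf '%s\n' "$input" | trust_of "$nick")
        [ -z "$got" ] && got='(not found)'
        [ "$got" = 'u,u,u' ] ||
            echo "Incorrect NSS trust for $nick. Got $got expected u,u,u"
    done
}

# Constructed sample (not captured from a real server), modelled on the
# nicknames and the ",," vs "u,u,u" trust values quoted in the thread.
SAMPLE='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      ,,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,u'

# Prints one line for Server-Cert, nothing for the other three.
printf '%s\n' "$SAMPLE" | check_pki_ca_keys
```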
