Hi Rob, I do manually add the pin and they get into MONITORING state, but the IPA server is not consistent because the upgrade never completes. If I try to run the upgrade, the process renews the certs and they go back to the stuck state. Look at the upgrade output I sent and then you can see that those certs get stuck because of the missing pin:
>> [Update certmonger certificate renewal configuration]
>> Missing or incorrect tracking request for certificates:
>> /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>> /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>> /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>> /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
>> Certmonger certificate renewal configuration updated

> On 1 Dec 2022, at 13:52, Rob Crittenden <[email protected]> wrote:
>
> Juan Pablo Lorier wrote:
>> Ok, I fixed the certs following other ticket but using the pin file
>> pointed in the link you sent me.
>> Result:
>>
>> ipa-getcert start-tracking -i 20221201163932 -p
>> /etc/pki/pki-tomcat/alias/pwdfile.txt
>
> I don't know what request 20221201163932 is but you need to add the pin
> file to all of the CA-related trackers.
>
> rob
>
>>
>> But it seems that the ipa-server-upgrade breaks them again:
>>
>> named user config '/etc/named/ipa-ext.conf' already exists
>> named user config '/etc/named/ipa-options-ext.conf' already exists
>> named user config '/etc/named/ipa-logging-ext.conf' already exists
>> [Upgrading CA schema]
>> CA schema update complete
>> [Update certmonger certificate renewal configuration]
>> Missing or incorrect tracking request for certificates:
>> /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>> /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>> /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>> /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
>> Certmonger certificate renewal configuration updated
>> [Enable PKIX certificate path discovery and validation]
>> PKIX already enabled
>> [Authorizing RA Agent to modify profiles]
>> [Authorizing RA Agent to manage lightweight CAs]
>> [Ensuring Lightweight CAs container exists in Dogtag database]
>> [Adding default OCSP URI configuration]
>> [Disabling cert publishing]
>> pki-tomcat configuration changed, restart pki-tomcat
>> [Ensuring CA is using LDAPProfileSubsystem]
>> [Migrating certificate profiles to LDAP]
>> Migrating profile 'acmeServerCert'
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> NetworkError: cannot connect to
>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>>
>> Request ID '20221201164512':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caSignedLogCert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20221201164513':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caOCSPCert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20221201164514':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caSubsystemCert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20221201164515':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caCACert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>>> On 1 Dec 2022, at 12:47, Juan Pablo Lorier <[email protected]> wrote:
>>>
>>> Thanks Jochen,
>>>
>>> I tried following the post but the getcert command is complaining
>>> about the syntax and I can't find why. According to the man page, the
>>> parameters are right.
>>>
>>> I also tried to remove the certs and run ipa-server-upgrade but it
>>> generates new certs and fails at the same point (new certs are also
>>> pending pin information).
>>> It looks like I will need a way to unstick those certs for the upgrade
>>> to continue.
>>> All suggestions are welcome :-)
>>> Regards
>>>
>>>> On 1 Dec 2022, at 01:30, Jochen Kellner <[email protected]> wrote:
>>>>
>>>> Hello Juan,
>>>>
>>>> Juan Pablo Lorier via FreeIPA-users <[email protected]> writes:
>>>>
>>>>> You are right, there are several certificates stuck in dc2:
>>>>>
>>>>> getcert list
>>>> ...
>>>>> Request ID '20221130160320':
>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>
>>>> My google-fu points to that comment in an issue:
>>>> https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-659962943
>>>> That has the commands to fix the issue.
>>>>
>>>> Another possibility should be to stop-tracking the certificates and run
>>>> ipa-server-upgrade which should restore the trackings. Right?
>>>>
>>>> Jochen
>>>>
>>>> --
>>>> This space is intentionally left blank.
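Rob's advice in the thread (add the pin file to all of the CA-related trackers, not just one request ID) as a script; this is an added example, not code from the thread or from FreeIPA. It assumes the `getcert list` output format quoted above and the pin file path /etc/pki/pki-tomcat/alias/pwdfile.txt from the thread, and it only prints the `getcert start-tracking` commands so they can be reviewed before being run on the CA replica.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA: list the certmonger
# requests for the pki-tomcat NSS database that are stuck waiting for a PIN and
# print the start-tracking command that re-attaches the pin file to each (Rob's
# fix). Paths are the ones quoted in the thread; pass --live to read 'getcert list'.
PIN_FILE=/etc/pki/pki-tomcat/alias/pwdfile.txt
CA_NSSDB=/etc/pki/pki-tomcat/alias
# Constructed 'getcert list' sample in the thread's format: two stuck CA
# trackers, one healthy CA tracker, one stuck tracker in another database.
sample_getcert_list() {
    cat <<'EOF'
Request ID '20221201164512':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
Request ID '20221201164513':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
Request ID '20221201170000':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert'
Request ID '20221201164515':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
EOF
}
# Reads 'getcert list' on stdin; prints IDs whose key pair is in $CA_NSSDB and
# whose status is the stuck-for-PIN state (trackers in other databases are left alone).
stuck_ca_request_ids() {
    awk -v db="$CA_NSSDB" '
        function flush() {
            if (st == "NEWLY_ADDED_NEED_KEYINFO_READ_PIN" &&
                index(loc, "location=\047" db "\047") > 0) print id
            id = ""; st = ""; loc = ""
        }
        /^Request ID /             { flush(); id = substr($3, 2, length($3) - 3) }
        /^[ \t]*status:/           { st = $2 }
        /^[ \t]*key pair storage:/ { loc = $0 }
        END                        { flush() }'
}
# One 'getcert start-tracking' per stuck ID; review the output before running it.
print_fix_commands() {
    while read -r id; do printf 'getcert start-tracking -i %s -p %s\n' "$id" "$PIN_FILE"; done
}
if [ "${1:-}" = "--live" ]; then getcert list; else sample_getcert_list; fi |
    stuck_ca_request_ids | print_fix_commands
```

After re-adding the pin file, `getcert list` should show the CA trackers move from NEWLY_ADDED_NEED_KEYINFO_READ_PIN to MONITORING; if ipa-server-upgrade recreates them without the pin again, the same script can be rerun against the new request IDs.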
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
