Hi Rob,

All dates are good once I add the pin manually. The only problem is the
NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I
don't know what is not right with the certs. Maybe you can point me in a
direction to look at the logs. Let me share the getcert list once I have manually
fixed the pin:

 getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:59:28 -03
        expires: 2023-12-13 22:59:28 -03
        principal name: krbtgt/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20221201164512':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=CA Audit,O=TNU.COM.UY
        issued: 2021-11-09 15:11:14 -03
        expires: 2023-10-30 15:11:14 -03
        key usage: digitalSignature,nonRepudiation
        profile: caSignedLogCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201164513':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=OCSP Subsystem,O=TNU.COM.UY
        issued: 2021-11-09 15:12:03 -03
        expires: 2023-10-30 15:12:03 -03
        eku: id-kp-OCSPSigning
        profile: caOCSPCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201164514':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=CA Subsystem,O=TNU.COM.UY
        issued: 2021-11-09 15:11:13 -03
        expires: 2023-10-30 15:11:13 -03
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201164515':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=Certificate Authority,O=TNU.COM.UY
        issued: 2022-08-26 14:25:16 -03
        expires: 2042-08-26 14:25:16 -03
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201164516':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-01 22:56:02 -03
        expires: 2023-11-21 22:56:02 -03
        dns: dc2.tnu.com.uy
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caServerCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201164517':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=IPA RA,O=TNU.COM.UY
        issued: 2021-11-09 15:12:27 -03
        expires: 2023-10-30 15:12:27 -03
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20221201164518':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:53:10 -03
        expires: 2023-12-13 22:53:10 -03
        dns: dc2.tnu.com.uy
        principal name: ldap/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caIPAserviceCert
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
        track: yes
        auto-renew: yes
Request ID '20221201164519':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:53:26 -03
        expires: 2023-12-13 22:53:26 -03
        dns: dc2.tnu.com.uy
        principal name: HTTP/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caIPAserviceCert
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

After running ipa-server-upgrade:

 getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:59:28 -03
        expires: 2023-12-13 22:59:28 -03
        principal name: krbtgt/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-pkinit-KPKdc
        profile: KDCs_PKINIT_Certs
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
Request ID '20221201205524':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer: 
        subject: 
        issued: unknown
        expires: unknown
        profile: caSignedLogCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201205525':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer: 
        subject: 
        issued: unknown
        expires: unknown
        profile: caOCSPCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201205526':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer: 
        subject: 
        issued: unknown
        expires: unknown
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201205527':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issuer: 
        subject: 
        issued: unknown
        expires: unknown
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201205528':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-01 22:56:02 -03
        expires: 2023-11-21 22:56:02 -03
        dns: dc2.tnu.com.uy
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caServerCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221201205529':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=IPA RA,O=TNU.COM.UY
        issued: 2021-11-09 15:12:27 -03
        expires: 2023-10-30 15:12:27 -03
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20221201205530':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:53:10 -03
        expires: 2023-12-13 22:53:10 -03
        dns: dc2.tnu.com.uy
        principal name: ldap/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caIPAserviceCert
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
        track: yes
        auto-renew: yes
Request ID '20221201205531':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
        certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
        CA: IPA
        issuer: CN=Certificate Authority,O=TNU.COM.UY
        subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
        issued: 2021-12-12 22:53:26 -03
        expires: 2023-12-13 22:53:26 -03
        dns: dc2.tnu.com.uy
        principal name: HTTP/[email protected]
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caIPAserviceCert
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
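The two listings above are easier to compare with a small checker than by eye. The following Python script is an added example, not part of the thread or of FreeIPA/certmonger: it parses `getcert list` output and reports the three things this thread turns on, namely requests that are stuck (NEWLY_ADDED_NEED_KEYINFO_READ_PIN), NSS-database trackers that carry neither a `pinfile=` nor a stored `pin set`, and certificates whose `expires` date is unknown or near, which is Rob's point that MONITORING alone says nothing about validity. The pin-file path it suggests for `/etc/pki/pki-tomcat/alias` is the one quoted in the thread; any other location gets a placeholder. The embedded listing is a constructed, condensed sample in the layout certmonger prints, and the script only parses text, it never runs getcert or changes tracking.

```python
"""Audit certmonger 'getcert list' output for the failure modes in this thread:
requests stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN, NSS-database trackers with
neither a pinfile nor a stored pin, and certificates whose 'expires' date is
unknown or near.  It only parses text; it never invokes getcert."""
import re
from datetime import datetime, timedelta, timezone

# Assumed mapping of NSS database -> pin file; the pki-tomcat path is the one quoted
# in the thread, anything else gets a placeholder the operator must fill in.
KNOWN_PINFILES = {"/etc/pki/pki-tomcat/alias": "/etc/pki/pki-tomcat/alias/pwdfile.txt"}

_FIELD_RE = re.compile(r"(\w+)=('[^']*'|[^,]*)")
_OFFSET_RE = re.compile(r"^([+-])(\d{2}):?(\d{2})?$")


def parse_getcert_list(text):
    """Return one dict per "Request ID '...'" block, keyed by certmonger's field names."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_storage(value):
    """Split "type=NSSDB,location='...',nickname='...',pinfile='...'" into a dict.
    certmonger prints a bare 'pin set' token when the pin itself is stored."""
    fields = {k: v.strip("'") for k, v in _FIELD_RE.findall(value)}
    fields["pin_set"] = value.rstrip().endswith("pin set")
    return fields


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS -03' stamp; None for 'unknown'.
    The offset is hours-only, which strptime's %z rejects, so it is parsed by hand."""
    if value in ("", "unknown"):
        return None
    stamp, _, offset = value.rpartition(" ")
    m = _OFFSET_RE.match(offset)
    if not m:
        raise ValueError("unrecognised UTC offset: %r" % offset)
    sign = 1 if m.group(1) == "+" else -1
    delta = timedelta(hours=int(m.group(2)), minutes=int(m.group(3) or 0))
    naive = datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone(sign * delta))


def audit(text, now, warn_days=30):
    """Return {request_id: [finding, ...]} for every tracked request needing attention."""
    findings = {}
    for req in parse_getcert_list(text):
        issues = []
        if req.get("stuck") == "yes" or req.get("status") != "MONITORING":
            issues.append("stuck in state %s" % req.get("status"))
        storage = parse_storage(req.get("key pair storage", ""))
        if storage.get("type") == "NSSDB" and not storage.get("pinfile") and not storage["pin_set"]:
            pinfile = KNOWN_PINFILES.get(storage.get("location"), "<PINFILE>")
            issues.append("no pin source; suggested fix: getcert start-tracking -i %s -p %s"
                          % (req["id"], pinfile))
        expires = parse_expiry(req.get("expires", "unknown"))
        if expires is None:
            issues.append("expiry unknown")
        elif expires <= now:
            issues.append("EXPIRED on %s" % expires.isoformat())
        elif expires - now < timedelta(days=warn_days):
            issues.append("expires in %d days (%s)" % ((expires - now).days, expires.isoformat()))
        if issues:
            findings[req["id"]] = issues
    return findings


# Constructed sample in the layout certmonger prints (condensed; mail clients wrap these lines).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20221201205524':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
        issued: unknown
        expires: unknown
Request ID '20221201164512':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
        CA: IPA
        issued: 2021-11-09 15:11:14 -03
        expires: 2023-10-30 15:11:14 -03
Request ID '20221201164516':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        CA: dogtag-ipa-ca-renew-agent
        issued: 2021-12-01 22:56:02 -03
        expires: 2023-11-21 22:56:02 -03
"""


def audit_sample(now_stamp, warn_days=30):
    """Run the audit over SAMPLE with 'now' given in certmonger's own timestamp format."""
    return audit(SAMPLE, parse_expiry(now_stamp), warn_days)


if __name__ == "__main__":
    for rid, issues in audit_sample("2022-12-01 16:00:00 -03").items():
        print(rid)
        for issue in issues:
            print("   ", issue)
```

On a real server, feed it `getcert list` output (for example `getcert list | python3 this_script.py` after swapping SAMPLE for `sys.stdin.read()`); the suggested `getcert start-tracking -i ID -p PINFILE` lines are printed for review, not executed, so the operator decides which trackers get the pin file.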



> On 1 Dec 2022, at 16:04, Rob Crittenden <[email protected]> wrote:
> 
> Juan Pablo Lorier wrote:
>> Hi Rob,
>> 
>> I do manually add the pin and they get in MONITORING state, but the IPA
>> server is not consistent because the upgrade never completes.
>> If I try to run the upgrade, the process renews the certs and they go
>> back to stuck state. Look at the upgrade output I sent and then you can
>> see that those certs get into stuck because of the missing pin:
> 
> This doesn't renew the certs, it is attempting to fix the broken
> tracking, and failing I assume.
> 
> MONITORING doesn't mean the certificates are still valid. You need to
> look at the expires date to determine that.
> 
> rob
> 
>> 
>>>> [Update certmonger certificate renewal configuration]
>>>> Missing or incorrect tracking request for certificates:
>>>>   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>>>>   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>>>>   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>>>>   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
>>>> Certmonger certificate renewal configuration updated
>> 
>> 
>> 
>>> On 1 Dec 2022, at 13:52, Rob Crittenden <[email protected]> wrote:
>>> 
>>> Juan Pablo Lorier wrote:
>>>> Ok, I fixed the certs following other ticket but using the pin file
>>>> pointed in the link you sent me.
>>>> Result:
>>>> 
>>>> ipa-getcert start-tracking -i 20221201163932 -p
>>>> /etc/pki/pki-tomcat/alias/pwdfile.txt
>>> 
>>> I don't know what request 20221201163932 is but you need to add the pin
>>> file to all of the CA-related trackers.
>>> 
>>> rob
>>> 
>>>> 
>>>> But it seems that ipa-server-upgrade breaks them again:
>>>> 
>>>> named user config '/etc/named/ipa-ext.conf' already exists
>>>> named user config '/etc/named/ipa-options-ext.conf' already exists
>>>> named user config '/etc/named/ipa-logging-ext.conf' already exists
>>>> [Upgrading CA schema]
>>>> CA schema update complete
>>>> [Update certmonger certificate renewal configuration]
>>>> Missing or incorrect tracking request for certificates:
>>>>   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>>>>   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>>>>   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>>>>   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
>>>> Certmonger certificate renewal configuration updated
>>>> [Enable PKIX certificate path discovery and validation]
>>>> PKIX already enabled
>>>> [Authorizing RA Agent to modify profiles]
>>>> [Authorizing RA Agent to manage lightweight CAs]
>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>>> [Adding default OCSP URI configuration]
>>>> [Disabling cert publishing]
>>>> pki-tomcat configuration changed, restart pki-tomcat
>>>> [Ensuring CA is using LDAPProfileSubsystem]
>>>> [Migrating certificate profiles to LDAP]
>>>> Migrating profile 'acmeServerCert'
>>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>>>> command ipa-server-upgrade manually.
>>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>>> NetworkError: cannot connect to
>>>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>>> more information
>>>> 
>>>> 
>>>> 
>>>> 
>>>> 
>>>> Request ID '20221201164512':
>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>> stuck: yes
>>>> key pair storage:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>> cert-pki-ca'
>>>> certificate:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>>>> cert-pki-ca'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: 
>>>> subject: 
>>>> issued: unknown
>>>> expires: unknown
>>>> profile: caSignedLogCert
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>> "auditSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20221201164513':
>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>> stuck: yes
>>>> key pair storage:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>> cert-pki-ca'
>>>> certificate:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
>>>> cert-pki-ca'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: 
>>>> subject: 
>>>> issued: unknown
>>>> expires: unknown
>>>> profile: caOCSPCert
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>> "ocspSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20221201164514':
>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>> stuck: yes
>>>> key pair storage:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>> cert-pki-ca'
>>>> certificate:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>>>> cert-pki-ca'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: 
>>>> subject: 
>>>> issued: unknown
>>>> expires: unknown
>>>> profile: caSubsystemCert
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>> "subsystemCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> Request ID '20221201164515':
>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>> stuck: yes
>>>> key pair storage:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>>> cert-pki-ca'
>>>> certificate:
>>>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>>>> cert-pki-ca'
>>>> CA: dogtag-ipa-ca-renew-agent
>>>> issuer: 
>>>> subject: 
>>>> issued: unknown
>>>> expires: unknown
>>>> profile: caCACert
>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>>>> "caSigningCert cert-pki-ca"
>>>> track: yes
>>>> auto-renew: yes
>>>> 
>>>>> On 1 Dec 2022, at 12:47, Juan Pablo Lorier <[email protected]> wrote:
>>>>> 
>>>>> Thanks Jochen,
>>>>> 
>>>>> I tried following the post but the getcert command is complaining
>>>>> about the syntax and I can’t find why. According to man page, the
>>>>> parameters are right.
>>>>> 
>>>>> I also tried to remove the certs and run ipa-server-upgrade but it
>>>>> generates new certs and fails at the same point (new certs are also
>>>>> pending pin information).
>>>>> It looks like I will need a way to unstick those certs for the upgrade
>>>>> to continue.
>>>>> All suggestions are welcome :-)
>>>>> Regards
>>>>> 
>>>>>> On 1 Dec 2022, at 01:30, Jochen Kellner <[email protected]> wrote:
>>>>>> 
>>>>>> 
>>>>>> Hello Juan,
>>>>>> 
>>>>>> Juan Pablo Lorier via FreeIPA-users <[email protected]> writes:
>>>>>> 
>>>>>>> You are right, there are several certificates stuck in dc2:
>>>>>>> 
>>>>>>> getcert list
>>>>>> ...
>>>>>>> Request ID '20221130160320':
>>>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>> 
>>>>>> My google-fu points to this comment in an issue:
>>>>>> https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-659962943
>>>>>> That has the commands to fix the issue.
>>>>>> 
>>>>>> Another possibility should be to stop-tracking the certificates and run
>>>>>> ipa-server-upgrade which should restore the trackings. Right?
>>>>>> 
>>>>>> Jochen
>>>>>> 
>>>>>> -- 
>>>>>> This space is intentionally left blank.

_______________________________________________
FreeIPA-users mailing list -- [email protected]