Juan Pablo Lorier via FreeIPA-users <[email protected]> writes:
> Hi Rob,
>
> All dates are good once I add the pin manually. The only problem is
> the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run
> the updater. I don’t know what is not right with the certs. Maybe you
> can point me in a direction to look at the logs. Let me share the
> getcert list once I manually fixed the pin:

Can you perhaps compare the requests for one certificate before and after the upgrade? The requests are stored in /var/lib/certmonger/requests.

Let's focus on one certificate first, for example:

  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'

I'd try something like that:

- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are

Depending on the differences - and this needs some creative thinking:

- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after the upgrade)
- We need to get certmonger and ipa-server-upgrade to be happy with these requests, so the requests don't get changed during the next upgrade.

I've had a look at the logs of the last ipaupgrade.log. For each certificate I see:

  2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal configuration]
  ...
  2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration already up-to-date

I guess the second line for you says something like "...config updated". We need to see if the lines between have some clues for us.
In a post upthread you posted the console output:

  Missing or incorrect tracking request for certificates:
    /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
    /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
  Certmonger certificate renewal configuration updated

Also upthread you posted:

>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and
>>>>> enabled; skipping
>>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>>> 2022-11-30T16:07:49Z DEBUG request GET
>>>>> https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>>> Traceback (most recent call last):
>>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line

In my upgrade log this is after updating/checking the certmonger requests. So my guess is there's something strange with your configuration in /var/lib/certmonger/requests.

So, can you provide more of your ipaupgrade.log where the certmonger requests are checked/updated and one request before/after?

Jochen
-- 
This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
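One way to carry out the before/after comparison Jochen suggests, as an added example that is not part of this thread and not code from FreeIPA or certmonger: the script snapshots the certmonger request directory, then reports, per request file, which key=value settings were added, removed or changed by the upgrade, so that a pin or key-storage change stands out without reading whole files. The directory layout (one key=value line per setting, one file per tracking request) matches what certmonger writes under /var/lib/certmonger/requests; the file names and values used in the test are constructed, not taken from the reporter's system.

```shell
#!/bin/sh
# Added example (not from the FreeIPA thread, FreeIPA or certmonger):
# snapshot /var/lib/certmonger/requests before and after an upgrade and
# report which settings changed in each tracking request.
set -e

# snapshot_requests SRC DEST: copy the request directory (contents, with
# permissions and timestamps) to DEST, e.g. /root/requests.before
snapshot_requests() {
    mkdir -p "$2"
    cp -R -p "$1"/. "$2"/
}

# compare_request BEFORE_FILE AFTER_FILE: print one line per changed key,
# in the form "<file> <key>: <old> -> <new>". Values are split on the
# first "=" only, so values that themselves contain "=" stay intact.
compare_request() {
    awk -v name="$(basename "$1")" '
        function kv(line,   i) {
            i = index(line, "=")
            if (i == 0) return 0
            key = substr(line, 1, i - 1)
            val = substr(line, i + 1)
            return 1
        }
        # first file: remember every setting and its order of appearance
        FILENAME == ARGV[1] {
            if (kv($0)) { before[key] = val; order[++n] = key }
            next
        }
        # second file: report settings that are new or whose value changed
        {
            if (!kv($0)) next
            seen[key] = 1
            if (!(key in before))        print name " " key ": (missing) -> " val
            else if (before[key] != val) print name " " key ": " before[key] " -> " val
        }
        # settings that existed before but are gone after the upgrade
        END {
            for (i = 1; i <= n; i++)
                if (!(order[i] in seen))
                    print name " " order[i] ": " before[order[i]] " -> (removed)"
        }
    ' "$1" "$2"
}

# compare_request_dirs BEFORE_DIR AFTER_DIR: run compare_request for every
# request file present in both snapshots and flag files that only exist
# on one side (a request re-created by the upgrade gets a new id/file).
compare_request_dirs() {
    before=$1; after=$2
    for f in "$before"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        if [ -f "$after/$name" ]; then
            compare_request "$f" "$after/$name"
        else
            echo "$name: present before the upgrade, missing after"
        fi
    done
    for f in "$after"/*; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        [ -f "$before/$name" ] || echo "$name: new request created by the upgrade"
    done
}

# Usage: ./compare-requests.sh /root/requests.before /root/requests.after
if [ $# -eq 2 ]; then
    compare_request_dirs "$1" "$2"
fi
```

Run `snapshot_requests /var/lib/certmonger/requests /root/requests.before` before the upgrade and the same with a second destination afterwards, then pass both directories to the script. Only the differing keys are printed, so an unchanged request produces no output at all, and a request whose pin setting was rewritten shows up as a single `key_pin` or `key_pin_file` line.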
