Travis West via FreeIPA-users wrote:
> The person who set this up is no longer available.  We have 6 IPA servers in 
> a cluster, all set as MASTER.  All servers are running IPA v. 4.6.4.
> On 8 March the CA Subsystem certificate expired.  When looking at the 
> certificate I noticed it had an incorrect Common Name, which may be why it 
> didn't renew.
> I checked the pki-tomcat CS.cfg and the two lines
> ca.subsystem.cert - Has cert with incorrect hostname listed
> ca.subsystem.certreq - Has cert request for correct ca subsystem cert (Common 
>  Name CA Subsystem)
> I tried removing the errant ca subsystem cert from the NSS DB in 
> pki-tomcat/alias and was successful.  I then tried to request a new SubSystem 
> Cert using this command
> getcert request -I CASubsystem -c dogtag-ipa-renew-agent -d 
> /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -N 'cn=CA 
> Subsystem,o=IPA.*****.NET' -P 'PIN_FROM_FILE' -t 'NSS Certificate DB'
> And that seems to at least have issued the request because 'getcert list' 
> shows the request, but with a CA_REJECTED message.
> If I do an ldapsearch for the certificate, it shows the the correct cert with 
> CN=CA Subystem, but the one that expired on 8 March.
> How can I get a valid CA Subsystem cert again so I can start the CA on all 
> IPA servers?

You are running a quite old version, on RHEL/CentOS 7.6 I presume? Later
versions provide a tool to address this, ipa-cert-fix, which isn't
available in 4.6.4.

You need to do a couple of things:
1. identify which server  is your renewal master. ipa config-show will
tell you. Otherwise you can restore to: ldapsearch -LLL -Q -Y GSSAPI -b

2. On the renewal master make sure it is tracking at least 8
certificates: getcert list will tell you. If it is then run getcert list
| grep expires

This will tell you how many certs have or will expire soon. All the CA
subsystem-related certificates expire at the same time so its likely
that multiple have expired.

Removing the cert wasn't a good idea. I don't think it will be
catastrophic to renewal but manually tweaking the cert database is not
generally recommended.

So assuming you have multiple certificates that all expired on the 8th
then what typically works is to disable chronyd/ntpd and use the date
command to go back in time. Restart all IPA services and then certmonger
and then watch it to see if the certificates are renewed.

FreeIPA-users mailing list --
To unsubscribe send an email to
Fedora Code of Conduct:
List Guidelines:
List Archives:
Do not reply to spam, report it:

Reply via email to