Yes, running on CentOS 7.9. Just for testing's sake I did update one of the servers to a later version of IPA that has ipa-cert-fix, and tried running it. It returned this (CNs partially censored):
# ipa-cert-fix
The following certificates will be renewed:
Dogtag subsystem certificate:
  Subject: CN=vault-hv1.***,O=IPA.****.NET
  Serial:  1073676328
  Expires: 2021-03-08 04:56:05
IPA IPA RA certificate:
  Subject: CN=iso1.***,O=IPA.***.NET
  Serial:  1073676325
  Expires: 2021-03-08 03:28:16
Enter "yes" to proceed: yes
Proceeding.
Command 'pki-server cert-fix --ldapi-socket /var/run/slapd-IPA-***-NET.socket --agent-uid ipara --cert subsystem --extra-cert 1073676325' returned non-zero exit status 1

So even still, when running ipactl start, pki-tomcat won't start. Here we see that the CNs are wrong on both of these certificates. I still don't know how that happened. I can certainly roll back all 6 servers to before I removed the errant CA Subsystem cert, but it still won't renew.

Then there is the discrepancy between what this shows and what I see if I do

ldapsearch -LLL -D 'cn=directory manager' -W -b uid=pkidbuser,ou=people,o=ipaca userCertificate description seeAlso

It returns the cert with the correct CN of CA Subsystem. Then in /etc/pki/pki-tomcat/ca/CS.cfg, the two lines:

ca.subsystem.cert    - Has incorrect cert with errant CN from above
ca.subsystem.certreq - Has request with correct CN

So to me the problem stems from this incorrect CN that seems to be in the NSS DB in /etc/pki/pki-tomcat/alias, while an ldapsearch returns the correct CN name certificate that expired back on 8 March of this year. For the IPA RA certificate, I was able to fix that, and now certutil list on all 6 servers has that being monitored and not expiring until 2026. It's just this CA Subsystem cert that I am stumped on.
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
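The CS.cfg discrepancy described in the post (certificate under ca.subsystem.cert with one CN, request under ca.subsystem.certreq with another) can be checked mechanically. The following is an added example, not code from the thread or from FreeIPA/Dogtag: it decodes both one-line base64 DER values with openssl and compares their Subject CNs. The fixture it builds (hostname, realm, throwaway EC key) is constructed for the demo; on a replica you would point check_subsystem_cert at /etc/pki/pki-tomcat/ca/CS.cfg.

```shell
# Added example (not from the original thread): compare the Subject CN of the
# certificate stored under ca.subsystem.cert with that of the request stored
# under ca.subsystem.certreq in a Dogtag CS.cfg. Both are one-line base64 DER
# values, as in /etc/pki/pki-tomcat/ca/CS.cfg. Requires only openssl.
set -eu

# Subject CN of a one-line base64 DER blob; $1 is "x509" (cert) or "req" (CSR)
cn_of_blob() {
    printf '%s' "$2" | openssl base64 -d -A \
      | openssl "$1" -inform DER -noout -subject -nameopt RFC2253 \
      | sed -n 's/.*CN=\([^,]*\).*/\1/p'
}

# Value of key $1 in CS.cfg file $2 (first match wins)
cfg_value() {
    sed -n "s/^$1=//p" "$2" | head -n 1
}

# Report both CNs; exit status 0 when they agree, 1 when they do not
check_subsystem_cert() {
    cert_cn=$(cn_of_blob x509 "$(cfg_value ca.subsystem.cert "$1")")
    req_cn=$(cn_of_blob req "$(cfg_value ca.subsystem.certreq "$1")")
    echo "ca.subsystem.cert    CN=$cert_cn"
    echo "ca.subsystem.certreq CN=$req_cn"
    [ "$cert_cn" = "$req_cn" ]
}

# Constructed fixture: a CS.cfg fragment whose cert carries a hostname CN while
# the request carries "CA Subsystem", mirroring the mismatch in the thread.
# Hostname and realm are made up; the key is a throwaway.
make_fixture() {
    dir=$(mktemp -d)
    openssl ecparam -genkey -name prime256v1 -noout -out "$dir/key.pem" 2>/dev/null
    openssl req -x509 -new -key "$dir/key.pem" -days 1 \
        -subj "/CN=host1.example.test/O=IPA.EXAMPLE.TEST" -out "$dir/cert.pem" 2>/dev/null
    openssl req -new -key "$dir/key.pem" \
        -subj "/CN=CA Subsystem/O=IPA.EXAMPLE.TEST" -out "$dir/req.pem" 2>/dev/null
    {
        printf 'ca.subsystem.cert=%s\n' \
            "$(openssl x509 -in "$dir/cert.pem" -outform DER | openssl base64 -A)"
        printf 'ca.subsystem.certreq=%s\n' \
            "$(openssl req -in "$dir/req.pem" -outform DER | openssl base64 -A)"
    } > "$dir/CS.cfg"
    echo "$dir/CS.cfg"
}

# Demo on the fixture; on a real replica point it at /etc/pki/pki-tomcat/ca/CS.cfg
check_subsystem_cert "$(make_fixture)" || echo "MISMATCH: cert and request disagree"
```

A matching pair is the expected state; a mismatch like the one in the post means the certificate that ended up in CS.cfg (and the NSS DB it was imported from) is not the one the stored request was issued for.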
