[Freeipa-users] Re: Freeipa-Let's Encrypt certificates renovation issue

[Z Altzibar via FreeIPA-users]

getcert list
Number of certificates and requests being tracked: 7.
Request ID '20241125032104':
        status: MONITORING
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.XXX
        subject: CN=IPA RA,O=XXXX.XXX
        issued: 2023-09-06 15:45:03 CEST
        expires: 2025-08-26 15:45:03 CEST
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20241125032105':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.XXX
        subject: CN=CA Audit,O=XXXX.XXX
        issued: 2023-09-06 15:45:49 CEST
        expires: 2025-08-26 15:45:49 CEST
        key usage: digitalSignature,nonRepudiation
        profile: caSignedLogCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20241125032106':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.XXX
        subject: CN=OCSP Subsystem,O=XXXX.XXX
        issued: 2023-09-06 15:46:10 CEST
        expires: 2025-08-26 15:46:10 CEST
        eku: id-kp-OCSPSigning
        profile: caOCSPCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20241125032107':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.XXX
        subject: CN=CA Subsystem,O=XXXX.XXX
        issued: 2023-09-06 15:45:19 CEST
        expires: 2025-08-26 15:45:19 CEST
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-clientAuth
        profile: caSubsystemCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20241125032108':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.XXX
        subject: CN=Certificate Authority,O=XXXX.XXX
        issued: 2021-10-13 16:22:25 CEST
        expires: 2041-10-13 16:22:25 CEST
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        profile: caCACert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20241125032109':
        status: MONITORING
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: 
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XXXX.XXX
        subject: CN=ipaalmasec.XXXX.XXX,O=XXXX.XXX
        issued: 2024-11-25 04:20:17 CET
        expires: 2026-11-15 04:20:17 CET
        dns: ipaalmasec.XXXX.XXX
        key usage: digitalSignature,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        profile: caServerCert
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20250604072910':
        status: MONITORING
        stuck: no
        key pair storage: 
type=FILE,location='/var/kerberos/krb5kdc/kdc.key',perms=0600
        certificate: 
type=FILE,location='/var/kerberos/krb5kdc/kdc.crt',perms=0644
        CA: SelfSign
        issuer: CN=ipaalmasec.XXXX.XXX,O=XXXX.XXX
        subject: CN=ipaalmasec.XXXX.XXX,O=XXXX.XXX
        issued: 2025-06-04 09:29:10 CEST
        expires: 2026-06-04 09:29:10 CEST
        dns: ipaalmasec.XXXX.XXX
        principal name: krbtgt/xxxx....@xxxx.xxx
        certificate template/profile: KDCs_PKINIT_Certs
        profile: KDCs_PKINIT_Certs
        pre-save command: 
        post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
        track: yes
        auto-renew: yes
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue