So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA 
server:

ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial': [Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).

Figured out that it uses the certs in /var/lib/pki-ca/alias.

Per 

https://docs.fedoraproject.org/en%2dUS/Fedora/15/html/FreeIPA_Guide/certmonger%2dtracking%2dcerts.html

I tried adding it to certmonger:

# ipa-getcert start-tracking -I CAServerCert -d /var/lib/pki-ca/alias/ -n Server-Cert -r
New tracking request "CAServerCert" added.

But ipa-getcert list now tells me:

Request ID 'CAServerCert':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
        CA: IPA
        issuer: 
        subject: 
        expires: unknown
        track: yes
        auto-renew: yes

Okie dokie...where might I be able to find the PIN for the cert?  I see that 
the certs for httpd and slapd have a path to a pinfile, but I can't find 
anything like that for the CA cert.  I'm quite stuck. This expired cert, I'm 
pretty sure, is what is preventing me from using this machine to migrate to a 
new 3.0 machine (via replication).

Any ideas how to get the CA cert renewed? 

I know how to generate a CSR and a cert, but I'm not sure 1) how I would add 
it into the cert DB, and 2) how I can add it without invalidating all my other 
certs.

Any help would be fantastic!

j


-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
jos...@azariah.com - Jabber: pedah...@gmail.com
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
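
An added example, not part of the original post and not FreeIPA or certmonger code: a small Python triage over `ipa-getcert list` output that flags tracking requests certmonger reports as stuck or waiting on a key-store PIN, like the one quoted in the message above. The sample text is constructed; the `ExampleHealthy` request and its paths are hypothetical, and the field names are those visible in the quoted output.

```python
import re

# Constructed sample: the first request mirrors the output quoted in the post;
# the second is a hypothetical healthy request with a pinfile, for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID 'CAServerCert':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
        expires: unknown
Request ID 'ExampleHealthy':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/example/alias',nickname='Example-Cert',pinfile='/etc/example/alias/pwdfile.txt'
        expires: 2030-01-01 00:00:00 UTC
"""

def parse_requests(text):
    """Split `ipa-getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '(.+)':\s*$", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and ":" in line:
            # Split on the first colon only: values (dates, paths) may contain more.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage(text):
    """Return {request_id: [reasons]} for requests that need operator attention."""
    findings = {}
    for req_id, f in parse_requests(text).items():
        reasons = []
        if f.get("stuck") == "yes":
            reasons.append("stuck")
        if f.get("status", "").endswith("_PIN"):
            reasons.append("needs key-store PIN")
            if "pinfile=" not in f.get("key pair storage", ""):
                reasons.append("no pinfile recorded")
        if f.get("expires", "unknown") == "unknown":
            reasons.append("expiry unreadable")
        if reasons:
            findings[req_id] = reasons
    return findings

if __name__ == "__main__":
    for req_id, reasons in triage(SAMPLE).items():
        print(f"{req_id}: {', '.join(reasons)}")
```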
