Joshua J. Kugler wrote:
So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA
server:

ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot
connect to 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial':
[Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).


I thought you said in a different thread that it wasn't the CA that was expired, but the tomcat cert.

Figured out that it uses the certs in /var/lib/pki-ca/alias.

Per

https://docs.fedoraproject.org/en%2dUS/Fedora/15/html/FreeIPA_Guide/certmonger%2dtracking%2dcerts.html

I tried adding it to cert monger:

# ipa-getcert start-tracking -I CAServerCert -d /var/lib/pki-ca/alias/ -n
Server-Cert -r
New tracking request "CAServerCert" added.

But ipa-getcert list now tells me:

Request ID 'CAServerCert':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-
ca/alias',nickname='Server-Cert'
        certificate: 
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-
Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes

Okie dokie...where might I be able to find the PIN for the cert?  I see that
the certs for httpd and slapd have a path to a pinfile, but I can't find
anything like that for the CA cert.  I'm quite stuck. This expired cert, I'm
pretty sure, is what is preventing me from using this machine to migrate to a
new 3.0 machine (via replication).

Any ideas how to get the CA cert renewed?

I know how to generate a CSR and a cert, but I'm not sure 1) how I would add
it into the cert DB, and 2) how I can add it without invalidating all my other
certs.

certmonger in F-17 doesn't know how to renew the CA-related certificates. We fixed this in the IPA 3.1 timeframe. I'm not sure if the certmonger requires dogtag 10 for this feature or not, but it may. You'll want to upgrade to 3.1+ if you can.

So if it is just the tomcat cert that is expired, then for simplicity I'd set the time back on both systems (you'll need to kill ntp) to when the cert is valid and try that. I have the feeling you've already done this, but it is unclear what exactly you've tried.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

Reply via email to