Federico Nebiolo wrote:
Dear IPA users,

My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
suddenly stopped working for the CA part.
I'm not sure this is the root of all the issues, but the subsystem
certificates were expired and not renewed: getcert list gives a similar
output for all of them, and I don't know how to proceed.

# getcert list -c dogtag-ipa-renew-agent

Request ID '20130902075915':
        status: MONITORING
        ca-error: No end-entity URL (-E) given, and no default known.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=XXXX
        subject: CN=RA Subsystem,O=XXXX
        expires: 2013-10-11 07:44:12 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes

Do you have any hints on how to solve this?

Try adding a host=<fqdn> to the [global] section in /etc/ipa/default.conf where host is the fqdn of your IPA master.

I think you'll need to temporarily go back in time to the 11th for the renewal to succeed.

You can force certmonger to try the renewal again with:

# getcert resubmit -i 20130902075915

You'll want to do this for all certs affected by this.

If this works please let us know and we'll make sure that host exists in default.conf when upgrades happen.

rob
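A dry-run helper for the two steps in Rob's reply, added here as an example and not code from the thread or from FreeIPA: it adds host=<fqdn> under [global] in a default.conf-style file only if it is missing, and picks out the certmonger request IDs whose ca-error is the missing end-entity URL so the matching resubmit commands can be reviewed before running them. The config file, the FQDN ipa.example.test and the getcert output are all constructed; nothing under /etc/ipa is touched.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output: one request showing the
# ca-error from the thread and one healthy request.
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20130902075915':
        status: MONITORING
        ca-error: No end-entity URL (-E) given, and no default known.
        stuck: no
        CA: dogtag-ipa-renew-agent
Request ID '20130902075916':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-renew-agent
EOF
)

# Read getcert list output on stdin; print the IDs whose ca-error is the
# missing end-entity URL (the condition certmonger reports in the thread).
ids_missing_endentity_url() {
    awk '/^Request ID/ { id = $3; gsub(/[^0-9]/, "", id) }
         /ca-error: No end-entity URL/ { print id }'
}

# Add host=<fqdn> directly under [global] unless that section already sets
# host=; an existing value is never overwritten.
ensure_global_host() {
    conf=$1; fqdn=$2
    if awk '/^\[/ { s = $0 } s == "[global]" && /^host[ \t]*=/ { f = 1 }
            END { exit !f }' "$conf"; then
        return 0   # host= already present in [global], leave it alone
    fi
    awk -v h="$fqdn" '{ print } /^\[global\]/ { print "host=" h }' "$conf" \
        > "$conf.tmp" && mv "$conf.tmp" "$conf"
}

# Emit one `getcert resubmit -i <id>` line per affected request (dry run).
resubmit_commands() {
    ids_missing_endentity_url | sed 's/^/getcert resubmit -i /'
}

# Demo on a constructed copy of default.conf with a hypothetical FQDN.
CONF=$(mktemp)
printf '[global]\nrealm=EXAMPLE.TEST\n' > "$CONF"
ensure_global_host "$CONF" ipa.example.test
grep '^host=' "$CONF"
printf '%s\n' "$SAMPLE_GETCERT" | resubmit_commands
```

Run the printed resubmit lines by hand once default.conf looks right; the script itself never calls getcert.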

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
