What I want to do is a bit borderline :-) The scenario is:
FreeIPA 3.0.0 (external-ca) with all certificates expired (also Root CA) Certmonger can't proceed to automatically renew the certificates. We can't release a certificate valid in the past (so we can't set the date in the past) What i did: I proceed to replace all certificate in the various nss db, included the re-sign of the certificate, where is needed. It partial works, the FreeIPA instance return up, but non completely. That is the issue: [root@ipa config]# ipa cert-show Serial number: 1 ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (Not Found) [root@ipa config]#getcert list [...] Request ID '20131115101732': status: CA_UNREACHABLE ca-error: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)). stuck: yes key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=DBMSRL.COM subject: CN=ipa.intra.dbmsrl.com,O=INTRA.DBMSRL.COM expires: 2014-03-19 11:01:14 UTC pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA track: yes auto-renew: yes Request ID '20131115101901': status: NEED_CSR ca-error: Error setting up ccache for local "host" service using default keytab: Cannot contact any KDC for realm 'INTRA.DBMSRL.COM'. stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=INTRA.DBMSRL.COM subject: CN=ipa.intra.dbmsrl.com,O=INTRA.DBMSRL.COM expires: 2013-12-14 15:27:08 UTC eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/restart_httpd track: yes auto-renew: yes And in the pki-ca log i found this exception: Failed to create jss service: java.lang.SecurityException: Unable to initialize security library at com.netscape.cmscore.security.JssSubsystem.init(JssSubsystem.java:272) at com.netscape.cmscore.apps.CMSEngine.initSubsystem(CMSEngine.java:866) at com.netscape.cmscore.apps.CMSEngine.initSubsystems(CMSEngine.java:795) at com.netscape.cmscore.apps.CMSEngine.init(CMSEngine.java:306) at com.netscape.certsrv.apps.CMS.init(CMS.java:153) at com.netscape.certsrv.apps.CMS.start(CMS.java:1530) at com.netscape.cms.servlet.base.CMSStartServlet.init(CMSStartServlet.java:85) at org.apache.catalina.core.StandardWrapper.loadServlet(StandardWrapper.java:1173) at org.apache.catalina.core.StandardWrapper.load(StandardWrapper.java:993) at org.apache.catalina.core.StandardContext.loadOnStartup(StandardContext.java:4187) at org.apache.catalina.core.StandardContext.start(StandardContext.java:4496) at org.apache.catalina.core.ContainerBase.addChildInternal(ContainerBase.java:791) at org.apache.catalina.core.ContainerBase.addChild(ContainerBase.java:771) at org.apache.catalina.core.StandardHost.addChild(StandardHost.java:526) at org.apache.catalina.startup.HostConfig.deployDirectory(HostConfig.java:1041) at org.apache.catalina.startup.HostConfig.deployDirectories(HostConfig.java:964) at org.apache.catalina.startup.HostConfig.deployApps(HostConfig.java:502) at org.apache.catalina.startup.HostConfig.start(HostConfig.java:1277) at org.apache.catalina.startup.HostConfig.lifecycleEvent(HostConfig.java:321) at org.apache.catalina.util.LifecycleSupport.fireLifecycleEvent(LifecycleSupport.java:119) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1053) at org.apache.catalina.core.StandardHost.start(StandardHost.java:722) at org.apache.catalina.core.ContainerBase.start(ContainerBase.java:1045) at org.apache.catalina.core.StandardEngine.start(StandardEngine.java:443) at org.apache.catalina.core.StandardService.start(StandardService.java:516) at org.apache.catalina.core.StandardServer.start(StandardServer.java:710) at org.apache.catalina.startup.Catalina.start(Catalina.java:593) at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method) at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:57) at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43) at java.lang.reflect.Method.invoke(Method.java:622) at org.apache.catalina.startup.Bootstrap.start(Bootstrap.java:289) at org.apache.catalina.startup.Bootstrap.main(Bootstrap.java:414) I have no idea what is missing, can someone help me? Thank you Andrea Bontempi _______________________________________________ Freeipa-users mailing list Freeipa-users@redhat.com https://www.redhat.com/mailman/listinfo/freeipa-users