On 5/19/2015 3:54 AM, Thibaut Pouzet wrote:
Hi,

It appeared that the NSS DB had FIPS enabled due to the troubleshooting
of an old problem:

# modutil -dbdir /var/lib/pki-ca/alias/ -list

Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal FIPS PKCS #11 Module
          slots: 1 slot attached
         status: loaded

          slot: NSS FIPS 140-2 User Private Key Services
         token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------

I disabled it: modutil -dbdir /var/lib/pki-ca/alias -fips false

And no longer have the stack trace in the debug logs while re-submitting
the certificate with certmonger.

This is a first step in this certificate renewal, as I still cannot
renew it, I have a new error:
         status: CA_UNREACHABLE
         ca-error: Error 60 connecting to
https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with known CA certificates.

This looks like a chicken and egg problem, the certificate served on
ipa_server:9443 is the one that needs to be renewed. I tried to step
back in time when the certificate was still valid with no luck.

So if anyone has an idea here...

Cheers,

Hi,

Is this still a problem? Per discussion with Rob it doesn't seem to be an issue with Dogtag itself.

I suppose you are following this instruction:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Could you post the full getcert list output? Also after you reset the clock back and try the renewal again could you post the error messages that you get?

Hopefully the IPA team will be able to troubleshoot further. Thanks.

--
Endi S. Dewata
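
The two diagnostics in this thread, the `modutil -list` check that shows whether the NSS DB is in FIPS mode and the `getcert list` output Endi asks for, can be triaged offline. The script below is an added example, not code from the thread or from FreeIPA, Dogtag or certmonger; the listings it parses are constructed to match the output shapes quoted in the thread (the request ID, nickname and expiry date in the `getcert` sample are made up), so it runs without NSS or certmonger installed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/Dogtag: offline
# triage helpers for the two diagnostics discussed in the thread. The samples
# are constructed to match the output shapes of `modutil -list` and
# `getcert list`, so nothing here needs NSS or certmonger.

# Constructed sample: `modutil -dbdir /var/lib/pki-ca/alias -list` with FIPS on.
MODUTIL_FIPS_SAMPLE=$(cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal FIPS PKCS #11 Module
          slots: 1 slot attached
         status: loaded

          slot: NSS FIPS 140-2 User Private Key Services
         token: NSS FIPS 140-2 Certificate DB
-----------------------------------------------------------
EOF
)

# Constructed sample: the same listing after `modutil -fips false`.
MODUTIL_NONFIPS_SAMPLE=$(cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
   1. NSS Internal PKCS #11 Module
          slots: 2 slots attached
         status: loaded

          slot: NSS Internal Cryptographic Services
         token: NSS Generic Crypto Services

          slot: NSS User Private Key and Certificate Services
         token: NSS Certificate DB
-----------------------------------------------------------
EOF
)

# Constructed sample of one `getcert list` entry, shaped like the failure in
# the thread (request ID, nickname and expiry date are made up).
GETCERT_SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20150519000000':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca'
        expires: 2015-05-01 00:00:00 UTC
EOF
)

# nss_fips_enabled LISTING: succeeds when the internal module is the FIPS one.
# This module name is what modutil prints after the DB was switched with
# `-fips true`, the state the thread found during troubleshooting.
nss_fips_enabled() {
    printf '%s\n' "$1" | grep -q 'NSS Internal FIPS PKCS #11 Module'
}

# getcert_count_status LISTING STATUS: number of tracked requests in STATUS.
getcert_count_status() {
    printf '%s\n' "$1" | awk -v want="$2" '
        /^[ \t]+status:/ { if ($2 == want) n++ }
        END { print n + 0 }'
}

# getcert_ca_errors LISTING: one line per request that carries a ca-error,
# prefixed with its request ID, so a failing renewal is visible at a glance.
getcert_ca_errors() {
    printf '%s\n' "$1" | awk -v q="'" '
        /^Request ID/ { id = $3; gsub(q, "", id); sub(/:$/, "", id) }
        /^[ \t]+ca-error:/ { sub(/^[ \t]+ca-error:[ \t]*/, ""); print id ": " $0 }'
}

# Demonstration on the constructed samples.
if nss_fips_enabled "$MODUTIL_FIPS_SAMPLE"; then
    echo "sample 1: FIPS mode enabled (modutil -fips false would turn it off)"
fi
if ! nss_fips_enabled "$MODUTIL_NONFIPS_SAMPLE"; then
    echo "sample 2: FIPS mode disabled"
fi
echo "requests in CA_UNREACHABLE: $(getcert_count_status "$GETCERT_SAMPLE" CA_UNREACHABLE)"
getcert_ca_errors "$GETCERT_SAMPLE"
```

On a live IPA CA, replace the samples with the real output, for example `nss_fips_enabled "$(modutil -dbdir /var/lib/pki-ca/alias -list)"` and `getcert_ca_errors "$(getcert list)"`; the latter is the quickest way to collect the per-request `ca-error` lines Endi asked for, including the "Error 60" peer-certificate failure, in one place.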
