Hi all,

I have inherited an IPA system that has an expired cert, and the old admins have left. I followed http://www.freeipa.org/page/IPA_2x_Certificate_Renewal but am running into errors when I try to renew the CA certs, even after the time is reset. I also tried the troubleshooting under http://www.freeipa.org/page/Troubleshooting#Authentication_Errors, specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt" to add the cert to the database.

From the output of getcert list, I see both CA_UNREACHABLE and NEED_CSR_GEN_PIN. I followed the Red Hat article here (https://access.redhat.com/solutions/1142913), which verified that the key file password is correct, and I have reset the time. However, the NEED_CSR_GEN_PIN status remains. My company actually has Red Hat support, but whoever built this IPA was using CentOS 6, so I am out of luck there. I would really appreciate any help since I am stuck at this point. What else can I do at this point? E.g., is generating a new CA cert necessary, etc.?

Version:

ipa-pki-ca-theme.noarch       9.0.3-7.el6              @base
ipa-pki-common-theme.noarch   9.0.3-7.el6              @base
ipa-pmincho-fonts.noarch      003.02-3.1.el6           @base
ipa-python.x86_64             3.0.0-47.el6.centos.2    @updates
ipa-server.x86_64             3.0.0-47.el6.centos.2    @updates
ipa-server-selinux.x86_64     3.0.0-47.el6.centos.2    @updates

Part of the error logs from /var/log/pki-ca/debug after I reset the clock; I see these errors, which I think are relevant:

[27/Dec/2015:14:12:01][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException Certificate object not found
[27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException Certificate object not found
[27/Dec/2015:14:12:01][main]: CMSEngine.shutdown()

The result seems to show the key file password is correct:

certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      ############################   NSS Certificate DB:Server-Cert

certutil -L -d /var/lib/pki-ca/alias

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                     u,u,u
subsystemCert cert-pki-ca                       u,u,u
Server-Cert cert-pki-ca                         u,u,u
auditSigningCert cert-pki-ca                    u,u,Pu
caSigningCert cert-pki-ca                       CTu,Cu,Cu

certutil -L -d /etc/httpd/alias

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
ipaCert                                         u,u,u
REALM.COM IPA CA                                CT,C,

certutil -L -d /etc/dirsrv/slapd-REALM-COM

Certificate Nickname                            Trust Attributes
                                                SSL,S/MIME,JAR/XPI

Server-Cert                                     u,u,u
REALM.COM IPA CA                                CT,C,C

Output of getcert list:

Number of certificates and requests being tracked: 7.
Request ID '21135214223243':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-example-NET//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=host.example.net,O=example.NET
        expires: 2016-03-29 14:09:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '21135214223300':
        status: CA_UNREACHABLE
        ca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=host.example.net,O=example.NET
        expires: 2016-03-29 14:09:45 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20130519130741':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=CA Audit,O=example.NET
        expires: 2017-10-13 14:10:49 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130742':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=60&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=OCSP Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130743':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=62&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=CA Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20130519130744':
        status: MONITORING
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=64&renewal=true&xml=true".
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=RA Subsystem,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20130519130745':
        status: NEED_CSR_GEN_PIN
        ca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=63&renewal=true&xml=true".
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=example.NET
        subject: CN=host.example.net,O=example.NET
        expires: 2017-10-13 14:09:49 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Regards,
Adam
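When triaging a certmonger problem like the one above, the first job is to read `getcert list` systematically rather than by eye: which requests are stuck, which are waiting on a PIN, which cannot reach the CA, and which certificates expire soonest (the order in which renewals must happen). The script below is an added example for this thread, not part of FreeIPA, certmonger or the poster's setup. It parses the "key: value" blocks that `getcert list` prints (the field names are those shown in the post), summarises where each key lives and how certmonger obtains its PIN (a `pinfile=` path versus a stored `pin set`), and flags expiry relative to a reference time you supply, which matters here because the poster has been moving the clock. The sample input is constructed, modelled on the post's output but with fewer fields and an invented realm name.

```python
"""Triage helper for `getcert list` output (added example, not FreeIPA code)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the post's getcert output (realm name invented).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '21135214223243':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://host.example.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-NET//pwdfile.txt'
\tCA: IPA
\tsubject: CN=host.example.net,O=EXAMPLE.NET
\texpires: 2016-03-29 14:09:46 UTC
\tpre-save command:
\tpost-save command:
Request ID '20130519130741':
\tstatus: NEED_CSR_GEN_PIN
\tca-error: Internal error: no response to "http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-pki-ca&serial_num=61&renewal=true&xml=true".
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.NET
\texpires: 2017-10-13 14:10:49 UTC
Request ID '20130519130744':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=RA Subsystem,O=EXAMPLE.NET
\texpires: 2017-10-13 14:09:49 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
KV_RE = re.compile(r"^\s+([^:]+):\s?(.*)$")   # indented "key: value" (split at first colon)

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            key, value = m.group(1).strip(), m.group(2).strip()
            current[key] = value
            if key == "expires" and value:
                current["expires_at"] = datetime.strptime(
                    value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return requests

def key_storage(req):
    """Where the key lives and how certmonger gets its PIN (pinfile path or stored PIN)."""
    spec = req.get("key pair storage", "")
    fields = dict(re.findall(r"(\w+)='([^']*)'", spec))
    if "pinfile" in fields:
        pin = "file:" + fields["pinfile"]
    elif spec.endswith("pin set"):
        pin = "stored in certmonger"
    else:
        pin = None
    return {"location": fields.get("location"), "nickname": fields.get("nickname"), "pin": pin}

def triage(requests, now, warn_days=30):
    """Bucket request IDs by the conditions worth acting on; `now` is a datetime or 'YYYY-MM-DD'."""
    if isinstance(now, str):
        now = datetime.fromisoformat(now).replace(tzinfo=timezone.utc)
    report = {"stuck": [], "need_pin": [], "ca_unreachable": [], "expired": [], "expiring": []}
    for r in requests:
        if r.get("stuck") == "yes":
            report["stuck"].append(r["id"])
        if r.get("status") == "NEED_CSR_GEN_PIN":
            report["need_pin"].append(r["id"])
        if r.get("status") == "CA_UNREACHABLE":
            report["ca_unreachable"].append(r["id"])
        exp = r.get("expires_at")
        if exp is not None:
            if exp <= now:
                report["expired"].append(r["id"])
            elif exp - now <= timedelta(days=warn_days):
                report["expiring"].append(r["id"])
    return report

if __name__ == "__main__":
    # In practice: reqs = parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))
    reqs = parse_getcert_list(SAMPLE)
    for r in reqs:
        print(r["id"], r.get("status"), r.get("expires"), key_storage(r))
    print(triage(reqs, "2016-03-15"))
```

Running it against the sample reports the audit-signing request as both stuck and waiting on a PIN, the directory server cert as unable to reach the CA and due to expire within 30 days of 2016-03-15, and shows that the stuck request relies on a PIN stored inside certmonger rather than a `pwdfile.txt`, which is the distinction the NEED_CSR_GEN_PIN status turns on. Feed it real output with `getcert list` and pass the date the clock was reset to so the expiry buckets reflect the time the renewal is actually attempted at.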
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
