Lewis, Adam M CIV NSWCDD, H11 wrote:
We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA
RA certs expired as of 7/23/16. I found and followed the instructions to the
however the CA Subsystem and IPA RA certs will not renew. I've backdated the
server to make sure the system was within the renewal window, but that has not
Those are the wrong instructions.
You want this instead, https://access.redhat.com/solutions/643753
A bunch of it is for 2.2 but it isn't exactly noted which parts. A
general rule is that you don't/shouldn't need to directly tweak the
dogtag configuration or do any of the start-tracking work (though you
may want to verify that what/if anything you changed from that wrong doc).
When I run getcert list it reports:
Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1:
for both the IPA RA and CA Subsystem certs
The debug log shows:
RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.
The place to start is to get the serial # of the ipaCert:
# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
Now get the user from the dogtag LDAP server:
# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b
The format is 2;<serial number>;<issuer subject>;<subject>
See if the serial # matches ipaCert. I'm guessing it won't. Follow the
instructions on the page I cited to update the entry with the current
certificate and serial # values. That should get you going.
We are kind of in deep doo-doo until this gets resolved.
We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
Adam M. Lewis
Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project