Lewis, Adam M CIV NSWCDD, H11 wrote:
We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and IPA 
RA certs expired as of 7/23/16. I found and followed the instructions to the 
 however the CA Subsystem and IPA RA certs will not renew. I've backdated the 
server to make sure the system was within the renewal window, but that has not 

Those are the wrong instructions.

You want this instead, https://access.redhat.com/solutions/643753

A bunch of it is for 2.2 but it isn't exactly noted which parts. A general rule is that you don't/shouldn't need to directly tweak the dogtag configuration or do any of the start-tracking work (though you may want to verify that what/if anything you changed from that wrong doc).

When I run getcert list it reports:
Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess" replied: 1: 
Authentication Error
for both the IPA RA and CA Subsystem certs

The debug log shows:
SignedAuditEventFactory: create() 
 RA,O=MISS.ION] authentication failure
ReviewReqServlet: Invalid Credential.

The place to start is to get the serial # of the ipaCert:

# certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial

Now get the user from the dogtag LDAP server:

# ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b uid=ipara,ou=People,o=ipaca description

The format is 2;<serial number>;<issuer subject>;<subject>

See if the serial # matches ipaCert. I'm guessing it won't. Follow the instructions on the page I cited to update the entry with the current certificate and serial # values. That should get you going.


We are kind of in deep doo-doo until this gets resolved.

We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5

Any thoughts?


Adam M. Lewis

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to