Thanks for pointing me in the right direction. However after following the
instructions in the above mentioned doc I noticed a few things that are odd
and have a new problem. The first odd thing I noticed is that when I run
service pki-cad status it shows that my PKI Subsystem Type is "CA Clone".
Shouldn't that say something like "CA Master"?
Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all
produced the same AUTH_FAIL message in the debug log.
Now the new problem...after pressing on and restarting things certmonger
fails to start with a segfault.
Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault
/usr/sbin/certmonger -S -p /var/run certmonger.pid
On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
> Lewis, Adam M CIV NSWCDD, H11 wrote:
>> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and
>> IPA RA certs expired as of 7/23/16. I found and followed the instructions
>> to the letter (
>> however the CA Subsystem and IPA RA certs will not renew. I've backdated
>> the server to make sure the system was within the renewal window, but that
>> has not helped.
> Those are the wrong instructions.
> You want this instead, https://access.redhat.com/solutions/643753
> A bunch of it is for 2.2 but it isn't exactly noted which parts. A general
> rule is that you don't/shouldn't need to directly tweak the dogtag
> configuration or do any of the start-tracking work (though you may want to
> verify that what/if anything you changed from that wrong doc).
>> When I run getcert list it reports:
>> Ca-error: Sever at "https://<fqdn>:9443/ca/agent/ca/profileProcess"
>> replied: 1: Authentication Error
>> for both the IPA RA and CA Subsystem certs
>> The debug log shows:
>> SignedAuditEventFactory: create()
>> RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
> The place to start is to get the serial # of the ipaCert:
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
> Now get the user from the dogtag LDAP server:
> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b
> uid=ipara,ou=People,o=ipaca description
> The format is 2;<serial number>;<issuer subject>;<subject>
> See if the serial # matches ipaCert. I'm guessing it won't. Follow the
> instructions on the page I cited to update the entry with the current
> certificate and serial # values. That should get you going.
>> We are kind of in deep doo-doo until this gets resolved.
>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>> Any thoughts?
>> Adam M. Lewis
> Manage your subscription for the Freeipa-users mailing list:
> Go to http://freeipa.org for more info on the project
Adam M. Lewis
10807 Allie Place
Fredericksburg, VA 22408
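As an added example (not part of this thread), a small Python script that automates the comparison Rob describes: it pulls the serial out of captured `certutil -L -d /etc/httpd/alias -n ipaCert` output, parses the `2;<serial number>;<issuer subject>;<subject>` description of `uid=ipara,ou=People,o=ipaca`, and when the two disagree emits an LDIF that replaces the description with the current serial. The certutil output and the description value below are constructed samples; the solution page Rob cites also updates the entry's certificate value, which this script does not cover.

```python
import re

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert` output (not real data).
CERTUTIL_OUTPUT = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 268369927 (0xfff0007)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"
        Subject: "CN=IPA RA,O=EXAMPLE.TEST"
"""

# Constructed sample of the uid=ipara description value; it still carries the
# serial of the old (expired) ipaCert, which is the mismatch being hunted here.
IPARA_DESCRIPTION = "2;7;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST"

IPARA_DN = "uid=ipara,ou=People,o=ipaca"


def certutil_serial(text):
    """Extract the decimal serial number from certutil -L output."""
    m = re.search(r"Serial Number:\s*(\d+)", text)
    if not m:
        raise ValueError("no 'Serial Number:' line in certutil output")
    return int(m.group(1))


def parse_ipara_description(desc):
    """Split '2;<serial>;<issuer subject>;<subject>' into its fields."""
    parts = desc.split(";", 3)  # subject is last, so it may itself contain ';'
    if len(parts) != 4 or parts[0] != "2":
        raise ValueError("unexpected ipara description format: %r" % desc)
    return {"serial": int(parts[1]), "issuer": parts[2], "subject": parts[3]}


def check_ipara(certutil_text, desc):
    """Compare the serial in dogtag's ipara entry with the live ipaCert.

    Returns (True, None) when they match, otherwise (False, ldif) where ldif
    is a modify record that sets description to the current serial.
    """
    serial = certutil_serial(certutil_text)
    entry = parse_ipara_description(desc)
    if entry["serial"] == serial:
        return True, None
    new_desc = "2;%d;%s;%s" % (serial, entry["issuer"], entry["subject"])
    ldif = ("dn: %s\nchangetype: modify\nreplace: description\n"
            "description: %s\n" % (IPARA_DN, new_desc))
    return False, ldif


if __name__ == "__main__":
    ok, ldif = check_ipara(CERTUTIL_OUTPUT, IPARA_DESCRIPTION)
    print("serial matches" if ok else ldif)
```

On a real server, replace the two constructed samples with the output of the certutil and ldapsearch commands from Rob's reply and feed the printed LDIF to ldapmodify against the port 7389 instance.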