On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
Hello,

I had an issue with pki-tomcat.
I had several certificates that were expired and pki-tomcat did not start
anymore.

I set the date on the server before certificate expiration and then
pki-tomcat starts properly.
Then I try to resubmit the certificate, but I get below error:
  "Profile caServerCert Not Found"

Do you have any idea how I could fix this issue?

Please find below output of commands:


# getcert resubmit -i 20160108170324

# getcert list -i 20160108170324
Number of certificates and requests being tracked: 7.
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=A.SKINFRA.EU
    subject: CN=IPA RA,O=A.SKINFRA.EU
    expires: 2016-06-28 15:25:11 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes


Thanks in advance for your help.
Bertrand





Hi Bertrand,

what version of FreeIPA and Dogtag are you running?

Also perform the following search on the IPA master and post the result:

"""
ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
"""

--
Martin^3 Babinsky
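
An added example, not part of either message and not certmonger's own code: a small Python triage over `getcert list` output of the kind posted above, rejoining mail-wrapped values and flagging requests that carry a `ca-error` or a past `expires` date. The field layout is taken from the quoted output; the host name, the second request and the function names are made up for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the quoted layout (wrapped ca-error); host and 2nd request made up.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
    ca-error: Server at
"http://ipa.example.test:8080/ca/ee/ca/profileSubmit" replied:
Profile caServerCert Not Found
    stuck: no
    expires: 2016-06-28 15:25:11 UTC
Request ID '20160108170401':
    stuck: no
    expires: 2030-01-09 17:04:01 UTC
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}}, rejoining wrapped values."""
    requests, current, key = {}, None, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current, key = requests.setdefault(m.group(1), {}), None
            continue
        if current is None or not line.strip():
            continue
        m = re.match(r"\s+([A-Za-z][\w -]*?):\s*(.*)$", line)
        if m:  # an indented "name: value" line starts a new field
            key = m.group(1)
            current[key] = m.group(2)
        elif key:  # anything else continues the previous value
            current[key] = (current[key] + " " + line.strip()).strip()
    return requests

def triage(requests, now):
    """Return (request_id, reason) pairs for CA errors and expired certs."""
    findings = []
    for rid, fields in requests.items():
        if "ca-error" in fields:
            findings.append((rid, "ca-error: " + fields["ca-error"]))
        exp = fields.get("expires")
        if exp and datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC").replace(
                tzinfo=timezone.utc) <= now:
            findings.append((rid, "expired " + exp))
    return findings

if __name__ == "__main__":
    print(triage(parse_getcert_list(SAMPLE), datetime.now(timezone.utc)))
```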
