Looks like you need to get the PIN associated with the cert.

# grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf

Then replace <pin> with the PIN in the command above.

# getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent

On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <[email protected]> wrote:
> I think my problem is deeper than that. I was following this guide:
> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> and executed the commands related to having an external CA - which we do not have.
> I now get this message for the CA:
>
> Request ID '20170101055025':
>     status: NEED_KEY_GEN_PIN
>     stuck: yes
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer:
>     subject:
>     expires: unknown
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> Is there any way I can recover?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <[email protected]> wrote:
>> Jeff Goddard wrote:
>>> I've done this.
>>> [root@id-management-1 ipa]# date
>>> Sun Jan 1 01:12:27 EST 2017
>>>
>>> getcert list gives me this as the first entry:
>>>
>>> Request ID '20150116162120':
>>>     status: CA_UNREACHABLE
>>>     ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
>>>     stuck: no
>>>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>     CA: IPA
>>>     issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>     subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>>     expires: 2017-01-16 16:21:20 UTC
>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>     pre-save command:
>>>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>     track: yes
>>>     auto-renew: yes
>>>
>>> Restarting certmonger multiple times doesn't help.
>>
>> Sorry, I missed a step. When you go back in time you first need to restart IPA. The CA isn't up.
>>
>> rob
>>
>>> Jeff
>>>
>>> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <[email protected]> wrote:
>>>
>>>     Jeff Goddard wrote:
>>>>     Flo,
>>>>
>>>>     I'm not able to access the link you posted. I did find this thread though
>>>>     https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>>>>     and have set the time back and resubmitted a request. Still no success.
>>>>     Any further hints?
>>>
>>>     You need to stop ntpd, go back in time to when the certs are valid and
>>>     restart the certmonger service.
>>>
>>>     Then use getcert list to monitor things. You really only care about the
>>>     CA subsystem certs at this point.
>>>
>>>     You may need to restart certmonger more than once to get all the certs
>>>     updated (you can manually call getcert resubmit -i <id> if you'd prefer).
>>>
>>>     Once that is done return to present day, restart ntpd then ipactl restart.
>>>
>>>     rob

-- 
Alan Heverley
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
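The recovery described in the top reply (find the NSS DB PIN in password.conf, re-track the CA signing cert with it) together with the clock-rollback sequence from the earlier replies, as an added shell example. This is not code from the thread, from FreeIPA or from certmonger. It assumes the stock FreeIPA paths and nicknames quoted in the thread, root on the CA server, and ntpd and certmonger managed by systemd; PKI_PASSWORD_CONF, NSSDB, NICK, the function names and the sample password.conf and getcert list excerpt are constructed for the demo.

```shell
#!/bin/sh
# Added example; not code from the thread, FreeIPA or certmonger.
# Assumptions: stock FreeIPA 4.x paths quoted in the thread, ntpd and
# certmonger managed by systemd, run as root on the CA server.
set -u

PKI_PASSWORD_CONF="${PKI_PASSWORD_CONF:-/var/lib/pki/pki-tomcat/conf/password.conf}"
NSSDB="${NSSDB:-/etc/pki/pki-tomcat/alias}"
NICK="${NICK:-caSigningCert cert-pki-ca}"

# pki_internal_pin FILE: print the value of the "internal=" line (the NSS DB
# PIN the reply greps for). Anchored at line start so "internaldb=" is skipped.
pki_internal_pin() {
    sed -n 's/^internal=//p' "$1" | head -n 1
}

# stuck_requests FILE: read saved `getcert list` output and print
# "<request id> <status> <nickname>" for every request with "stuck: yes".
stuck_requests() {
    awk -v q="'" '
        function flush() { if (id != "" && stuck == "yes") print id, st, nick }
        /^Request ID /        { flush(); id = $3; gsub(/[^0-9]/, "", id); st = stuck = nick = ""; next }
        /^[ \t]*status:/      { st = $2 }
        /^[ \t]*stuck:/       { stuck = $2 }
        /^[ \t]*certificate:/ { if (match($0, "nickname=" q "[^" q "]*" q)) nick = substr($0, RSTART + 10, RLENGTH - 11) }
        END                   { flush() }
    ' "$1"
}

# recover_ca_tracking: the fix from the top reply, refusing to run with an
# empty PIN. Note -P puts the PIN on the command line (visible in ps for a
# moment and in shell history); getcert also accepts -p FILE with the PIN
# kept in a root-only file.
recover_ca_tracking() {
    pin="$(pki_internal_pin "$PKI_PASSWORD_CONF")"
    if [ -z "$pin" ]; then
        echo "no internal= entry in $PKI_PASSWORD_CONF" >&2
        return 1
    fi
    getcert start-tracking -d "$NSSDB" -n "$NICK" -P "$pin" -c dogtag-ipa-ca-renew-agent
    getcert list -d "$NSSDB" -n "$NICK"
}

# renew_in_the_past "YYYY-MM-DD HH:MM:SS": the sequence from the earlier
# replies. Order matters: IPA must come back up after the clock change,
# otherwise certmonger reports CA_UNREACHABLE. Return to the present by
# hand afterwards: systemctl start ntpd && ipactl restart.
renew_in_the_past() {
    systemctl stop ntpd
    date -s "$1"
    ipactl restart
    systemctl restart certmonger
    sleep 30    # give certmonger a moment before checking (assumption, not from the thread)
    getcert list | grep -E 'Request ID|status:|stuck:'   # stragglers: getcert resubmit -i <id>
}

# Offline demo on constructed input (a sample password.conf and a
# `getcert list` excerpt shaped like the one in the thread).
demo_conf="$(mktemp)"; demo_list="$(mktemp)"
trap 'rm -f "$demo_conf" "$demo_list"' EXIT
cat > "$demo_conf" <<'EOF'
internaldb=notThePinYouWant
internal=NssDbPin1234
EOF
cat > "$demo_list" <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170101055025':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
        CA: dogtag-ipa-ca-renew-agent
Request ID '20150116162120':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
EOF
pin="$(pki_internal_pin "$demo_conf")"
printf 'PIN found: %s characters (not echoed)\n' "${#pin}"
echo "stuck requests:"; stuck_requests "$demo_list"

# Live run only on explicit request, e.g.: sh recover.sh --apply
if [ "${1:-}" = "--apply" ]; then recover_ca_tracking; fi
```

The `internal=` value in password.conf is the passphrase protecting the CA's NSS database, i.e. the CA signing key, so treat it like the key itself: do not paste it into tickets or mail, and prefer the pin-file form over `-P` when you can, since the command line ends up in shell history. The parser only reports requests with `stuck: yes`; a request in CA_UNREACHABLE with `stuck: no`, as in the earlier message, is certmonger still retrying and needs the CA to be up rather than a re-track.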
