I've followed the instructions related to my error here:
http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still haven't
found a solution.

Jeff

On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgodd...@emerlyn.com> wrote:
> Alan,
>
> Thank you so VERY much. That resolved the issue for the CA signing
> certificate. However I'm still seeing
>
> ca-error: Server at "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
>
> On multiple requests which have expiration dates in the past. Is there
> something else I need to do?
>
> Jeff
>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheve...@redhat.com> wrote:
>> Looks like you need to get the PIN associated to the cert.
>>
>> # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
>>
>> Then replace <pin> with the PIN in the command above.
>>
>> # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
>>
>> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <jgodd...@emerlyn.com> wrote:
>>> I think my problem is deeper than that. I was following this guide:
>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>>> and executed the commands related to having an external CA - which we do
>>> not have. I now get this message for the CA:
>>>
>>> Request ID '20170101055025':
>>>         status: NEED_KEY_GEN_PIN
>>>         stuck: yes
>>>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
>>>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>>         CA: dogtag-ipa-ca-renew-agent
>>>         issuer:
>>>         subject:
>>>         expires: unknown
>>>         pre-save command:
>>>         post-save command:
>>>         track: yes
>>>         auto-renew: yes
>>>
>>> Is there any way I can recover?
>>>
>>> Jeff
>>>
>>> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> Jeff Goddard wrote:
>>>> > I've done this.
>>>> >
>>>> > [root@id-management-1 ipa]# date
>>>> > Sun Jan 1 01:12:27 EST 2017
>>>> >
>>>> > getcert list gives me this as the first entry:
>>>> >
>>>> > Request ID '20150116162120':
>>>> >         status: CA_UNREACHABLE
>>>> >         ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
>>>> >         stuck: no
>>>> >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>> >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>> >         CA: IPA
>>>> >         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
>>>> >         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
>>>> >         expires: 2017-01-16 16:21:20 UTC
>>>> >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>> >         eku: id-kp-serverAuth,id-kp-clientAuth
>>>> >         pre-save command:
>>>> >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>> >         track: yes
>>>> >         auto-renew: yes
>>>> >
>>>> > Restarting certmonger multiple times doesn't help.
>>>>
>>>> Sorry, I missed a step. When you go back in time you first need to
>>>> restart IPA. The CA isn't up.
>>>>
>>>> rob
>>>>
>>>> > Jeff
>>>> >
>>>> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <rcrit...@redhat.com> wrote:
>>>> >
>>>> >     Jeff Goddard wrote:
>>>> >     > Flo,
>>>> >     >
>>>> >     > I'm not able to access the link you posted. I did find this thread though
>>>> >     > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>>>> >     > and have set the time back and resubmitted a request. Still no success.
>>>> >     > Any further hints?
>>>> >
>>>> >     You need to stop ntpd, go back in time to when the certs are valid and
>>>> >     restart the certmonger service.
>>>> >
>>>> >     Then use getcert list to monitor things. You really only care about the
>>>> >     CA subsystem certs at this point.
>>>> >
>>>> >     You may need to restart certmonger more than once to get all the certs
>>>> >     updated (you can manually call getcert resubmit -i <id> if you'd prefer).
>>>> >
>>>> >     Once that is done return to present day, restart ntpd then ipactl restart.
>>>> >
>>>> >     rob
>>>
>>> --
>>> Manage your subscription for the Freeipa-users mailing list:
>>> https://www.redhat.com/mailman/listinfo/freeipa-users
>>> Go to http://freeipa.org for more info on the project
>>
>> --
>> Alan Heverley
>
> --
> Jeff Goddard
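The thread above hinges on spotting certmonger requests that are stuck, erroring, or already past their expiry, as shown in the quoted `getcert list` output. As an added example (not code from the thread or from FreeIPA), the script below parses that output format and flags such requests so an expiry can be caught before it causes an outage; the sample text and the function names are constructed for illustration, and the field names follow certmonger's `getcert list` layout.

```python
# Added example, not from the thread: parse `getcert list` output and flag requests
# that are stuck, erroring, not MONITORING, or expiring soon. Names/sample constructed.
import re
from datetime import datetime, timedelta

# Constructed sample mirroring the thread's two problem entries plus one healthy request.
SAMPLE = """\
Request ID '20150116162120':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
\texpires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
\tstatus: NEED_KEY_GEN_PIN
\tstuck: yes
\texpires: unknown
Request ID '20160301120000':
\tstatus: MONITORING
\texpires: 2030-03-01 12:00:00 UTC
"""

def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key] = value.strip()
    return requests

def _parse_ts(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC'; None for 'unknown' or other non-dates."""
    m = re.match(r"(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)", value)
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") if m else None

def find_problems(requests, now, warn_days=30):
    """Map request id -> list of reasons it needs attention; `now` uses the same timestamp format."""
    now_dt, problems = _parse_ts(now), {}
    for rid, f in requests.items():
        exp, status = _parse_ts(f.get("expires", "unknown")), f.get("status", "?")
        checks = [("stuck", f.get("stuck") == "yes"), ("status=" + status, status != "MONITORING"),
                  ("ca-error", "ca-error" in f), ("expiry unknown", exp is None),
                  ("expires " + f.get("expires", ""), exp is not None and exp - now_dt <= timedelta(days=warn_days))]
        reasons = [label for label, bad in checks if bad]
        if reasons:
            problems[rid] = reasons
    return problems
```

Run against real output with `find_problems(parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True)), now)` and alert on a non-empty result.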