Jeff Goddard wrote:
> I've followed the instructions related to my error here:
> http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> haven't found a solution.

Look at these instructions
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal

Look only at the ipaCert part, particularly the ou=people part and the
description attribute.

rob

> 
> Jeff
> 
> On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgodd...@emerlyn.com
> <mailto:jgodd...@emerlyn.com>> wrote:
> 
>     Alan,
> 
>     Thank you so VERY much. That resolved the issue for the CA signing
>     certificate. However I'm still seeing
> 
>             ca-error: Server at
>     
> "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess
>     
> <https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess>"
>     replied: 1: Invalid Credential.
> 
>     On multiple requests which have expiration dates in the past. Is
>     there something else I need to do?
> 
>     Jeff
> 
>     On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheve...@redhat.com
>     <mailto:aheve...@redhat.com>> wrote:
> 
>         Looks like you need to get the PIN associated to the cert.|
> 
>          # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf |
> 
>         Then replace <pin> with the PIN in the command above.
>          
>          # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
>         'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
> 
>         On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard
>         <jgodd...@emerlyn.com <mailto:jgodd...@emerlyn.com>> wrote:
> 
>             I think my problem is deeper than that. I was following this
>             
> guide:http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
>             
> <http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers>
>             and executed the commands related to having an external CA -
>             which we do not have. I now get this message for the CA:
> 
>             Request ID '20170101055025':
>                     status: NEED_KEY_GEN_PIN
>                     stuck: yes
>                     key pair storage:
>             
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>             cert-pki-ca',pin set
>                     certificate:
>             
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>             cert-pki-ca'
>                     CA: dogtag-ipa-ca-renew-agent
>                     issuer:
>                     subject:
>                     expires: unknown
>                     pre-save command:
>                     post-save command:
>                     track: yes
>                     auto-renew: yes
> 
>             Is there any way I can recover?
> 
>             Jeff
> 
>             On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden
>             <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
> 
>                 Jeff Goddard wrote:
>                 > I've done this.
>                 > [root@id-management-1 ipa]# date
>                 > Sun Jan  1 01:12:27 EST 2017
>                 >
>                 >  getcert list give me this as the first entry:
>                 >
>                 > Request ID '20150116162120':
>                 >         status: CA_UNREACHABLE
>                 >         ca-error: Server at
>                 > https://id-management-1.internal.emerlyn.com/ipa/xml
>                 <https://id-management-1.internal.emerlyn.com/ipa/xml>
>                 failed request,
>                 > will retry: 4001 (RPC failed at server.  ipa:
>                 Certificate Authority not
>                 > found).
>                 >         stuck: no
>                 >         key pair storage:
>                 >
>                 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>                 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>                 >         certificate:
>                 >
>                 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>                 > Certificate DB'
>                 >         CA: IPA
>                 >         issuer: CN=Certificate
>                 Authority,O=INTERNAL.EMERLYN.COM
>                 <http://INTERNAL.EMERLYN.COM>
>                 > <http://INTERNAL.EMERLYN.COM>
>                 >         subject:
>                 CN=id-management-1.internal.emerlyn.com
>                 <http://id-management-1.internal.emerlyn.com>
>                 > <http://id-management-1.internal.emerlyn.com
>                 
> <http://id-management-1.internal.emerlyn.com>>,O=INTERNAL.EMERLYN.COM
>                 <http://INTERNAL.EMERLYN.COM>
>                 > <http://INTERNAL.EMERLYN.COM>
>                 >         expires: 2017-01-16 16:21:20 UTC
>                 >         key usage:
>                 >
>                 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>                 >         eku: id-kp-serverAuth,id-kp-clientAuth
>                 >         pre-save command:
>                 >         post-save command:
>                 /usr/lib64/ipa/certmonger/restart_httpd
>                 >         track: yes
>                 >         auto-renew: yes
>                 >
>                 > Restarting cermonger multiple times doesn't help.
> 
>                 Sorry, I missed a step. When you go back in time you
>                 first need to
>                 restart IPA. The CA isn't up.
> 
>                 rob
> 
>                 >
>                 > Jeff
>                 >
>                 >
>                 >
>                 >
>                 > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden
>                 <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
>                 > <mailto:rcrit...@redhat.com
>                 <mailto:rcrit...@redhat.com>>> wrote:
>                 >
>                 >     Jeff Goddard wrote:
>                 >     > Flo,
>                 >     >
>                 >     > I'm not able to access the link you posted. I
>                 did find this thread
>                 >     > though
>                 >     >
>                 >   
>                  
> https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>                 
> <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html>
>                 
> <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>                 
> <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html>>
>                 >     >
>                 >   
>                  
> <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>                 
> <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html>
>                 >   
>                  
> <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
>                 
> <https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html>>>
>                 >     > and have set the time back and resubmitted a
>                 request. Still no
>                 >     success.
>                 >     > Any further hints?
>                 >
>                 >     You need to stop ntpd, go back in time to when the
>                 certs are valid and
>                 >     restart the certmonger service.
>                 >
>                 >     Then use getcert list to monitor things. You
>                 really only care about the
>                 >     CA subsystem certs are this point.
>                 >
>                 >     You may need to restart certmonger more than once
>                 to get all the certs
>                 >     updated (you can manually call getcert resubmit -i
>                 <id> if you'd
>                 >     prefer).
>                 >
>                 >     Once that is done return to present day, restart
>                 ntpd then ipactl
>                 >     restart.
>                 >
>                 >     rob
>                 >
>                 >
>                 >
>                 >
>                 > --
>                 >
> 
> 
> 
> 
>             -- 
> 
> 
> 
>             --
>             Manage your subscription for the Freeipa-users mailing list:
>             https://www.redhat.com/mailman/listinfo/freeipa-users
>             <https://www.redhat.com/mailman/listinfo/freeipa-users>
>             Go to http://freeipa.org for more info on the project
> 
> 
> 
> 
>         -- 
>         Alan Heverley
> 
> 
> 
> 
>     -- 
> 
> 
> 
> 
> -- 
> Jeff Goddard
> 
> 

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to