Rob,

I'm missing something in either the syntax of execution. I'm getting this
error:

ldap_modify: Invalid DN syntax (34)
        additional info: invalid dn

Just as a reminder the version of ipa I'm on is 4.4.

Jeff

On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden <rcrit...@redhat.com> wrote:

> Jeff Goddard wrote:
> > I've followed the instructions related to my error here:
> > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> > haven't found a solution.
>
> Look at these instructions
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Look only at the ipaCert part, particularly the ou=people part and the
> description attribute.
>
> rob
>
> >
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <jgodd...@emerlyn.com
> > <mailto:jgodd...@emerlyn.com>> wrote:
> >
> >     Alan,
> >
> >     Thank you so VERY much. That resolved the issue for the CA signing
> >     certificate. However I'm still seeing
> >
> >             ca-error: Server at
> >     "https://id-management-1.internal.emerlyn.com:8443/ca/
> agent/ca/profileProcess
> >     <https://id-management-1.internal.emerlyn.com:8443/ca/
> agent/ca/profileProcess>"
> >     replied: 1: Invalid Credential.
> >
> >     On multiple requests which have expiration dates in the past. Is
> >     there something else I need to do?
> >
> >     Jeff
> >
> >     On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <aheve...@redhat.com
> >     <mailto:aheve...@redhat.com>> wrote:
> >
> >         Looks like you need to get the PIN associated to the cert.|
> >
> >          # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf |
> >
> >         Then replace <pin> with the PIN in the command above.
> >
> >          # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n
> >         'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
> >
> >         On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard
> >         <jgodd...@emerlyn.com <mailto:jgodd...@emerlyn.com>> wrote:
> >
> >             I think my problem is deeper than that. I was following this
> >             guide:http://www.freeipa.org/page/Howto/CA_Certificate_
> Renewal#Renew_CA_Certificate_on_CA_Servers
> >             <http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#
> Renew_CA_Certificate_on_CA_Servers>
> >             and executed the commands related to having an external CA -
> >             which we do not have. I now get this message for the CA:
> >
> >             Request ID '20170101055025':
> >                     status: NEED_KEY_GEN_PIN
> >                     stuck: yes
> >                     key pair storage:
> >             type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> >             cert-pki-ca',pin set
> >                     certificate:
> >             type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='
> caSigningCert
> >             cert-pki-ca'
> >                     CA: dogtag-ipa-ca-renew-agent
> >                     issuer:
> >                     subject:
> >                     expires: unknown
> >                     pre-save command:
> >                     post-save command:
> >                     track: yes
> >                     auto-renew: yes
> >
> >             Is there any way I can recover?
> >
> >             Jeff
> >
> >             On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden
> >             <rcrit...@redhat.com <mailto:rcrit...@redhat.com>> wrote:
> >
> >                 Jeff Goddard wrote:
> >                 > I've done this.
> >                 > [root@id-management-1 ipa]# date
> >                 > Sun Jan  1 01:12:27 EST 2017
> >                 >
> >                 >  getcert list give me this as the first entry:
> >                 >
> >                 > Request ID '20150116162120':
> >                 >         status: CA_UNREACHABLE
> >                 >         ca-error: Server at
> >                 > https://id-management-1.internal.emerlyn.com/ipa/xml
> >                 <https://id-management-1.internal.emerlyn.com/ipa/xml>
> >                 failed request,
> >                 > will retry: 4001 (RPC failed at server.  ipa:
> >                 Certificate Authority not
> >                 > found).
> >                 >         stuck: no
> >                 >         key pair storage:
> >                 >
> >                 type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> >                 > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >                 >         certificate:
> >                 >
> >                 type=NSSDB,location='/etc/httpd/alias',nickname='Server-
> Cert',token='NSS
> >                 > Certificate DB'
> >                 >         CA: IPA
> >                 >         issuer: CN=Certificate
> >                 Authority,O=INTERNAL.EMERLYN.COM
> >                 <http://INTERNAL.EMERLYN.COM>
> >                 > <http://INTERNAL.EMERLYN.COM>
> >                 >         subject:
> >                 CN=id-management-1.internal.emerlyn.com
> >                 <http://id-management-1.internal.emerlyn.com>
> >                 > <http://id-management-1.internal.emerlyn.com
> >                 <http://id-management-1.internal.emerlyn.com>>,O=INTER
> NAL.EMERLYN.COM
> >                 <http://INTERNAL.EMERLYN.COM>
> >                 > <http://INTERNAL.EMERLYN.COM>
> >                 >         expires: 2017-01-16 16:21:20 UTC
> >                 >         key usage:
> >                 >
> >                 digitalSignature,nonRepudiation,keyEncipherment,
> dataEncipherment
> >                 >         eku: id-kp-serverAuth,id-kp-clientAuth
> >                 >         pre-save command:
> >                 >         post-save command:
> >                 /usr/lib64/ipa/certmonger/restart_httpd
> >                 >         track: yes
> >                 >         auto-renew: yes
> >                 >
> >                 > Restarting cermonger multiple times doesn't help.
> >
> >                 Sorry, I missed a step. When you go back in time you
> >                 first need to
> >                 restart IPA. The CA isn't up.
> >
> >                 rob
> >
> >                 >
> >                 > Jeff
> >                 >
> >                 >
> >                 >
> >                 >
> >                 > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden
> >                 <rcrit...@redhat.com <mailto:rcrit...@redhat.com>
> >                 > <mailto:rcrit...@redhat.com
> >                 <mailto:rcrit...@redhat.com>>> wrote:
> >                 >
> >                 >     Jeff Goddard wrote:
> >                 >     > Flo,
> >                 >     >
> >                 >     > I'm not able to access the link you posted. I
> >                 did find this thread
> >                 >     > though
> >                 >     >
> >                 >
> >                  https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html
> >                 <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html>
> >                 <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html
> >                 <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html>>
> >                 >     >
> >                 >
> >                  <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html
> >                 <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html>
> >                 >
> >                  <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html
> >                 <https://www.redhat.com/archives/freeipa-users/2015-
> June/msg00144.html>>>
> >                 >     > and have set the time back and resubmitted a
> >                 request. Still no
> >                 >     success.
> >                 >     > Any further hints?
> >                 >
> >                 >     You need to stop ntpd, go back in time to when the
> >                 certs are valid and
> >                 >     restart the certmonger service.
> >                 >
> >                 >     Then use getcert list to monitor things. You
> >                 really only care about the
> >                 >     CA subsystem certs are this point.
> >                 >
> >                 >     You may need to restart certmonger more than once
> >                 to get all the certs
> >                 >     updated (you can manually call getcert resubmit -i
> >                 <id> if you'd
> >                 >     prefer).
> >                 >
> >                 >     Once that is done return to present day, restart
> >                 ntpd then ipactl
> >                 >     restart.
> >                 >
> >                 >     rob
> >                 >
> >                 >
> >                 >
> >                 >
> >                 > --
> >                 >
> >
> >
> >
> >
> >             --
> >
> >
> >
> >             --
> >             Manage your subscription for the Freeipa-users mailing list:
> >             https://www.redhat.com/mailman/listinfo/freeipa-users
> >             <https://www.redhat.com/mailman/listinfo/freeipa-users>
> >             Go to http://freeipa.org for more info on the project
> >
> >
> >
> >
> >         --
> >         Alan Heverley
> >
> >
> >
> >
> >     --
> >
> >
> >
> >
> > --
> > Jeff Goddard
> >
> >
>
>


--
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to