Rob, I'm getting this error:

certutil -M -n "auditSigningCert cert-pki-ca" -d /var/lib/pki-ca/alias -t u,u,Pu
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Jeff

On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden <[email protected]> wrote:
> Jeff Goddard wrote:
> > I've followed the instructions related to my error here:
> > http://www.freeipa.org/page/Troubleshooting#PKI_Issues but I still
> > haven't found a solution.
>
> Look at these instructions
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>
> Look only at the ipaCert part, particularly the ou=people part and the
> description attribute.
>
> rob
>
> > Jeff
> >
> > On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <[email protected]> wrote:
> > > Alan,
> > >
> > > Thank you so VERY much. That resolved the issue for the CA signing
> > > certificate. However I'm still seeing
> > >
> > > ca-error: Server at
> > > "https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess"
> > > replied: 1: Invalid Credential.
> > >
> > > On multiple requests which have expiration dates in the past. Is
> > > there something else I need to do?
> > >
> > > Jeff
> > >
> > > On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <[email protected]> wrote:
> > > > Looks like you need to get the PIN associated to the cert.
> > > >
> > > > # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
> > > >
> > > > Then replace <pin> with the PIN in the command above.
> > > >
> > > > # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent
> > > >
> > > > On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <[email protected]> wrote:
> > > > > I think my problem is deeper than that. I was following this guide:
> > > > > http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers
> > > > > and executed the commands related to having an external CA -
> > > > > which we do not have. I now get this message for the CA:
> > > > >
> > > > > Request ID '20170101055025':
> > > > >         status: NEED_KEY_GEN_PIN
> > > > >         stuck: yes
> > > > >         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
> > > > >         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
> > > > >         CA: dogtag-ipa-ca-renew-agent
> > > > >         issuer:
> > > > >         subject:
> > > > >         expires: unknown
> > > > >         pre-save command:
> > > > >         post-save command:
> > > > >         track: yes
> > > > >         auto-renew: yes
> > > > >
> > > > > Is there any way I can recover?
> > > > >
> > > > > Jeff
> > > > >
> > > > > On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <[email protected]> wrote:
> > > > > > Jeff Goddard wrote:
> > > > > > > I've done this.
> > > > > > > [root@id-management-1 ipa]# date
> > > > > > > Sun Jan 1 01:12:27 EST 2017
> > > > > > >
> > > > > > > getcert list gives me this as the first entry:
> > > > > > >
> > > > > > > Request ID '20150116162120':
> > > > > > >         status: CA_UNREACHABLE
> > > > > > >         ca-error: Server at https://id-management-1.internal.emerlyn.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
> > > > > > >         stuck: no
> > > > > > >         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > > > >         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> > > > > > >         CA: IPA
> > > > > > >         issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM
> > > > > > >         subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM
> > > > > > >         expires: 2017-01-16 16:21:20 UTC
> > > > > > >         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > > > >         eku: id-kp-serverAuth,id-kp-clientAuth
> > > > > > >         pre-save command:
> > > > > > >         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> > > > > > >         track: yes
> > > > > > >         auto-renew: yes
> > > > > > >
> > > > > > > Restarting certmonger multiple times doesn't help.
> > > > > >
> > > > > > Sorry, I missed a step. When you go back in time you first need to
> > > > > > restart IPA. The CA isn't up.
> > > > > >
> > > > > > rob
> > > > > >
> > > > > > > Jeff
> > > > > > >
> > > > > > > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <[email protected]> wrote:
> > > > > > > > Jeff Goddard wrote:
> > > > > > > > > Flo,
> > > > > > > > >
> > > > > > > > > I'm not able to access the link you posted. I did find this thread though
> > > > > > > > > https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html
> > > > > > > > > and have set the time back and resubmitted a request. Still no success.
> > > > > > > > > Any further hints?
> > > > > > > >
> > > > > > > > You need to stop ntpd, go back in time to when the certs are valid and
> > > > > > > > restart the certmonger service.
> > > > > > > >
> > > > > > > > Then use getcert list to monitor things. You really only care about the
> > > > > > > > CA subsystem certs at this point.
> > > > > > > >
> > > > > > > > You may need to restart certmonger more than once to get all the certs
> > > > > > > > updated (you can manually call getcert resubmit -i <id> if you'd prefer).
> > > > > > > >
> > > > > > > > Once that is done return to present day, restart ntpd then ipactl restart.
> > > > > > > >
> > > > > > > > rob
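Rob's advice in the thread is to watch `getcert list` while the clock is rolled back and resubmit whatever has not come back to MONITORING. The following is an added example, not code from the thread or from FreeIPA/certmonger: a small POSIX shell triage of `getcert list` output that flags stuck requests (like the NEED_KEY_GEN_PIN one above), requests in any state other than MONITORING (like the CA_UNREACHABLE one), and certificates expiring before a cutoff date. The sample output and the `ipa.example.test` hostname are constructed; on a real server pipe `getcert list` into `report_requests` instead.

```shell
# Added example, not from the thread or from FreeIPA/certmonger: triage the
# output of `getcert list` after a clock-rollback renewal. Lists every tracked
# request that is stuck, not back in MONITORING, or expires before a cutoff date.
# Constructed sample of `getcert list` output (hostname invented, fields abridged).
sample_getcert_output() {
cat <<'EOF'
Request ID '20150116162120':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not found).
	stuck: no
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	expires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
	status: NEED_KEY_GEN_PIN
	stuck: yes
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
	expires: unknown
Request ID '20150116162200':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
	expires: 2016-12-20 00:00:00 UTC
Request ID '20150116162300':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
	expires: 2018-12-20 00:00:00 UTC
EOF
}
# report_requests CUTOFF (YYYY-MM-DD): reads getcert output on stdin and prints
# "ID<TAB>nickname<TAB>reason" for each request that still needs attention.
report_requests() {
  awk -v cutoff="$1" -v q="'" '
    function flush() {                       # emit the record collected so far
      if (id == "") return
      reason = ""
      if (stuck == "yes")              reason = "stuck (" status ")"
      else if (status != "MONITORING") reason = "status=" status
      else if (expires != "unknown" && substr(expires, 1, 10) < cutoff) reason = "expired " substr(expires, 1, 10)
      if (reason != "") printf "%s\t%s\t%s\n", id, nick, reason
      id = status = stuck = expires = nick = ""
    }
    /^Request ID/      { flush(); id = $0; gsub(/[^0-9]/, "", id); next }
    /^[ \t]*status: /  { status  = $0; sub(/^[ \t]*status: /,  "", status);  next }
    /^[ \t]*stuck: /   { stuck   = $0; sub(/^[ \t]*stuck: /,   "", stuck);   next }
    /^[ \t]*expires: / { expires = $0; sub(/^[ \t]*expires: /, "", expires); next }
    /^[ \t]*certificate: / && match($0, "nickname=" q "[^" q "]*" q) {
      nick = substr($0, RSTART + 10, RLENGTH - 11); next }   # text between the quotes
    END { flush() }'
}
sample_getcert_output | report_requests "${1:-2017-01-06}"
```

ISO dates compare correctly as plain strings, which is why the expiry check needs no date arithmetic; a request that is both stuck and expired is reported once, under the stuck reason.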
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
