Hi there, I've been using IPA 4.4.0 and pki-server 10.3.3 and have been posting on the freeipa mailing list, but unfortunately haven't resolved the problem, so I am looking for support on this mailing list.
[1] Since certmonger failed to renew certs, I believe the resolution is going back in time to when all certs are valid and restarting the certmonger service.

[2] I went back in time and verified that pki-server is running, with the command:

    SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview

[3] Restarted certmonger, and getcert list shows four certs in submitting status:

    # getcert list | egrep "certificate|expire|status"
    status: SUBMITTING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-08-14 20:49:38 UTC
    status: SUBMITTING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-08-14 20:49:35 UTC
    status: SUBMITTING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-08-14 20:49:36 UTC
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2036-08-24 20:49:35 UTC
    status: SUBMITTING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2018-08-14 20:50:00 UTC
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-07-07 01:47:45 UTC

[4] Here is where the problem starts: the CA stops running, and /var/lib/pki/pki-tomcat/logs/ca/selftests.log reports

    0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] CAPresence: CA is present
    0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SystemCertsVerification: system certs verification failure: Certificate auditSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
    0.localhost-startStop-1 - [10/Aug/2018:02:28:05 PDT] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

[5] I see that 'auditSigningCert' and ocspSigningCert have been renewed, so obviously at this very moment their validity time is not the same as for the other certs. Hence selftests.log reports auditSigningCert is invalid, the CA stops running, and I am left with two certs not renewed. The new cert list now is:

    # getcert list | egrep "certificate|expires"
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-10-29 06:35:38 UTC
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-10-11 20:15:53 UTC
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-08-14 20:49:36 UTC
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2036-08-24 20:49:35 UTC
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2018-08-14 20:50:00 UTC
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    expires: 2020-07-07 01:47:45 UTC

The question now is how to work around this problem? Instead of restarting the certmonger service, is there a way to manually renew the cert?

thanks,
Zarko
_______________________________________________
Pki-users mailing list
Pki-users@redhat.com
https://www.redhat.com/mailman/listinfo/pki-users
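The post's procedure hinges on two things an operator has to read off `getcert list` by hand: which tracking requests are stuck in SUBMITTING, and what the latest system clock is at which every tracked certificate is still within its validity window (the CA self-test in step [4] refuses to start when any system cert has expired). The following is an added example, not code from the post or from the FreeIPA/Dogtag/certmonger projects. It parses the first `getcert list | egrep ...` listing quoted above (embedded here as a constructed sample), reports the stuck requests, computes the earliest expiry, and classifies every certificate against a chosen clock. It assumes the line format shown in the post, that `expires:` stamps are in UTC as getcert prints them, and the 28-day warning window is an arbitrary choice.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the first filtered `getcert list` listing quoted in the post.
SAMPLE_GETCERT = """\
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: SUBMITTING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2020-07-07 01:47:45 UTC
"""

NICK_RE = re.compile(r"nickname='([^']*)'")
LOC_RE = re.compile(r"location='([^']*)'")


def parse_getcert(text):
    """Group filtered getcert lines into one record per tracked certificate.

    A 'status:' line (if present) belongs to the 'certificate:' line that follows
    it; an 'expires:' line belongs to the most recent certificate.
    """
    records, pending_status = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("status:"):
            pending_status = line.split(":", 1)[1].strip()
        elif line.startswith("certificate:"):
            nick, loc = NICK_RE.search(line), LOC_RE.search(line)
            records.append({
                "nickname": nick.group(1) if nick else "?",
                "location": loc.group(1) if loc else "?",
                "status": pending_status,
                "expires": None,
            })
            pending_status = None
        elif line.startswith("expires:") and records:
            # e.g. "2018-08-14 20:49:38 UTC"; assumption: always UTC, as getcert prints it
            stamp = line.split(":", 1)[1].strip().rsplit(" ", 1)[0]
            records[-1]["expires"] = datetime.strptime(
                stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return records


def stuck_renewals(records):
    """Nicknames whose certmonger request is not in the steady MONITORING state."""
    return sorted(r["nickname"] for r in records
                  if r["status"] and r["status"] != "MONITORING")


def earliest_expiry(records):
    """The clock must be before this instant for every tracked cert to verify."""
    return min(r["expires"] for r in records if r["expires"] is not None)


def classify(records, now, warn_days=28):
    """Map nickname -> 'expired' | 'expiring' | 'valid' | 'unknown' relative to `now`."""
    verdicts = {}
    for rec in records:
        exp = rec["expires"]
        if exp is None:
            verdict = "unknown"
        elif exp <= now:
            verdict = "expired"
        elif exp - now < timedelta(days=warn_days):  # warn_days is an arbitrary choice
            verdict = "expiring"
        else:
            verdict = "valid"
        verdicts[rec["nickname"]] = verdict
    return verdicts


if __name__ == "__main__":
    recs = parse_getcert(SAMPLE_GETCERT)
    # The selftests.log timestamp from the post, 10/Aug/2018 02:28:05 PDT, in UTC.
    clock = datetime(2018, 8, 10, 9, 28, 5, tzinfo=timezone.utc)
    print("stuck renewals:", stuck_renewals(recs))
    print("latest safe clock (earliest expiry):", earliest_expiry(recs))
    for nick, verdict in classify(recs, clock).items():
        print(f"{verdict:9s} {nick}")
```

Run against live output with `getcert list | egrep "certificate|expire|status"` piped into `parse_getcert`; `earliest_expiry` tells you how far back the clock in step [1] needs to go, and a non-empty `stuck_renewals` after the certmonger restart in step [3] is the signal that renewal has not completed yet.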