Hi @Fraser, tried the commands and certificates matched in both cases.
@everyone I tried to look a little bit in the code, and the only references I saw are in https://github.com/freeipa/freeipa/blob/master/install/certmonger/dogtag-ipa-ca-renew-agent-submit (4 references) And the only one that could fit is this one: https://github.com/freeipa/freeipa/blob/master/install/certmonger/dogtag-ipa-ca-renew-agent-submit#L142 as our cookie seems to be empty (ca-error: Invalid cookie: '') and this is the only condition of the 4 that does only test for « None », the other 3 are testing for None, empty strings, … and it should be false. meaning that somehow the cookie is set somewhere but with no value? Anyway, do you think it can impact our setup? Instead of trying to resolve the issue, we could also delete this replica and replicate a new one instead? What do you think? Yohan Doing the following up for Christophe. On 05 Jan 2017, at 07:33, Fraser Tweedale <ftwee...@redhat.com<mailto:ftwee...@redhat.com>> wrote: On Wed, Jan 04, 2017 at 01:19:19PM +0000, Christophe TREFOIS wrote: Hi Florence, I did what you said, and then the status went to CA_WORKING. Then I restart ipa and certmonger and the status went to CA_UNREACHABLE. Then i did “resubmit” again and now the status is back to MONITORING, but the cookie error is back. Any advice? I have encountered the cookie error before. IIRC it was caused by authn certs in Dogtag user entries not matching the client certs used. Check the following entries: 1. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \ -b uid=pkidbuser,ou=people,o=ipaca userCertificate`` should match ``certutil -d /etc/pki/pki-tomcat/alias -L -n "subsystemCert cert-pki-ca"`` 2. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \ -b uid=ipara,ou=people,o=ipaca userCertificate`` should match ``certutil -d /etc/httpd/alias -L -n "ipaCert"`` If either of these do not match, update LDAP with what is in the certificate databases (a.k.a. NSSDBs). Ensure all certs are non-expired, etc. HTH, Fraser [root@lums3 ~]# getcert list -n ipaCert Number of certificates and requests being tracked: 8. Request ID '20161216025136': status: MONITORING ca-error: Invalid cookie: '' stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=UNI.LU subject: CN=IPA RA,O=UNI.LU expires: 2018-12-16 03:13:48 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes -- Dr Christophe Trefois, Dipl.-Ing. Technical Specialist / Post-Doc UNIVERSITÉ DU LUXEMBOURG LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE Campus Belval | House of Biomedicine 6, avenue du Swing L-4367 Belvaux T: +352 46 66 44 6124 F: +352 46 66 44 6949 http://www.uni.lu/lcsb <http://www.uni.lu/lcsb> <https://www.facebook.com/trefex> <https://twitter.com/Trefex> <https://plus.google.com/+ChristopheTrefois/> <https://www.linkedin.com/in/trefoischristophe> <http://skype:Trefex?call<http://skype:trefex?call>> ---- This message is confidential and may contain privileged information. It is intended for the named recipient only. If you receive it in error please notify me and permanently delete the original message and any copies. ---- On 4 Jan 2017, at 13:49, Florence Blanc-Renaud <f...@redhat.com<mailto:f...@redhat.com>> wrote: getcert resubmit -i <id for ipaCert>
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project