Hello, we ran into a problem with expired certificates:
> getcert list   (sample shows only one expired certificate)
...
Request ID '20170202144747':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
    subject: CN=IPA RA,O=NBG.WEBTREKK.COM
    expires: 2017-07-30 13:37:02 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
...
Request ID '20170202144746':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
    subject: CN=Certificate Authority,O=NBG.WEBTREKK.COM
    expires: 2035-08-10 13:36:23 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
...
We followed the instructions for renewing certificates found on this mailing list:

* set the system time back to before the expiry
* set dogtag to use simple binds instead of TLS to connect to LDAP
* ipactl start --ignore-service-failures
* systemctl restart pki-tomcatd@pki-tomcat
* systemctl restart certmonger
* resubmit one of the expired certificates: ipa-getcert resubmit -i 20170202144747

Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-ca-renew-agent-submit[10651]: Forwarding request to dogtag-ipa-renew-agent
Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-renew-agent-submit[10661]: GET http://ipa-prod-01.<domain>:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true
Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-renew-agent-submit[10661]: <html><head><title>Apache Tomcat/7.0.69 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body></html>
Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-ca-renew-agent-submit[10651]: dogtag-ipa-renew-agent returned 2

In the certmonger logs we can see that the request is forwarded to dogtag-ipa-renew-agent, but the agent returned with return code 2,
which seemed to be "request rejected". So at this point I have no clue how to solve this problem. Any help is desired.

> ipa --version
VERSION: 4.4.0, API_VERSION: 2.213

Many thanks
Michael

--
Michael Gusek | System Administrator | Webtrekk GmbH
t +49 30 755 415 302 | f +49 30 755 415 100 | w www.webtrekk.com <https://www.webtrekk.com/?wt_mc=signature.-.-.-.homepageURL>
Amtsgericht/Local Court Berlin, HRB 93435 B | Geschäftsführer/CEO Christian Sauer
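The first step in working through a renewal problem like the one above is knowing exactly which tracked certificates have already passed their expiry at a given point in time (the IPA RA cert here expired on 2017-07-30 while the CA signing cert is good until 2035). The script below parses `getcert list` output and reports expired or stuck tracking requests against a reference time; it is an added example, not code from the mail or from the FreeIPA/certmonger projects. The sample text is constructed from the two records in the mail, laid out one field per line as `getcert list` prints them; the function names `parse_getcert_list`, `find_expired`, `find_problems` and `utc_date` are this example's own.

```python
"""Parse `getcert list` output and flag expired or stuck tracking requests.

Added example for the FreeIPA-users thread above; not part of the original
mail. Pipe real output in (`getcert list | python3 check_getcert.py`) or run
without input to use the constructed sample.
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample (built from the fields quoted in the mail, not captured
# from a live host): two tracking requests, tab-indented like getcert prints.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170202144747':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
\tsubject: CN=IPA RA,O=NBG.WEBTREKK.COM
\texpires: 2017-07-30 13:37:02 UTC
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID '20170202144746':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
\tsubject: CN=Certificate Authority,O=NBG.WEBTREKK.COM
\texpires: 2035-08-10 13:36:23 UTC
\tkey usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def utc_date(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime (test helper)."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the getcert field names.

    Field lines are indented; 'Request ID' lines start a new record. The
    'expires' field is additionally parsed into an aware datetime 'expires_at'.
    """
    records, current = [], None
    for raw in text.splitlines():
        match = REQUEST_RE.match(raw)
        if match:
            current = {"request_id": match.group(1)}
            records.append(current)
            continue
        if current is None or not raw.startswith(("\t", " ")):
            continue  # summary/header lines outside any record
        key, sep, value = raw.strip().partition(": ")
        if sep:
            current[key] = value
    for rec in records:
        if "expires" in rec:
            rec["expires_at"] = datetime.strptime(rec["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return records


def find_expired(records, now):
    """Records whose certificate expiry is at or before `now`."""
    return [r for r in records if "expires_at" in r and r["expires_at"] <= now]


def find_problems(records, now):
    """(request_id, subject, reasons) for anything a monitoring check should flag."""
    problems = []
    for r in records:
        reasons = []
        if r.get("stuck") == "yes":
            reasons.append("stuck")
        if r.get("status") != "MONITORING":
            reasons.append("status=" + r.get("status", "?"))
        if "expires_at" in r and r["expires_at"] <= now:
            reasons.append("expired " + r["expires"])
        if reasons:
            problems.append((r["request_id"], r.get("subject", ""), reasons))
    return problems


if __name__ == "__main__":
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GETCERT_OUTPUT
    for request_id, subject, reasons in find_problems(parse_getcert_list(data), datetime.now(timezone.utc)):
        print(f"{request_id}  {subject}  {', '.join(reasons)}")
```

Run periodically from monitoring, the check catches an expiry well before a renewal agent starts failing; on the sample, with the clock at 2017-08-01 the RA certificate (request 20170202144747) is reported as expired and the CA signing certificate is not.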
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org