Scott Stevson via FreeIPA-users wrote:
> Hey Rob,
>
> It's the NSSDB cert. Here's some console output that might be helpful.
>
> PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358
> Request ID '20150827000358':
>         status: MONITORING
>         ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=COMPANY.LOCAL
>         subject: CN=IPA RA,O=COMPANY.LOCAL
>         expires: 2017-08-15 20:17:52 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>
> As for how this happened: We're not entirely sure yet, but the working theory is
> the SRE who provisioned the new CA master didn't fully remove all references to
> the old one. I need to track down a few more people and details in order to
> answer this fully.
>
> As for the CA debug log: I don't see any references to failures per se, and I'm
> wondering if there's something I can do to force an error that'll be useful to
> you. Again, the failure I referenced earlier is our Nagios check for certmonger
> that simply reacts to the output `getcert list` returns. Versions of this are all
> I see in the debug logs.
>
> [08/Aug/2017:15:39:31][TP-Processor9]: CMSServlet: curDate=Tue Aug 08 15:39:31 UTC 2017 id=caProfileSubmitSSLClient time=62
certmonger doesn't use SRV records to look up an IPA master. Update the xmlrpc_server entry in /etc/ipa/default.conf to point to a working IPA server and that should fix this for you after a certmonger restart. There is a bug open on this; we just haven't gotten to it yet.

rob

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
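The repoint-and-restart procedure from Rob's reply, as an added example that is not part of the thread and not FreeIPA's or certmonger's own code. It assumes the entry Rob calls xmlrpc_server is the `xmlrpc_uri = https://<host>/ipa/xml` line in the `[global]` section of /etc/ipa/default.conf (the key name as it appears in the file), keeps a `.bak` copy before rewriting, and only restarts certmonger and resubmits the request ID from the quoted `getcert list` output when it is run as root against the real config on a host that has `getcert`. The hostnames and the sample config are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): point the IPA client config at a working
# CA master, then restart certmonger and resubmit the stuck renewal request.
# Hostnames, paths and the sample config below are illustrative assumptions.

# ipa_conf_get FILE KEY -> print KEY's value from the [global] section ("" if unset)
ipa_conf_get() {
    awk -v key="$2" '
        /^\[/ { in_global = ($0 == "[global]"); next }
        in_global && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            sub(/^[^=]*=[[:space:]]*/, ""); print; exit
        }' "$1"
}

# ipa_conf_set FILE KEY VALUE -> rewrite KEY inside [global] (or add it there),
# leaving other sections alone and keeping FILE.bak as a rollback copy
ipa_conf_set() {
    file=$1 key=$2 value=$3
    tmp="${file}.tmp.$$"
    cp -p "$file" "${file}.bak" || return 1
    awk -v key="$key" -v value="$value" '
        /^\[/ {
            # leaving [global] without having seen KEY: add it before the next header
            if (in_global && !done) { print key " = " value; done = 1 }
            in_global = ($0 == "[global]")
        }
        in_global && $0 ~ ("^[[:space:]]*" key "[[:space:]]*=") {
            if (!done) { print key " = " value; done = 1 }
            next   # drop the old (and any duplicate) line
        }
        { print }
        END {
            if (!done) { if (!in_global) print "[global]"; print key " = " value }
        }' "$file" > "$tmp" && mv "$tmp" "$file"
}

# repoint_certmonger NEWHOST [FILE] [REQUEST_ID]
# Rewrites xmlrpc_uri to https://NEWHOST/ipa/xml. The certmonger restart and
# resubmit only happen for the live config, as root, where getcert exists.
repoint_certmonger() {
    host=$1 file=${2:-/etc/ipa/default.conf} req=${3:-20150827000358}
    echo "before: $(ipa_conf_get "$file" xmlrpc_uri)"
    ipa_conf_set "$file" xmlrpc_uri "https://${host}/ipa/xml" || return 1
    echo "after:  $(ipa_conf_get "$file" xmlrpc_uri)"
    if [ "$file" = /etc/ipa/default.conf ] && [ "$(id -u)" -eq 0 ] \
       && command -v getcert >/dev/null 2>&1; then
        systemctl restart certmonger
        getcert resubmit -i "$req"
        # a ca-error line that no longer appears here means the new master answered
        getcert list -i "$req" | grep -E 'status|ca-error'
    fi
}

# Demo on a constructed config (never touches certmonger): sh this_script.sh demo
if [ "${1:-}" = demo ]; then
    d=$(mktemp -d)
    cat > "$d/default.conf" <<'EOF'
[global]
basedn = dc=company,dc=local
realm = COMPANY.LOCAL
domain = company.local
server = old-ca.company.local
host = server-ns-1.our.domain.local
xmlrpc_uri = https://old-ca.company.local/ipa/xml
enable_ra = True
EOF
    repoint_certmonger new-ca.company.local "$d/default.conf"
    rm -rf "$d"
fi
```

Run it with `demo` to see the before/after values on the constructed file; on a real master, run it as root with only the new CA hostname and then watch `getcert list` until the `ca-error` line is gone and the request is back in MONITORING.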