Marc Boorshtein wrote:
>
>     It didn't fail on the subsystem certificate, it failed on the TLS
>     certificate for the CA itself (it seems). You can check that with:
>
>     getcert list -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca"
>
> Here's the output:
>
> [root@freeipa ca]# getcert list -d /etc/pki/pki-tomcat/alias -n
> "Server-Cert cert-pki-ca"
> Number of certificates and requests being tracked: 9.
> Request ID '20210601131824':
> status: CA_UNREACHABLE
> ca-error: Error 7 connecting to
> http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect
> to server.
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=RHELENT.LAN
> subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
> expires: 2021-06-08 16:53:15 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
>
>     If it expires in 2023 then you're ok with the CA anyhow.
>
> Listed as expiring in 2021. Can I force this to be re-issued?

Looks like you're running into
https://bugzilla.redhat.com/show_bug.cgi?id=1780782

The fix wasn't backported to the ipa-4.6 branch. Try retrieving the CSR from certmonger as suggested in the BZ.

rob
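
An added example, not part of the original thread and not certmonger's own code: a small Python parser for `getcert list` output that flags tracked requests whose status is not `MONITORING` or whose certificate is close to expiry. The sample input is constructed from the output quoted above; the second request, the function names and the 28-day threshold are assumptions.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the quoted output; the second request is invented.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20210601131824':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
    expires: 2021-06-08 16:53:15 UTC
Request ID '20210601131825':
    status: MONITORING
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Subsystem,O=RHELENT.LAN
    expires: 2023-05-01 00:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current.setdefault(key, value.strip())
    return requests

def findings(requests, now, warn_days=28):
    """Return (id, subject, problems) for requests that need attention."""
    out = []
    for r in requests:
        problems = []
        if r.get("status") != "MONITORING":
            problems.append(f"status={r.get('status')}")
        if "expires" in r:  # requests without an issued cert have no expiry line
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            days = (exp.replace(tzinfo=timezone.utc) - now).days
            if days < warn_days:
                problems.append(f"expires in {days} days")
        if problems:
            out.append((r["id"], r.get("subject"), problems))
    return out

if __name__ == "__main__":
    for item in findings(parse_getcert(SAMPLE), datetime.now(timezone.utc)):
        print(item)
```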