> It seems that 2 different repair procedures were mixed: go back in time
> and use ipa-cert-fix. With ipa-cert-fix you don't need to change the
> current time. In order to fix the issue, we need to have the full picture:
> - what is the full output of getcert list (please include the "current"
> date on the system for us to know which certs are considered still valid)
> - which node is the renewal master (ipa config-show | grep "IPA CA renewal
> master")
Yes, I had to turn back the clock because the directory server wouldn't start, causing ipa-cert-fix to not work. Here's the full output:

[root@freeipa ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20180504194716':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: SelfSign
	issuer: CN=freeipa.rhelent.lan,O=RHELENT.LAN
	subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
	expires: 2022-02-11 18:03:36 UTC
	principal name: krbtgt/rhelent....@rhelent.lan
	certificate template/profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
Request ID '20210601131816':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=CA Audit,O=RHELENT.LAN
	expires: 2023-05-01 18:06:01 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20210601131818':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=OCSP Subsystem,O=RHELENT.LAN
	expires: 2023-05-01 18:04:04 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20210601131820':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=CA Subsystem,O=RHELENT.LAN
	expires: 2023-05-01 18:04:11 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20210601131821':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=Certificate Authority,O=RHELENT.LAN
	expires: 2035-09-03 19:24:04 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20210601131823':
	status: NEED_TO_SUBMIT
	ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=IPA RA,O=RHELENT.LAN
	expires: 2021-06-08 16:52:45 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20210601131824':
	status: NEED_TO_SUBMIT
	ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
	expires: 2021-06-08 16:53:15 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20210601131827':
	status: NEED_TO_SUBMIT
	ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-RHELENT-LAN/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
	expires: 2021-07-11 16:52:10 UTC
	principal name: ldap/freeipa.rhelent....@rhelent.lan
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv RHELENT-LAN
	track: yes
	auto-renew: yes
Request ID '20210601131835':
	status: NEED_TO_SUBMIT
	ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=RHELENT.LAN
	subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
	expires: 2021-07-12 16:52:09 UTC
	principal name: HTTP/freeipa.rhelent....@rhelent.lan
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes

There's only one node.

> The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert
> list) is 20210601131824, meaning that the corresponding request file can be
> found with
> # grep -l "id=20210601131824" /var/lib/certmonger/requests/*

Ah, found it. It was in a different file than I expected. Thank you.

I moved that CSR into /etc/pki/pki-tomcat/ca/CS.cfg but still no luck (with the current date):

# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  Serial:  23
  Expires: 2021-06-08 16:53:15

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=RHELENT.LAN
  Serial:  21
  Expires: 2021-06-08 16:52:45

IPA Apache HTTPS certificate:
  Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  Serial:  26
  Expires: 2021-07-12 16:52:09

IPA LDAP certificate:
  Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  Serial:  25
  Expires: 2021-07-11 16:52:10

Enter "yes" to proceed: yes
Proceeding.
[Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/sslserver.crt'
The ipa-cert-fix command failed.

Thanks,
Marc
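An added helper, not from this thread and not part of FreeIPA or certmonger, that answers the responder's earlier question mechanically: it parses `getcert list` output and, given the system's current date, reports which tracked certificates are already expired and which renewals are stuck with a ca-error. The sample is a constructed, abbreviated excerpt in the same layout as the listing above; `parse_getcert`, `parse_utc` and `expiry_report` are names chosen here.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of `getcert list` (three of the requests
# from the thread, cut down to the fields this script reads).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20210601131821':
	status: MONITORING
	stuck: no
	subject: CN=Certificate Authority,O=RHELENT.LAN
	expires: 2035-09-03 19:24:04 UTC
Request ID '20210601131824':
	status: NEED_TO_SUBMIT
	ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
	expires: 2021-06-08 16:53:15 UTC
Request ID '20210601131835':
	status: NEED_TO_SUBMIT
	ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
	stuck: no
	subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
	expires: 2021-07-12 16:52:09 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith(("\t", " ")) and ":" in line:
            # Split on the first colon only: ca-error values contain URLs.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def parse_utc(s):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' form getcert prints into an aware datetime."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def expiry_report(requests, now):
    """Group request ids by validity at `now`; list those whose renewal reports a ca-error."""
    report = {"expired": [], "valid": [], "errors": []}
    for r in requests:
        report["expired" if parse_utc(r["expires"]) <= now else "valid"].append(r["id"])
        if "ca-error" in r:
            report["errors"].append((r["id"], r["status"]))
    return report

if __name__ == "__main__":
    print(expiry_report(parse_getcert(SAMPLE), datetime.now(timezone.utc)))
```

Run against the real listing, the "valid" group shows whether the CA signing certificate itself is still good (it is, until 2035, which is why ipa-cert-fix rather than a CA rollover is the right tool), and the "errors" group shows which renewals are blocked by the already expired service certificates.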
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure