giri f via FreeIPA-users wrote:
> of certificates and requests being tracked: 9.
> Request ID '20200416082225':
> status: CA_UNREACHABLE
> ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority, O=ipa360.ORG
> subject: CN=IPA RA, O=ipa360.ORG
> expires: 2024-02-25 18:27:39 UTC
> key usage: digitalSignature, keyEncipherment, dataEncipherment
> eku: id-kp-serverAuth, id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20200416082243':
> status: CA_UNREACHABLE
> ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority, O=ipa360.ORG
> subject: CN=CA Audit, O=ipa360.ORG
> expires: 2024-02-25 18:27:49 UTC
> key usage: digitalSignature, nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20200416082244':
> status: CA_UNREACHABLE
> ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority, O=ipa360.ORG
> subject: CN=OCSP Subsystem, O=ipa360.ORG
> expires: 2024-02-25 18:27:19 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20200416082245':

So you'll need to go back in time to February of this year. Restart IPA (be
sure ntpd isn't restarted) and ensure things are basically functioning.

Then restart certmonger and it should renew the certificates assuming
this server is the renewal master (ipa config-show will tell you).

Once the certificates are successfully renewed, move forward in time,
restart IPA and things should continue to work.
rob
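
An added example, not part of the original message and not FreeIPA or certmonger code: a Python script that parses `getcert list` output to report which tracked requests are not in MONITORING and the earliest expiry that the rolled-back clock has to precede. The sample output, host name and request IDs are constructed, and `parse_getcert` and `renewal_triage` are hypothetical helper names.

```python
import re
from datetime import datetime, timezone

# Constructed sample in `getcert list` layout (IDs, host and paths are illustrative).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20200101000001':
    status: CA_UNREACHABLE
    ca-error: Error 35 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: SSL connect error.
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    expires: 2024-02-25 18:27:39 UTC
Request ID '20200101000002':
    status: CA_UNREACHABLE
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    expires: 2024-02-25 18:27:19 UTC
Request ID '20200101000003':
    status: MONITORING
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    expires: 2025-11-02 09:00:00 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line.strip())
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1].setdefault(key.strip(), value.strip())
    for req in requests:
        if "expires" in req:
            req["expires"] = datetime.strptime(
                req["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return requests

def renewal_triage(text, now):
    """Return (requests not in MONITORING, their earliest expiry, clock_ok)."""
    stuck = [r for r in parse_getcert(text) if r.get("status") != "MONITORING"]
    earliest = min((r["expires"] for r in stuck if "expires" in r), default=None)
    # Assumption: the clock is usable for renewal only if it is before the
    # earliest expiry, so that every stuck certificate is still valid.
    clock_ok = earliest is not None and now < earliest
    return stuck, earliest, clock_ok
```

`getcert list` does not print a certificate's start of validity, so the script only bounds the clock from above.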