On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
> Nalin,
>
> Thanks for your response. Running `hostname` does result in
> ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
>
> I ran ` ipa-getcert resubmit -i 20120925200227 -K HTTP/
> ipa01.ctidata....@ctidata.net`
>
> and it resulted in this:
>
> Request ID '20120615190133':
>         status: CA_UNCONFIGURED
>         ca-error: Error setting up ccache for local "host" service using default
> keytab.
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS
> Certificate DB'
>         certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
>         CA: IPA
>         issuer:
>         subject:
>         expires: unknown
>         track: yes
>         auto-renew: yes
Can you retrieve the contents of the request and save it to a temporary
file, like so:

  reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
  awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' $reqfile > \
    ~/req.csr

And then try to manually submit it to the server for signing, in the way
that certmonger would, like so:

  /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr

Hopefully the error output there will give us more information about
what's going on when the submission helper's failing to set up a ccache.

If it manages to get past that point, I expect it to fail because you
hopefully don't have a principal named "bogus" defined on the local host.
But at that point we'll have gotten past errors creating the ccache, and
we'll have to find another way to figure out why it failed here.

As an aside, we provide better information for this error in the
"ca-error" note with later versions than you appear to have, so tracking
down this information won't always be this complicated.

> Request ID '20120925200227':
>         status: CA_UNREACHABLE
>         ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining: Peer certificate cannot be
> authenticated with known CA certificates).
>         stuck: yes
>         key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=CTIDATA.NET
>         subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
>         expires: 2013-03-24 19:56:36 UTC
>         eku: id-kp-serverAuth
>         track: yes
>         auto-renew: yes

There's an error verifying the server's certificate using the local copy
of the CA certificate in /etc/ipa/ca.crt. Is it also expired?
Nalin

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
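The diagnostic steps Nalin describes (locate the certmonger request file by id, extract the PEM CSR, and check whether the local /etc/ipa/ca.crt has expired), collected into reusable shell functions. This is an added example, not code from the thread or from certmonger; it assumes certmonger's request-file layout (a `csr=` key whose continuation lines are indented by one space, as Nalin's awk expression expects) and that `openssl` is installed. The `ipa-submit` step itself is left to be run by hand as in the message.

```shell
#!/bin/sh
# Added example for the certmonger troubleshooting above (not project code).
# REQUESTS_DIR can be overridden to point at a copy of the request files.
REQUESTS_DIR=${REQUESTS_DIR:-/var/lib/certmonger/requests}

# Print the path of the request file that carries the given request id.
find_request_file() {
    grep -l "^id=$1" "$REQUESTS_DIR"/* 2>/dev/null
}

# Print the PEM CSR stored in a request file: the "csr=" key and the
# one-space continuation prefix are stripped so openssl/ipa-submit accept it.
extract_csr() {
    awk '/BEGIN .*REQ/,/END .*REQ/ { sub("^( |csr=)", ""); print }' "$1"
}

# Number of PEM lines recovered; 0 means the file holds no CSR block.
csr_line_count() {
    extract_csr "$1" | wc -l | tr -d ' '
}

# Exit 0 when the certificate in $1 has already expired (or is unreadable),
# which is the question Nalin raises about /etc/ipa/ca.crt.
cert_expired() {
    if openssl x509 -in "$1" -noout -checkend 0 >/dev/null 2>&1; then
        return 1   # still within its validity period
    fi
    return 0
}

# Walk-through for one request id: save the CSR to a temp file, show its
# subject, and report on the local IPA CA certificate.
diagnose_request() {
    reqfile=$(find_request_file "$1") || reqfile=""
    [ -n "$reqfile" ] || { echo "no request file for id $1" >&2; return 1; }
    csr=$(mktemp)
    extract_csr "$reqfile" > "$csr"
    echo "CSR from $reqfile saved to $csr"
    openssl req -in "$csr" -noout -subject
    if cert_expired /etc/ipa/ca.crt; then
        echo "/etc/ipa/ca.crt is expired or unreadable"
    else
        echo "/etc/ipa/ca.crt is still valid"
    fi
}
```

Run `diagnose_request 20120615190133` as root on the IPA server, then feed the saved CSR to `/usr/libexec/certmonger/ipa-submit` as described in the message.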