I've inherited an IPA infrastructure for a group in my organization.  So I've
got a RHEL instance with an IPA 3.0.0 server with expired certs.
[root@ipa ~]# rpm -qa | grep ipa-server
ipa-server-selinux-3.0.0-26.el6_4.2.x86_64
ipa-server-3.0.0-26.el6_4.2.x86_64
[root@ipa ~]#

[root@ipa ~]# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130404232110':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=CA Audit,O=IDEF
	expires: 2017-02-15 19:26:38 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130404232111':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=OCSP Subsystem,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	eku: id-kp-OCSPSigning
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130404232112':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=CA Subsystem,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130404232113':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=IPA RA,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130404232114':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa.infra.idef:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='242557339296'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=ipa.infra.idef,O=IDEF
	expires: 2017-02-15 19:25:38 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130404232127':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IDEF/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-IDEF',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=ipa.infra.idef,O=IDEF
	expires: 2015-04-05 23:21:26 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130404232155':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=ipa.infra.idef,O=IDEF
	expires: 2015-04-05 23:21:54 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20130404232517':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'IDEF'.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=IDEF
	subject: CN=ipa.infra.idef,O=IDEF
	expires: 2015-04-05 23:25:17 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Now, I've tried following the instructions under the following link for fixing 
expired certs:
https://www.freeipa.org/page/Howto/CA_Certificate_Renewal

However, I ran into many issues; first, I don't know what the <pin> referenced
very early on in the instruction set is.
I Googled a bit and saw some advice about rolling the clock back, then
restarting certmonger to renew the certs. Here is the output of that process.
[root@ipa ~]# date
Thu Apr 10 00:13:51 EDT 2014
[root@ipa ~]# /etc/init.d/certmonger restart
Stopping certmonger:                                       [  OK  ]
Starting certmonger:                                       [  OK  ]
[root@ipa ~]#
That did not work.

Here are some errors from syslog:
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.
Apr 10 00:13:57 ipa certmonger: Error 7 connecting to http://myhost.mydomain.com:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.
Apr 10 00:13:57 ipa certmonger: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MyORG'.
Any ideas would be greatly appreciated.
Thanks.
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
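As an added example (not from the original post or from the FreeIPA project), a small Python helper for triaging `getcert list` output of the shape pasted above: it splits the tracked requests, maps each ca-error to the dependency certmonger could not reach (the Dogtag CA on port 9180 versus the KDC), lists which certificates are already past their expiry at a given point in time, and scrubs the NSS database PIN that getcert prints in clear text before the output is shared. The sample output, host, realm, paths and PIN are constructed placeholders.

```python
import re
from datetime import datetime, timezone

# Constructed `getcert list` output in the IPA 3.0 layout; host, realm, PIN and paths are placeholders.
SAMPLE = """Request ID '20130404232110':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://ipa.example.test:9180/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='000000000000'
\tCA: dogtag-ipa-renew-agent
\texpires: 2017-02-15 19:26:38 UTC
Request ID '20130404232127':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'EXAMPLE'.
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE/pwdfile.txt'
\tCA: IPA
\texpires: 2015-04-05 23:21:26 UTC
"""

def redact_pins(text):
    """getcert prints the NSS DB PIN in clear text; scrub it before pasting the output anywhere."""
    return re.sub(r"pin='[^']*'", "pin='<redacted>'", text)

def root_cause(ca_error):
    """Map a ca-error line to the dependency certmonger could not reach."""
    if not ca_error:
        return None
    if "Cannot contact any KDC" in ca_error:
        return "kdc"   # no host ticket: renewals that go through IPA cannot even authenticate
    return "dogtag-ca" if ":9180/ca/" in ca_error else "other"  # pki-ca not answering on 9180

def parse_getcert(text):
    """Split `getcert list` output into one dict per tracked request."""
    entries = []
    for block in re.split(r"(?m)^Request ID ", text)[1:]:
        fields = dict(re.findall(r"(?m)^\t([\w -]+): (.*)$", block))
        nick = re.search(r"nickname='([^']+)'", fields.get("key pair storage", ""))
        exp = fields.get("expires")
        entries.append({"id": block.split("'")[1], "status": fields.get("status"),
                        "ca": fields.get("CA"), "nickname": nick.group(1) if nick else None,
                        "cause": root_cause(fields.get("ca-error")),
                        "expires": datetime.strptime(exp, "%Y-%m-%d %H:%M:%S %Z")
                        .replace(tzinfo=timezone.utc) if exp else None})
    return entries

def expired(entries, now):
    """Nicknames whose certificate is already past notAfter at time `now` (tz-aware)."""
    return [e["nickname"] for e in entries if e["expires"] and e["expires"] <= now]

if __name__ == "__main__":
    for e in parse_getcert(redact_pins(SAMPLE)):
        print(e["id"], e["ca"], e["nickname"], e["cause"], e["expires"])
```

Run it against `getcert list > /tmp/getcert.txt` on the affected server to see at a glance which requests are blocked on the CA and which on Kerberos, and which certificates are actually past their expiry at the real (not rolled-back) date.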