On Wed, Jan 04, 2017 at 01:19:19PM +0000, Christophe TREFOIS wrote:
> Hi Florence,
>
> I did what you said, and then the status went to CA_WORKING. Then I restarted
> ipa and certmonger and the status went to CA_UNREACHABLE.
> Then I did “resubmit” again and now the status is back to MONITORING, but the
> cookie error is back.
>
> Any advice?
>
I have encountered the cookie error before. IIRC it was caused by
authn certs in Dogtag user entries not matching the client certs
used.

Check the following entries:

1. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
       -b uid=pkidbuser,ou=people,o=ipaca userCertificate``

   should match

   ``certutil -d /etc/pki/pki-tomcat/alias -L -n "subsystemCert cert-pki-ca"``

2. ``ldapsearch -LLL -D cn=directory\ manager -w4me2Test \
       -b uid=ipara,ou=people,o=ipaca userCertificate``

   should match

   ``certutil -d /etc/httpd/alias -L -n "ipaCert"``

If either of these do not match, update LDAP with what is in the
certificate databases (a.k.a. NSSDBs). Ensure all certs are
non-expired, etc.

HTH,
Fraser

> [root@lums3 ~]# getcert list -n ipaCert
> Number of certificates and requests being tracked: 8.
> Request ID '20161216025136':
>       status: MONITORING
>       ca-error: Invalid cookie: ''
>       stuck: no
>       key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>       certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>       CA: dogtag-ipa-ca-renew-agent
>       issuer: CN=Certificate Authority,O=UNI.LU
>       subject: CN=IPA RA,O=UNI.LU
>       expires: 2018-12-16 03:13:48 UTC
>       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>       eku: id-kp-serverAuth,id-kp-clientAuth
>       pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>       post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>       track: yes
>       auto-renew: yes
>
> --
>
> Dr Christophe Trefois, Dipl.-Ing.
> Technical Specialist / Post-Doc
>
> UNIVERSITÉ DU LUXEMBOURG
>
> LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE
>
> On 4 Jan 2017, at 13:49, Florence Blanc-Renaud <f...@redhat.com> wrote:
> >
> > getcert resubmit -i <id for ipaCert>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
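
The comparison described in the reply above, as an added example that is not part of the original thread: it decodes the `userCertificate` values from `ldapsearch -LLL` output (including folded LDIF lines) and checks whether the certificate exported from the NSSDB is among them. It assumes the NSSDB certificate is exported as PEM (certutil's `-a` option) and treats the entry as matching if any one LDAP value is byte-identical; the helper names and the sample data are constructed for illustration.

```python
import base64
import hashlib
import re

def ldif_certs(ldif_text):
    """DER blobs of every base64 userCertificate:: value in ldapsearch LDIF."""
    # LDIF folds long values: a continuation line starts with one space.
    unfolded = re.sub(r"\r?\n ", "", ldif_text)
    certs = []
    for line in unfolded.splitlines():
        name, sep, value = line.partition("::")
        # The attribute may carry an option, e.g. userCertificate;binary
        if sep and name.split(";")[0].lower() == "usercertificate":
            certs.append(base64.b64decode(value.strip()))
    return certs

def pem_cert(pem_text):
    """DER bytes of the first PEM certificate in the text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    return base64.b64decode("".join(m.group(1).split()))

def compare(ldif_text, pem_text):
    """Return (match, nssdb_sha256, [ldap_sha256, ...])."""
    nss, ldap = pem_cert(pem_text), ldif_certs(ldif_text)
    digest = lambda der: hashlib.sha256(der).hexdigest()
    return nss in ldap, digest(nss), [digest(c) for c in ldap]

# Constructed stand-ins for DER certificates (not real certificates).
OLD, NEW = b"constructed-old-cert" * 4, b"constructed-new-cert" * 4

def sample_ldif(ders, dn="uid=ipara,ou=people,o=ipaca"):
    """Constructed ldapsearch -LLL style output with folded values."""
    lines = ["dn: " + dn]
    for der in ders:
        b64 = base64.b64encode(der).decode()
        lines.append("userCertificate:: " + b64[:58])
        lines += [" " + b64[i:i + 77] for i in range(58, len(b64), 77)]
    return "\n".join(lines) + "\n"

def sample_pem(der):
    body = base64.encodebytes(der).decode()
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"

if __name__ == "__main__":
    # LDAP still holds only the old cert while the NSSDB has the renewed one.
    ok, nss_fp, ldap_fps = compare(sample_ldif([OLD]), sample_pem(NEW))
    print("match" if ok else "MISMATCH", nss_fp, ldap_fps)
```

Printing the SHA-256 digests on a mismatch shows which stored value is stale before LDAP is updated from the NSSDB.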