journal seems empty for certmonger. I just see some stuff in messages:

# grep certmonger /var/log/messages*
/var/log/messages-20191215:Dec 8 08:21:11 ipa certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20200104123512.
/var/log/messages-20191215:Dec 8 08:21:11 ipa certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20200104123512.
/var/log/messages-20191215:Dec 8 08:21:11 ipa certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20200104123511.
/var/log/messages-20191215:Dec 8 08:21:11 ipa certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20200104123538.
/var/log/messages-20191215:Dec 8 08:21:35 ipa certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
/var/log/messages-20191215:Dec 8 16:21:39 ipa certmonger: 2019-12-08 16:21:39 [15599] Invalid cookie: u''
/var/log/messages-20191215:Dec 8 16:21:49 ipa certmonger: 2019-12-08 16:21:49 [15599] Invalid cookie: u''
/var/log/messages-20191215:Dec 8 16:21:59 ipa certmonger: 2019-12-08 16:21:59 [15599] Invalid cookie: u''

, which is weird; 20200104123511 is in the future...

On Sun, Dec 22, 2019 at 9:04 PM Florence Blanc-Renaud <f...@redhat.com> wrote:
> On 12/22/19 6:28 PM, Alex Corcoles via FreeIPA-users wrote:
> > Thanks!
> >
> > On Sun, Dec 22, 2019 at 11:13 AM Florence Blanc-Renaud <f...@redhat.com
> > <mailto:f...@redhat.com>> wrote:
> >
> >     4. On the other replicas, check that the certificate has been properly
> >     installed in the NSS database /etc/httpd/alias/ or in
> >     /var/lib/ipa/ra-agent.pem.
> >     If it's not the case, you can manually install the cert or call
> >     getcert resubmit -i <ID of the tracking for RA agent>
> >     Make sure that the request completed successfully with
> >     $ getcert list -i <ID>
> >     (the status must be: MONITORING)
> >
> >     The ID can be found with:
> >     getcert list -f /var/lib/ipa/ra-agent.pem
> >     or
> >     getcert list -n ipaCert
> >
> >
> > So on my renewal master, this was the cert:
> >
> > $ sudo getcert list -i 20180929065626
> > Number of certificates and requests being tracked: 9.
> > Request ID '20180929065626':
> >
> > but on the broken replica:
> >
> > $ sudo getcert resubmit -i 20180929065626
> > No request found with specified nickname.
> >
> That's expected, as the request ID is different on each host.
>
> > However, copying the file over worked. Thanks!
>
> Glad to know that the solution worked for you. So it means that the
> renewal did not proceed on the replicas. Could you check if there were
> any logs in the replica journal, that could help us understand why
> renewal failed?
> $ journalctl -t certmonger
> (look for lines mentioning "Certificate in file
> "/var/lib/ipa/ra-agent.pem" issued by CA and saved." or errors for this
> cert renewal.
>
> flo
>
> > Hopefully, this now will be googleable, although I'd humbly suggest that
> > this could be documented somewhere? (and it would be brilliant if the
> > ipa-healthcheck output pointed to it).
> >
> > Cheers,
> >
> > Álex
> > --
> >    ___
> >   {~._.~}
> >    ( Y )
> >   ()~*~()  mail: alex at corcoles dot net
> >   (_)-(_)  http://alex.corcoles.net/
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> > Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
>
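As an added example, not code from this thread or from FreeIPA/certmonger, here is a replica-side check for the two things Florence asks for above: certmonger warnings that were never followed by "issued by CA and saved", and the state of the RA-agent tracking request found via its file path rather than a request ID copied from another host. It assumes the syslog wording and the "getcert list" layout quoted in the thread; all sample data is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger: a replica-side
# check for the RA-agent renewal problem discussed above. It assumes the syslog wording
# and the "getcert list" layout quoted in the thread; all sample data is constructed.

# Certificates certmonger warned about ("will not be valid after ...") but never
# reported as "issued by CA and saved". Syslog lines on stdin, one name per line out.
renewal_gaps() {
  awk '
    match($0, /Certificate (named "[^"]*"|in file "[^"]*")/) {
      name = substr($0, RSTART + 12, RLENGTH - 12)   # drop the leading "Certificate "
      if ($0 ~ /will not be valid after/) warned[name] = 1
      if ($0 ~ /issued by CA and saved/)  renewed[name] = 1
    }
    END { for (n in warned) if (!(n in renewed)) print n }
  ' | sort
}

# "getcert list" output on stdin, $1 = tracked file path or NSS nickname; prints
# "<request id> <status>". Request IDs differ per host, so never hard-code them.
tracking_status() {
  awk -v loc="$1" -v q="'" '
    /^Request ID/         { id = $3; gsub(/[^0-9]/, "", id); status = "" }
    /^[ \t]*status:/      { status = $2 }
    /^[ \t]*certificate:/ && index($0, q loc q) { print id, status; exit }
  '
}

# Succeeds when the request exists but is not MONITORING, i.e. "getcert resubmit -i <id>" is due.
needs_resubmit() {
  st=$(tracking_status "$1")
  [ -n "$st" ] && [ "${st##* }" != MONITORING ]
}

# Constructed sample data in the formats quoted in the thread.
SYSLOG='Dec 8 08:21:11 ipa certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20200104123512.
Dec 8 08:21:11 ipa certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20200104123512.
Dec 8 08:21:11 ipa certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20200104123538.
Dec 8 08:21:35 ipa certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.'

GETCERT="Number of certificates and requests being tracked: 2.
Request ID '20180929065626':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
Request ID '20180929065640':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'"

printf '%s\n' "$SYSLOG" | renewal_gaps
printf '%s\n' "$GETCERT" | needs_resubmit /var/lib/ipa/ra-agent.pem && echo "RA agent cert: resubmit needed"
```

On a real replica, feed `grep certmonger /var/log/messages*` (or `journalctl -t certmonger`) to `renewal_gaps` and `getcert list` to `tracking_status`.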