Hi, On Thu, Dec 19, 2024 at 9:09 AM Dmitry Krasov via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
> I turned back in time, and fixed certs with resubmit command after "-c" > option, and now 2 last seems fine. But the other 6 can't find CA. > What if change their CA to "CA: IPA" ? > Please don't. The certificates that are tracked with dogtag-ipa-ca-renew-agent are shared certificates (the same cert is installed on all the replicas and the CA helper is smart enough to know if he needs to request a new certificate or download the new one). If you switch the the CA:IPA, your topology looses this logic. Do you have any strong reason for using the method go-back-in-time rather than ipa-cert-fix command? The drawback is that you need to carefully select your date in the past: the certificates must not be expired yet but also have to *be already valid* (LDAP and HTTP certs have been renewed, they will expire 2026-10-18, but what is their valid-from date? If you go back in the past to a date before they are valid, they are unusable). flo screenshot with "https://ipa.dom.loc:8443/ca/agent/ca/profileReview"; page: > https://i.ibb.co/bXsvYBD/image.png > ----------------------------------------------------- > Number of certificates and requests being tracked: 8. > Request ID '20221130052539': > status: CA_UNREACHABLE > ca-error: Error 77 connecting to > https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL > CA cert (path? access rights?). > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=CA Audit,O=DOM.LOC > expires: 2024-11-19 05:25:15 UTC > key usage: digitalSignature,nonRepudiation > pre-save command: /usr/lib/ipa/certmonger/stop_pkicad > post-save command: /usr/lib/ipa/certmonger/renew_ca_cert > "auditSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20221130052540': > status: CA_UNREACHABLE > ca-error: Error 77 connecting to > https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL > CA cert (path? access rights?). > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=OCSP Subsystem,O=DOM.LOC > expires: 2024-11-19 05:25:14 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > eku: id-kp-OCSPSigning > pre-save command: /usr/lib/ipa/certmonger/stop_pkicad > post-save command: /usr/lib/ipa/certmonger/renew_ca_cert > "ocspSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20221130052541': > status: CA_UNREACHABLE > ca-error: Error 77 connecting to > https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL > CA cert (path? access rights?). > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=CA Subsystem,O=DOM.LOC > expires: 2024-11-19 05:25:14 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib/ipa/certmonger/stop_pkicad > post-save command: /usr/lib/ipa/certmonger/renew_ca_cert > "subsystemCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20221130052542': > status: CA_UNREACHABLE > ca-error: Error 77 connecting to > https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL > CA cert (path? access rights?). > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=Certificate Authority,O=DOM.LOC > expires: 2042-11-30 05:25:14 UTC > key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign > pre-save command: /usr/lib/ipa/certmonger/stop_pkicad > post-save command: /usr/lib/ipa/certmonger/renew_ca_cert > "caSigningCert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20221130052543': > status: CA_UNREACHABLE > ca-error: Error 77 connecting to > https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL > CA cert (path? access rights?). > stuck: no > key pair storage: > type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS > Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS > Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=IPA RA,O=DOM.LOC > expires: 2024-11-19 05:25:36 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre > post-save command: /usr/lib/ipa/certmonger/renew_ra_cert > track: yes > auto-renew: yes > Request ID '20221130052544': > status: CA_UNREACHABLE > ca-error: Error 77 connecting to > https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL > CA cert (path? access rights?). > stuck: no > key pair storage: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB',pin set > certificate: > type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert > cert-pki-ca',token='NSS Certificate DB' > CA: dogtag-ipa-ca-renew-agent > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=ipa.dom.loc,O=DOM.LOC > expires: 2024-11-19 05:25:14 UTC > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth > pre-save command: /usr/lib/ipa/certmonger/stop_pkicad > post-save command: /usr/lib/ipa/certmonger/renew_ca_cert > "Server-Cert cert-pki-ca" > track: yes > auto-renew: yes > Request ID '20221130052605': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=ipa.dom.loc,O=DOM.LOC > expires: 2026-10-18 20:36:25 UTC > principal name: ldap/ipa.dom....@dom.loc > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC > track: yes > auto-renew: yes > Request ID '20221130052625': > status: MONITORING > stuck: no > key pair storage: > type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS > Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt' > certificate: > type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS > Certificate DB' > CA: IPA > issuer: CN=Certificate Authority,O=DOM.LOC > subject: CN=ipa.dom.loc,O=DOM.LOC > expires: 2026-10-18 20:36:33 UTC > principal name: HTTP/ipa.dom....@dom.loc > key usage: > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment > eku: id-kp-serverAuth,id-kp-clientAuth > pre-save command: > post-save command: /usr/lib/ipa/certmonger/restart_httpd > track: yes > auto-renew: yes > -- > _______________________________________________ > FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org > To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org > Fedora Code of Conduct: > https://docs.fedoraproject.org/en-US/project/code-of-conduct/ > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines > List Archives: > https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org > Do not reply to spam, report it: > https://pagure.io/fedora-infrastructure/new_issue >
-- _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
