Rob,

Thanks for pointing me in the right direction. However, after following the instructions in the above-mentioned doc I noticed a few things that are odd and have a new problem.

The first odd thing I noticed is that when I run "service pki-cad status" it shows that my PKI Subsystem Type is "CA Clone (Security Domain)". Shouldn't that say something like "CA Master"?

Second, when I ran the "ipa-getcert resubmit -I [ID]" commands they all produced the same AUTH_FAIL message in the debug log.

Now the new problem... after pressing on and restarting things, certmonger fails to start with a segfault:

Starting certmonger: /bin/bash: line 1: 64935 Segmentation fault /usr/sbin/certmonger -S -p /var/run/certmonger.pid

Thanks!

On Thu, Jul 28, 2016 at 3:36 PM, Rob Crittenden <[email protected]> wrote:
> Lewis, Adam M CIV NSWCDD, H11 wrote:
>
>> We are currently dead in the water. Our OCSP, CA Audit, CA Subsystem, and
>> IPA RA certs expired as of 7/23/16. I found and followed the instructions
>> to the letter (
>> http://www.freeipa.org/page/Howto/Promote_CA_to_Renewal_and_CRL_Master#Procedure_in_FreeIPA_.3C_4.0)
>> however the CA Subsystem and IPA RA certs will not renew. I've backdated
>> the server to make sure the system was within the renewal window, but that
>> has not helped.
>>
>
> Those are the wrong instructions.
>
> You want this instead, https://access.redhat.com/solutions/643753
>
> A bunch of it is for 2.2 but it isn't exactly noted which parts. A general
> rule is that you don't/shouldn't need to directly tweak the dogtag
> configuration or do any of the start-tracking work (though you may want to
> verify that what/if anything you changed from that wrong doc).
>
>> When I run getcert list it reports:
>> Ca-error: Server at "https://<fqdn>:9443/ca/agent/ca/profileProcess"
>> replied: 1: Authentication Error
>> for both the IPA RA and CA Subsystem certs
>>
>> The debug log shows:
>> SignedAuditEventFactory: create()
>> message=[AuditEvent=AUTH_FAIL][SubjectID=$Unidentified$][Outcome=Failure][AuthMgr=certUserDBAuthMgr][AttemptedCred=CN=IPA
>> RA,O=MISS.ION] authentication failure
>> ReviewReqServlet: Invalid Credential.
>>
>
> The place to start is to get the serial # of the ipaCert:
>
> # certutil -L -d /etc/httpd/alias -n ipaCert |grep Serial
>
> Now get the user from the dogtag LDAP server:
>
> # ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W -b
> uid=ipara,ou=People,o=ipaca description
>
> The format is 2;<serial number>;<issuer subject>;<subject>
>
> See if the serial # matches ipaCert. I'm guessing it won't. Follow the
> instructions on the page I cited to update the entry with the current
> certificate and serial # values. That should get you going.
>
> rob
>
>> We are kind of in deep doo-doo until this gets resolved.
>>
>> We are running ipa-server-3.0.0-47.el6_7.2 on RHEL 6.5
>>
>> Any thoughts?
>>
>> Thanks!
>>
>> Adam M. Lewis
>>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project

--
Adam M. Lewis
[email protected]
10807 Allie Place
Fredericksburg, VA 22408
540-412-8643
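The serial comparison Rob describes (the ipaCert serial from certutil against the second field of the "2;<serial number>;<issuer subject>;<subject>" description on uid=ipara) is easy to get wrong by hand because the issuer and subject DNs themselves contain commas, so only ";" is a safe field separator. The following POSIX shell script is an added worked example, not code from this thread or from FreeIPA: it embeds constructed sample output of the two commands (the EXAMPLE.TEST realm, the serials 7 and 5, and the function names are all assumptions) and reports whether the dogtag user entry still points at the certificate currently in /etc/httpd/alias.

```shell
#!/bin/sh
# Added example: compare the ipaCert serial (certutil -L) with the serial
# recorded in the uid=ipara description attribute in dogtag's LDAP.

# Constructed sample of `certutil -L -d /etc/httpd/alias -n ipaCert`
# output, trimmed to the lines that matter (realm and serial are made up).
SAMPLE_CERTUTIL='Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=EXAMPLE.TEST"'

# Constructed sample of the ldapsearch result for uid=ipara,ou=People,o=ipaca
# (description attribute only). Format: 2;<serial>;<issuer DN>;<subject DN>.
SAMPLE_LDAP='dn: uid=ipara,ou=People,o=ipaca
description: 2;5;CN=Certificate Authority,O=EXAMPLE.TEST;CN=IPA RA,O=EXAMPLE.TEST'

# Read certutil -L text on stdin and print the decimal serial number.
# certutil prints "Serial Number: 7 (0x7)"; the description field uses
# the decimal form, so that is what we keep.
certutil_serial() {
    sed -n 's/^[[:space:]]*Serial Number:[[:space:]]*\([0-9]*\).*/\1/p' | head -n 1
}

# Read ldapsearch LDIF on stdin and print field N (1-based) of the
# description value. DNs contain commas, so split on ';' only.
# Field 2 is the serial, 3 the issuer DN, 4 the subject DN.
ipara_field() {
    sed -n 's/^description:[[:space:]]*//p' | cut -d ';' -f "$1"
}

# Exit 0 when both serials are present and equal, 1 otherwise.
serials_match() {
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Worked run on the constructed samples. Against a live server you would
# pipe Rob's two commands into the same functions, e.g.
#   certutil -L -d /etc/httpd/alias -n ipaCert | certutil_serial
#   ldapsearch -h `hostname` -p 7389 -x -D 'cn=directory manager' -W \
#       -b uid=ipara,ou=People,o=ipaca description | ipara_field 2
cert_serial=$(printf '%s\n' "$SAMPLE_CERTUTIL" | certutil_serial)
ldap_serial=$(printf '%s\n' "$SAMPLE_LDAP" | ipara_field 2)
ldap_subject=$(printf '%s\n' "$SAMPLE_LDAP" | ipara_field 4)

if serials_match "$cert_serial" "$ldap_serial"; then
    echo "OK: ipara description serial $ldap_serial matches ipaCert serial $cert_serial ($ldap_subject)"
else
    echo "MISMATCH: ipaCert serial is $cert_serial but uid=ipara description records $ldap_serial ($ldap_subject)"
    echo "dogtag will keep rejecting the RA agent cert until the description is updated per Rob's link"
fi
```

The mismatch branch is the situation Rob predicts: dogtag's certUserDBAuthMgr looks up the presenting certificate by issuer and serial in the ipara user entry, so an entry that still records the previous (expired) certificate's serial produces exactly the AUTH_FAIL / "Invalid Credential" lines quoted in the thread even though the new ipaCert is valid.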
