Sean McLennan via FreeIPA-users wrote:
It appears that almost all of my remaining "stuck" certs no longer exist in the NSS DB (see below). Is it possible for me to issue new ones?
The confusion centers around the fact that you reported running IPA 4.6.9 which is very different from the version you are actually running, 4.6.90.
There is no ipaCert any more so ignore that bit.
The missing certs are the real problem. You can look in /root/cacert.p12 to see if the private keys exist there. The password is the Directory Manager password.
# pk12util -l /root/cacert.p12 |grep Friend
The names will appear twice, one for the private key and one for the public cert.
rob
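As an added check, not code from this thread or from FreeIPA itself, here is a small POSIX shell script that applies Rob's two checks to the stuck nicknames quoted below: whether each still appears in the pki-tomcat NSS DB and, if not, whether /root/cacert.p12 holds both a private key and a cert for it. The certutil and pk12util listings embedded in it are constructed sample output, and the "Friendly Name:" line format is an assumption about what pk12util -l prints.

```shell
#!/bin/sh
# Added diagnostic (not FreeIPA's or Rob's code): for each stuck certmonger
# nickname, is the cert in the pki-tomcat NSS DB, and if not, does the
# PKCS#12 backup hold its key and cert? pk12util -l is assumed to print
# "Friendly Name:" once for the key and once for the cert. The two
# listings are CONSTRUCTED samples; in production replace them with e.g.
#   NSSDB_LIST=$(certutil -L -d /etc/pki/pki-tomcat/alias/)
#   P12_FRIENDS=$(pk12util -l /root/cacert.p12 | grep Friend)
NSSDB_LIST='Certificate Nickname                  Trust Attributes
                                                  SSL,S/MIME,JAR/XPI

auditSigningCert cert-pki-ca                      u,u,u'

P12_FRIENDS='    Friendly Name: caSigningCert cert-pki-ca
    Friendly Name: caSigningCert cert-pki-ca
    Friendly Name: ocspSigningCert cert-pki-ca
    Friendly Name: ocspSigningCert cert-pki-ca
    Friendly Name: subsystemCert cert-pki-ca
    Friendly Name: auditSigningCert cert-pki-ca
    Friendly Name: auditSigningCert cert-pki-ca'
# Nicknames from the NEED_CSR_GEN_TOKEN requests quoted in the thread
STUCK='ocspSigningCert cert-pki-ca
subsystemCert cert-pki-ca
caSigningCert cert-pki-ca
Server-Cert cert-pki-ca'

# in_nssdb NICK LISTING: succeeds if the nickname heads a certutil -L row
in_nssdb() {
    printf '%s\n' "$2" | grep -q "^$1 "
}

# p12_count NICK P12OUTPUT: number of "Friendly Name" lines for NICK
# (2 = key and cert present, 1 = only one of them, 0 = absent)
p12_count() {
    printf '%s\n' "$2" | grep -c "Friendly Name: $1\$" || true
}
# classify NICK: present | restorable | partial | missing
classify() {
    if in_nssdb "$1" "$NSSDB_LIST"; then echo present; return; fi
    case $(p12_count "$1" "$P12_FRIENDS") in
        2) echo restorable ;;
        1) echo partial ;;
        *) echo missing ;;
    esac
}

printf '%s\n' "$STUCK" | while IFS= read -r nick; do
    printf '%-30s %s\n' "$nick" "$(classify "$nick")"
done
```

A nickname reported as "restorable" has both halves in the backup; "partial" or "missing" means the key material is not recoverable from that file and the cert will have to be reissued.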
On 2020-11-04 1:37 p.m., Sean McLennan via FreeIPA-users wrote:
On 2020-11-03 2:30 p.m., Rob Crittenden via FreeIPA-users wrote:
I'd suggest stopping certmonger and looking for the actual request file in /var/lib/certmonger/request (grep for id=<request id>).
Make sure that the value in key_pin matches the value in /etc/pki/pki-tomcat/alias/pwdfile.txt
I observed something that feels relevant. I was following the instructions here: https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
The log files don't show exactly what he says—I'm not sure if that's a version issue or something else. Not really finding errors (see below)
I don't seem to have 'ipaCert' anywhere?
certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'
fails with
certutil: Could not find cert: subsystemCert cert-pki-ca : PR_FILE_NOT_FOUND_ERROR: File not found
as do all the others that are stuck in that location.
certutil -L -d /etc/pki/pki-tomcat/alias/
produces:
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca u,u,u
Even if they were expired, shouldn't the others show up in the list? And of course, that date is rolled back so they shouldn't be expired...
More details and a summary of the state of things:
Restarting certmonger and/or resubmitting certs does not cause certmonger to throw any errors; pki-tomcatd has two messages when it starts that don't stop it from starting:
usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
cat: /usr/share/tomcat/conf/catalina.policy: No such file or directory
Nothing with respect to the renewals shows up in /var/log/ipa/renew.log, even when I modified the ca with 'dogtag-ipa-ca-renew-agent-submit -vv'. There are a couple of things:
ipalib.plugable DEBUG ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable DEBUG ipaserver.plugins.sudo is not a valid plugin module
If there are other errors elsewhere, I'm not sure where to look.
The passwords in /etc/pki/pki-tomcat/alias/pwdfile.txt (PIN1) and /var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA (PIN2) are /not/ the same. A third (different) password is in /etc/dirsrv/slapd-MYREALM-COM/pwdfile.txt (PIN3). Notes about key_pin and key_pin_file are from the individual request files in /var/lib/certmonger/requests/
These certs are now fine:
type=FILE,location='/var/lib/ipa/*ra-agent.pem*' (no PIN in request)
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='*auditSigningCert cert-pki-ca*',token='NSS Certificate DB' (request uses PIN1)
type=NSSDB,location='/etc/dirsrv/*slapd-MYREALM-COM',nickname='Server-Cert'*,token='NSS Certificate DB' (PIN3)
type=FILE,location='/var/lib/krb5kdc/*kdc.crt*'
These are broken:
Request ID '20181021083405':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083406':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083407':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083408':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083714':
    status: NEED_CSR_GEN_PIN
    stuck: yes
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    key_pin: PIN2
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...