On 2020-11-03 2:30 p.m., Rob Crittenden via FreeIPA-users wrote:
I'd suggest stopping certmonger and looking for the actual request file in /var/lib/certmonger/request (grep for id=<request id>).
Make sure that the value in key_pin matches the value in /etc/pki/pki-tomcat/alias/pwdfile.txt
I observed something that feels relevant. I was following the instructions here: https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
The log files don't show exactly what he says—I'm not sure if that's a version issue or something else. Not really finding errors (see below).
I don't seem to have 'ipaCert' anywhere?
certutil -L -d /etc/pki/pki-tomcat/alias/ -n 'subsystemCert cert-pki-ca'
fails with
certutil: Could not find cert: subsystemCert cert-pki-ca : PR_FILE_NOT_FOUND_ERROR: File not found
as do all the others that are stuck in that location.
certutil -L -d /etc/pki/pki-tomcat/alias/
produces:
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca u,u,u
Even if they were expired, shouldn't the others show up in the list? And of course, that date is rolled back so they shouldn't be expired...
More details and a summary of the state of things:
Restarting certmonger and/or resubmitting certs does not cause certmonger to throw any errors. pki-tomcatd has two messages when it starts that don't stop it from starting:
usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
cat: /usr/share/tomcat/conf/catalina.policy: No such file or directory
Nothing with respect to the renewals shows up in /var/log/ipa/renew.log, even when I modified the ca with 'dogtag-ipa-ca-renew-agent-submit -vv'. There are a couple of things:
ipalib.plugable DEBUG ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable DEBUG ipaserver.plugins.sudo is not a valid plugin module
If there are other errors elsewhere, I'm not sure where to look.
The passwords in /etc/pki/pki-tomcat/alias/pwdfile.txt (PIN1) and /var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA (PIN2) are /not/ the same. A third (different) password is in /etc/dirsrv/slapd-MYREALM-COM/pwdfile.txt (PIN3). Notes about key_pin and key_pin_file are from the individual request files in /var/lib/certmonger/requests/
These certs are now fine:
type=FILE,location='/var/lib/ipa/*ra-agent.pem*' (no PIN in request)
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='*auditSigningCert cert-pki-ca*',token='NSS Certificate DB' (request uses PIN1)
type=NSSDB,location='/etc/dirsrv/*slapd-MYREALM-COM',nickname='Server-Cert'*,token='NSS Certificate DB' (PIN3)
type=FILE,location='/var/lib/krb5kdc/*kdc.crt*'
These are broken:
Request ID '20181021083405':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083406':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083407':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083408':
    status: NEED_CSR_GEN_TOKEN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    key_pin: PIN1
Request ID '20181021083714':
    status: NEED_CSR_GEN_PIN
    stuck: yes
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    key_pin: PIN2
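A script for the two checks discussed in this thread (does each request's key_pin match the NSS database's pwdfile.txt, and is the request's nickname actually present in the `certutil -L` listing), added here as an example and not code from the thread or from certmonger. It assumes certmonger request files are key=value lines carrying id, key_storage_location and key_nickname alongside the key_pin / key_pin_file fields named above.

```shell
#!/bin/bash
# Added example (not from the thread): cross-check each certmonger request's
# recorded PIN against an NSS database's password file, and check that the
# request's nickname is present in a `certutil -L` listing. key_pin/key_pin_file
# are from the thread; id, key_storage_location and key_nickname are assumed
# to follow certmonger's key=value request-file layout.

# Print the first value of FIELD in request file REQ (empty if absent).
req_field() {  # req_field REQ FIELD
    sed -n "s/^$2=//p" "$1" | head -n 1
}

# Return 0 if REQ's PIN equals the first line of PWDFILE, 1 if it differs,
# 2 if the request records no PIN (empty key_pin and no readable key_pin_file).
check_pin() {  # check_pin REQ PWDFILE
    local pin pinfile expected
    pin=$(req_field "$1" key_pin)
    pinfile=$(req_field "$1" key_pin_file)
    if [ -z "$pin" ] && [ -n "$pinfile" ] && [ -r "$pinfile" ]; then
        pin=$(head -n 1 "$pinfile")
    fi
    [ -n "$pin" ] || return 2
    expected=$(head -n 1 "$2")
    [ "$pin" = "$expected" ]
}

# Return 0 if NICK is listed (nickname column followed by trust attributes)
# in `certutil -L` output read from stdin.
nick_in_listing() {  # nick_in_listing NICK < listing
    grep -E "^$1[[:space:]]+[A-Za-z,]*[[:space:]]*$" >/dev/null
}

# Report requests in DIR whose keys live in the NSS DB at DBDIR and whose PIN
# disagrees with PWDFILE, or whose nickname is missing from that DB.
scan_requests() {  # scan_requests DIR PWDFILE DBDIR  (needs certutil)
    local req id nick listing rc
    listing=$(certutil -L -d "$3")
    for req in "$1"/*; do
        [ "$(req_field "$req" key_storage_location)" = "$3" ] || continue
        id=$(req_field "$req" id); nick=$(req_field "$req" key_nickname)
        rc=0; check_pin "$req" "$2" || rc=$?
        [ "$rc" -eq 0 ] || echo "$id: key_pin does not match $2 (rc=$rc)"
        printf '%s\n' "$listing" | nick_in_listing "$nick" ||
            echo "$id: nickname '$nick' not found in $3"
    done
}

# e.g. ./check.sh /var/lib/certmonger/requests /etc/pki/pki-tomcat/alias/pwdfile.txt /etc/pki/pki-tomcat/alias
if [ $# -eq 3 ]; then scan_requests "$1" "$2" "$3"; fi
```

Run it against /var/lib/certmonger/requests with the pki-tomcat alias directory and its pwdfile.txt (and again with the dirsrv database and its own pwdfile.txt), since the thread shows those databases use different PINs.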