Sean McLennan via FreeIPA-users wrote:
/root/cacert.p12 to see if the private keys exist there. The password is the Directory Manager password.
# pk12util -l /root/cacert.p12 |grep Friend
The names will appear twice, one for the private key and one for the public cert.
This is what I get:

pk12util: PKCS12 decode not verified: SEC_ERROR_PKCS12_INVALID_MAC: Unable to import. Invalid MAC. Incorrect password or corrupt file.
Friendly Name: caSigningCert cert-pki-ca
Friendly Name: ocspSigningCert cert-pki-ca
Friendly Name: subsystemCert cert-pki-ca
Friendly Name: auditSigningCert cert-pki-ca
Friendly Name: caSigningCert cert-pki-ca
Friendly Name: ocspSigningCert cert-pki-ca
Friendly Name: subsystemCert cert-pki-ca
Friendly Name: auditSigningCert cert-pki-ca
Friendly Name: Server-Cert cert-pki-ca
Ok you probably have all you need but the error message means the password is wrong. Without the password you're still stuck.
So if it's supposed to be the Directory Manager password, I'm sure I have that one right because I can use it for basic 'ldapsearch'es.
/root/cacert.p12 was last modified in Dec 2018 (~2 months after install?) and I have never changed the Directory Manager password since I installed freeipa.
With no real expectation they would work, I tried a couple other passwords I have related to ipa as well as the passwords in /etc/pki/pki-tomcat/alias/pwdfile.txt and /var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA. They didn't.
Anywhere else I can look?
It isn't stored anywhere.
I can't explain why cacert.p12 would be updated other than generating a domain level 0 replica installation file which wouldn't make sense with this version of IPA.
I'd see if you have any backups or other copies of these missing certificates somewhere.
rob
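A scripted form of the check discussed in this thread, added here as an example and not part of anyone's post: it opens a PKCS#12 bundle with openssl instead of pk12util (so it also runs on a box without the NSS tools), reports whether the MAC verifies, counts the private keys and friendly names inside, and tries a list of candidate passwords the way Sean did by hand. The make_test_bundle fixture, its self-signed certificate, the file names and the passwords are constructed for the demo; the only assumption about the environment is that openssl is in PATH.

```shell
#!/bin/sh
# Added example, not from the FreeIPA-users thread. Assumes openssl in PATH.

# p12_check FILE PASSWORD
# Prints "badpass" and returns 1 when the MAC does not verify (openssl's
# "Mac verify error", the counterpart of pk12util's
# SEC_ERROR_PKCS12_INVALID_MAC). Otherwise prints "ok keys=N names=M",
# where N is the number of private keys and M the number of friendlyName
# attributes (a key/cert pair shows its name twice, as noted in the thread).
p12_check() {
    p12_file=$1
    p12_pass=$2
    if ! p12_out=$(openssl pkcs12 -in "$p12_file" -passin "pass:$p12_pass" \
                   -nodes 2>&1 </dev/null); then
        echo "badpass"
        return 1
    fi
    keys=$(printf '%s\n' "$p12_out" | grep -c 'BEGIN.*PRIVATE KEY' || true)
    names=$(printf '%s\n' "$p12_out" | grep -c 'friendlyName:' || true)
    echo "ok keys=$keys names=$names"
}

# p12_try_passwords FILE PWFILE
# Tries each non-empty line of PWFILE as the bundle password (e.g. the
# contents of pwdfile.txt or an IPA passwds file). Prints the p12_check
# result for the first password that verifies, or "nomatch" and returns 1.
p12_try_passwords() {
    bundle=$1
    pwfile=$2
    while IFS= read -r cand || [ -n "$cand" ]; do
        [ -n "$cand" ] || continue
        if res=$(p12_check "$bundle" "$cand"); then
            printf '%s\n' "$res"
            return 0
        fi
    done < "$pwfile"
    echo "nomatch"
    return 1
}

# make_test_bundle DIR PASSWORD
# Constructed fixture: a throwaway self-signed key/cert pair exported as
# DIR/test.p12 under PASSWORD, with the friendly name an IPA CA would use.
make_test_bundle() {
    dir=$1
    bpass=$2
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=test" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null
    openssl pkcs12 -export -in "$dir/cert.pem" -inkey "$dir/key.pem" \
        -name "caSigningCert cert-pki-ca" -out "$dir/test.p12" \
        -passout "pass:$bpass"
}

# Stand-alone use: ./p12check.sh /root/cacert.p12 /path/to/candidate-passwords
if [ "$#" -eq 2 ]; then
    p12_try_passwords "$1" "$2"
fi
```

With a wrong password the bundle still lists its friendly names (they sit in unauthenticated bag attributes), so seeing the names is not evidence that the password is right; only a verified MAC followed by keys=N with N greater than zero shows that the private keys are really recoverable.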