Reading a lot I learned that certificates should be renewed automatically 28 days before expiring.
But some of the certificates are now at less than 10 days. This is on the CA renewal master:
Request ID '20181008075404':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    expires: 2019-11-30 11:12:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20181008075405':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    subject: CN=CA Subsystem,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    expires: 2019-11-30 11:11:38 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20181008075407':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    subject: CN=IPA RA,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    expires: 2019-11-30 11:10:54 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Is there a way to get them renewed manually?
And I always forget: it's CentOS 7.7, fully updated, FreeIPA 4.6.5.
After restarting (backup of the VM images) the replica CA server now shows:
Request ID '20181008070909':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    expires: 2019-11-30 11:12:26 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20181008070910':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    subject: CN=CA Subsystem,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    expires: 2019-11-30 11:11:38 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20181008070913':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    subject: CN=IPA RA,O=EXAMPLE.COM,OU=Institute,C=DE,E=christof.schulze@fau.de,L=CITY
    expires: 2019-11-30 11:10:54 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Christof Schulze via FreeIPA-users wrote:
> Is there a way to get them renewed manually?
I'd start by checking the journal for messages from certmonger. It should have tried to renew them at least twice now. The other certificates were able to renew successfully?
You can force certmonger to try renewal with:
# getcert resubmit -i <id>
Or you can just restart certmonger and it'll re-evaluate things.
rob
The journal shows this on idm1, the CA renewal master (the same on the replicas, only at a different time):
Nov 3 07:37:47 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111138.
Nov 3 07:37:47 idm1 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111102.
Nov 3 07:37:47 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111226.
Nov 3 07:37:47 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20191130111054.
Restarting certmonger did not help.
Resubmitting the certificates on idm1 (renewal master) did renew the certificates there.
But they are not renewed on the replica masters (certmonger restarted, nothing in the journal). Is there a way to get more output from certmonger?
Is it ok to resubmit them on the replicas too?
On 22.11.19 14:51, Rob Crittenden via FreeIPA-users wrote:
> I'd start by checking the journal for messages from certmonger. It should have tried to renew them at least twice now. The other certificates were able to renew successfully?
> You can force certmonger to try renewal with:
> # getcert resubmit -i <id>
> Or you can just restart certmonger and it'll re-evaluate things.
> rob
Christof Schulze via FreeIPA-users wrote:
> The journal shows this on idm1, the CA renewal master (the same on the replicas, only at a different time):
> Nov 3 07:37:47 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111138.
> Nov 3 07:37:47 idm1 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111102.
> Nov 3 07:37:47 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111226.
> Nov 3 07:37:47 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20191130111054.
> Restarting certmonger did not help.
Ok, it examined the cert and didn't see it within one of its thresholds I guess.
> Resubmitting the certificates on idm1 (renewal master) did renew the certificates there.
> But they are not renewed on the replica masters (certmonger restarted, nothing in the journal). Is there a way to get more output from certmonger?
Create /etc/sysconfig/certmonger with the contents: OPTS=-d3
then restart certmonger.
> Is it ok to resubmit them on the replicas too?
Yes.
rob
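Added example, not part of the original thread and not FreeIPA or certmonger code: a check over `getcert list` output that reports the condition discussed above, i.e. tracked certificates that are already inside the renewal window but still unrenewed, plus any `ca-error`. The function names, the 28-day default (the figure given in the first post) and the sample text are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the one-field-per-line layout that `getcert list`
# prints. The first two records reuse values quoted in the thread (trimmed
# to the fields read here); the third is a made-up placeholder.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20181008075404':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2019-11-30 11:12:26 UTC
    auto-renew: yes
Request ID '20181008070913':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    expires: 2019-11-30 11:10:54 UTC
    auto-renew: yes
Request ID 'placeholder-0001':
    status: MONITORING
    stuck: no
    certificate: type=FILE,location='/etc/pki/example/placeholder.pem'
    expires: 2021-10-08 07:54:04 UTC
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as the ca-error
            # text or the storage location contain colons themselves.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def renewal_findings(requests, now, window_days=28):
    """Return (id, days_left, reasons) for requests that need attention."""
    findings = []
    for req in requests:
        reasons, days_left = [], None
        if "expires" in req:
            expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
            days_left = (expires.replace(tzinfo=timezone.utc) - now).days
            if days_left < 0:
                reasons.append("expired")
            elif days_left < window_days and req.get("auto-renew") == "yes":
                reasons.append("inside renewal window, not yet renewed")
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        if "ca-error" in req:
            reasons.append("ca-error: " + req["ca-error"])
        if reasons:
            findings.append((req["id"], days_left, reasons))
    return findings


if __name__ == "__main__":
    # Date of the thread, fixed so the run is reproducible.
    now = datetime(2019, 11, 22, 14, 0, tzinfo=timezone.utc)
    for req_id, days_left, reasons in renewal_findings(parse_getcert_list(SAMPLE), now):
        print(f"{req_id}: {days_left} days left; " + "; ".join(reasons))
```

Run on each CA server (renewal master and replicas) against the real `getcert list` output; any request it reports is a candidate for `getcert resubmit -i <id>` as described above.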
Everything works again, thank you for all the help.
On 22.11.19 16:08, Rob Crittenden via FreeIPA-users wrote:
> Christof Schulze via FreeIPA-users wrote:
> > The journal shows this on idm1, the CA renewal master (the same on the replicas, only at a different time):
> > Nov 3 07:37:47 idm1 certmonger: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111138.
> > Nov 3 07:37:47 idm1 certmonger: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111102.
> > Nov 3 07:37:47 idm1 certmonger: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20191130111226.
> > Nov 3 07:37:47 idm1 certmonger: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20191130111054.
> > Restarting certmonger did not help.
> Ok, it examined the cert and didn't see it within one of its thresholds I guess.
> > Resubmitting the certificates on idm1 (renewal master) did renew the certificates there.
> > But they are not renewed on the replica masters (certmonger restarted, nothing in the journal). Is there a way to get more output from certmonger?
> Create /etc/sysconfig/certmonger with the contents: OPTS=-d3
> then restart certmonger.
> > Is it ok to resubmit them on the replicas too?
> Yes.
> rob