Hi,

let's get an accurate status first:
- how many IPA servers do you have with a CA role?
  ipa server-role-find --role "CA server"
- among those, which one is the renewal master?
  ipa config-show | grep renewal
- can you provide the full output of "getcert list" executed on the IPA renewal master
- is the new root CA present in /etc/ipa/ca.crt (this file should contain IPA CA cert + the new and old root ca)
- is the new root CA present in /etc/ipa/nssdb, /etc/httpd/alias, /etc/dirsrv/slapd-xx, /etc/pki/pki-tomcat/alias ?
  Use certutil -L -d <path/to/nssdb> to check the list of certs
- is the new IPA CA present in the same nss databases?

flo

On Fri, Mar 11, 2022 at 4:05 PM Eric Boisvert via FreeIPA-users <[email protected]> wrote:

> Good morning everyone,
>
> Unfortunately before being able to renew my clients CA I need to fix an
> issue that prevents FreeIPA from starting. With the help of a coworker we
> found that pki-tomcatd failed to start.
>
> We then found this documentation about the problem:
> https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
> . If I'm not wrong it was written by Florence.
>
> When I'm trying to read the /var/log/pki/pki-tomcat/ca/debug file it's
> empty. From there I'm a bit lost and don't know where I can find useful logs
> to help me.
>
> Should I start a new thread with this problem?
>
> Also is it possible to do remote debugging, Google Meet, Zoom, etc. with
> someone to further help us with our problem?
>
> Thanks again for your help and time.
>
> Eric
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
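
The NSS database check from the list above, as an added example that is not part of the original message: it parses `certutil -L` output and reports whether a CA nickname is present and also carries CA trust (`C` in the SSL trust field). The function names, the sample listing and its nicknames are constructed for illustration.

```shell
#!/bin/sh
# Added example: check that a CA nickname is present AND trusted as a CA in
# `certutil -L` output. Function names and sample nicknames are hypothetical.

# Constructed sample of `certutil -L -d <path/to/nssdb>` output.
sample_listing() {
cat <<'EOF'

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

IPA.EXAMPLE IPA CA                                           CT,C,C
Old Root CA                                                  C,,
New Root CA                                                  ,,
Server-Cert                                                  u,u,u
EOF
}

# Reads a listing on stdin. Exit 0: nickname present with "C" in the SSL trust
# field; 1: present but not trusted as a CA; 2: nickname absent.
nss_ca_trusted() {
    awk -v want="$1" '
        $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
            nick = $0
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", nick)   # drop the trust column
            if (nick == want) {
                found = 1
                split($NF, flags, ",")
                if (flags[1] ~ /C/) trusted = 1
            }
        }
        END { if (!found) exit 2; exit (trusted ? 0 : 1) }
    '
}

# Usage: audit_nssdbs "<nickname>" <nssdb-dir>...
audit_nssdbs() {
    nick=$1; shift; failed=0
    for db in "$@"; do
        certutil -L -d "$db" 2>/dev/null | nss_ca_trusted "$nick"
        case $? in
            0) echo "ok         $db" ;;
            1) echo "untrusted  $db"; failed=1 ;;
            *) echo "missing    $db"; failed=1 ;;
        esac
    done
    return "$failed"
}

# Runs only when arguments are given, e.g.: sh script.sh "New Root CA" /etc/ipa/nssdb
if [ "$#" -ge 2 ]; then audit_nssdbs "$@"; fi
```

A nickname that is listed with empty trust flags is reported separately from one that is absent, since both leave the chain unverifiable but are fixed differently.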
