> - how many IPA servers do you have with a CA role? ipa server-role-find
> --role "CA server"
We only have one IPA server executing the above command return:
ipa: ERROR: cannot connect to 'https://freeipa.qc.lrtech.ca/ipa/json':
Could not connect to freeipa.qc.lrtech.ca using any address:
(PR_ADDRESS_NOT_SUPPORTED_ERROR) Network address type not supported.
> - among those, which one is the renewal master? ipa config-show | grep
Since we have only 1 server it should be freeipa.qc.lrtech.ca but the command
return the same error as above.
> - can you provide the full output of "getcert list" executed on the IPA
> renewal master
# getcert list
Number of certificates and requests being tracked: 8.
Request ID '20170113205242':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=CA Audit,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205243':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205244':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=CA Subsystem,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205245':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: [email protected],CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR
Tech inc.,L=Levis,ST=Quebec,C=CA
subject: CN=Certificate Authority,O=QC.LRTECH.CA
expires: 2027-03-04 14:26:48 UTC
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205246':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=IPA RA,O=QC.LRTECH.CA
expires: 2022-03-03 20:49:21 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20170113205247':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
expires: 2024-02-21 21:06:54 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20170113205302':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-QC-LRTECH-CA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
expires: 2024-03-02 05:02:09 UTC
principal name: ldap/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv
QC-LRTECH-CA
track: yes
auto-renew: yes
Request ID '20220304195651':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=QC.LRTECH.CA
subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
expires: 2024-03-02 05:01:51 UTC
dns: freeipa.qc.lrtech.ca
principal name: HTTP/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
> - is the new root CA present in /etc/ipa/ca.crt (this file should contain IPA
> CA cert + the new and old root ca)
Yes, both certificate are present
> - is the new root CA present in /etc/ipa/nssdb, /etc/httpd/alias,
> /etc/dirsrv/slapd-xx, /etc/pki/pki-tomcat/alias ?
Yes, for the 4 path above
> - is the new IPA CA present in the same nss databases?
The IPA CA cert might not be in slapd-xx see below for the content:
# certutil -L -d /etc/ipa/nssdb
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
[email protected],CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=QC,C=CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
[email protected],CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=Quebec,C=CA ,,
# certutil -L -d /etc/httpd/alias
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
ipaCert u,u,u
[email protected],CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=QC,C=CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
Server-Cert u,u,u
Signing-Cert u,u,u
QC.LRTECH.CA IPA CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
[email protected],CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=Quebec,C=CA ,,
# certutil -L -d /etc/dirsrv/slapd-QC-LRTECH-CA/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
[email protected],CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=QC,C=CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
QC.LRTECH.CA IPA CA CT,C,C
[email protected],CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=Quebec,C=CA ,,
Server-Cert u,u,u
# certutil -L -d /etc/pki/pki-tomcat/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca u,u,u
[email protected],CN=LR Tech inc. ROOT CA,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=QC,C=CA CT,C,C
Server-Cert cert-pki-ca u,u,u
ocspSigningCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
caSigningCert cert-pki-ca CTu,Cu,Cu
[email protected],CN=LR Tech inc. Root CA 2022,OU=Intranet,O=LR Tech
inc.,L=Levis,ST=Quebec,C=CA C,,
Eric
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
