Ok, I fixed the certs following the other ticket but using the pin file pointed to in the link you sent me. Result:

ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt

But it seems that ipa-server-upgrade breaks them again:

named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information

Request ID '20221201164512':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164513':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164514':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221201164515':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes

> On 1 Dec 2022, at 12:47, Juan Pablo Lorier <[email protected]> wrote:
>
> Thanks Jochen,
>
> I tried following the post but the getcert command is complaining about the
> syntax and I can't find why. According to the man page, the parameters are right.
>
> I also tried to remove the certs and run ipa-server-upgrade but it generates
> new certs and fails at the same point (new certs are also pending pin
> information).
> It looks like I will need a way to unstick those certs for the upgrade to
> continue.
> All suggestions are welcome :-)
> Regards
>
>> On 1 Dec 2022, at 01:30, Jochen Kellner <[email protected]> wrote:
>>
>>
>> Hello Juan,
>>
>> Juan Pablo Lorier via FreeIPA-users
>> <[email protected]> writes:
>>
>>> You are right, there are several certificates stuck in dc2:
>>>
>>> getcert list
>> ...
>>> Request ID '20221130160320':
>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>
>> My google-fu points to this comment in an issue:
>> https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-659962943
>> That has the commands to fix the issue.
>>
>> Another possibility should be to stop-tracking the certificates and run
>> ipa-server-upgrade which should restore the trackings. Right?
>>
>> Jochen
>>
>> --
>> This space is intentionally left blank.
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
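Added example, not code from the thread, from FreeIPA or from certmonger: a POSIX shell script that does mechanically what the thread does by hand for one request at a time. It reads `getcert list` output, picks out every request whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN, and prints the `ipa-getcert start-tracking -i ID -p PINFILE` command that attaches the NSS database pin file to that request, as in Juan's message above and the linked healthcheck comment. It only does so for requests whose key storage is the database the pin file belongs to (/etc/pki/pki-tomcat/alias for pwdfile.txt); a stuck request in any other NSS database is reported and skipped, because handing a request the wrong pin would just leave it stuck with a different error. The `getcert list` sample embedded in the script is constructed: the two pki-tomcat request IDs are taken from the thread, the /etc/dirsrv request ID and location are invented to exercise the skip path. The `check_pinfile` permission check and the `--demo`/`--live` switches are this example's own conventions, not FreeIPA's.

```shell
#!/bin/sh
# Turn `getcert list` output into the start-tracking commands that attach a
# pin file to certmonger requests stuck in NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
# Example script; PINFILE is the path used in the mailing-list thread.
PINFILE="${PINFILE:-/etc/pki/pki-tomcat/alias/pwdfile.txt}"
PKIDB="/etc/pki/pki-tomcat/alias"

# Constructed sample of `getcert list` output. Real output indents with tabs;
# the parser accepts tabs or spaces. IDs ...512 and ...513 come from the
# thread; the /etc/dirsrv request is invented to show a stuck request in a
# database that PINFILE does not unlock.
sample_list() {
cat <<'EOF'
Request ID '20221201164512':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
Request ID '20221201164513':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
Request ID '20221201170000':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
EOF
}

# Read `getcert list` output on stdin; print "ID<TAB>location<TAB>nickname"
# for every request whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
# The status line precedes the key pair storage line in getcert output, so
# the status is known by the time the storage line is seen.
stuck_requests() {
    awk -v q="'" '
        /^Request ID / {
            id = $3; gsub("[" q ":]", "", id)   # strip quotes and trailing colon
            status = ""; loc = ""; nick = ""
        }
        /^[ \t]*status: / { status = $2 }
        /^[ \t]*key pair storage: / {
            if (match($0, "location=" q "[^" q "]*" q))
                loc = substr($0, RSTART + 10, RLENGTH - 11)
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
            if (status == "NEWLY_ADDED_NEED_KEYINFO_READ_PIN")
                printf "%s\t%s\t%s\n", id, loc, nick
        }
    '
}

# Emit one start-tracking command per stuck request stored in DBDIR, the
# database PINFILE unlocks. Stuck requests elsewhere go to stderr and are not
# given this pin file.
tracking_commands() {
    dbdir=$1
    pinfile=$2
    tab=$(printf '\t')
    stuck_requests | while IFS="$tab" read -r id loc nick; do
        if [ "$loc" = "$dbdir" ]; then
            printf 'ipa-getcert start-tracking -i %s -p %s\n' "$id" "$pinfile"
        else
            printf 'skipping %s (%s): stored in %s, which %s does not unlock\n' \
                "$id" "$nick" "$loc" "$pinfile" >&2
        fi
    done
}

# The pin file holds the password protecting the CA private keys: refuse to
# proceed if it is missing or if "other" has any access to it.
check_pinfile() {
    f=$1
    if [ ! -f "$f" ]; then
        echo "pin file $f does not exist" >&2
        return 1
    fi
    mode=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f")
    case "$mode" in
        *0) return 0 ;;
        *)  echo "pin file $f is mode $mode; it must not be accessible to others" >&2
            return 1 ;;
    esac
}

case "${1:-}" in
    --demo) sample_list | tracking_commands "$PKIDB" "$PINFILE" ;;
    --live) check_pinfile "$PINFILE" && getcert list | tracking_commands "$PKIDB" "$PINFILE" ;;
esac
```

Run it with `--demo` to see the commands it would generate for the sample, or `--live` on the affected replica to generate them from the real `getcert list`; review the lines before running them as root. Note that attaching the pin is only the first step: the upgrade output above fails with a NetworkError against https://dc2.tnu.com.uy:8443, i.e. the CA was not answering when ipa-server-upgrade tried to log in to its REST API, so once the requests leave NEWLY_ADDED_NEED_KEYINFO_READ_PIN it is worth confirming that pki-tomcatd@pki-tomcat.service starts cleanly before re-running ipa-server-upgrade.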
