Juan Pablo Lorier wrote:
> Ok, I fixed the certs following another ticket but using the pin file
> pointed to in the link you sent me.
> Result:
>
> ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt

I don't know what request 20221201163932 is but you need to add the pin
file to all of the CA-related trackers.

rob

> But it seems that ipa-server-upgrade breaks them again:
>
> named user config '/etc/named/ipa-ext.conf' already exists
> named user config '/etc/named/ipa-options-ext.conf' already exists
> named user config '/etc/named/ipa-logging-ext.conf' already exists
> [Upgrading CA schema]
> CA schema update complete
> [Update certmonger certificate renewal configuration]
> Missing or incorrect tracking request for certificates:
>         /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>         /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>         /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>         /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
> Certmonger certificate renewal configuration updated
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> [Disabling cert publishing]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> Migrating profile 'acmeServerCert'
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> NetworkError: cannot connect to
> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
>
>
> Request ID '20221201164512':
>         status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer:
>         subject:
>         issued: unknown
>         expires: unknown
>         profile: caSignedLogCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221201164513':
>         status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer:
>         subject:
>         issued: unknown
>         expires: unknown
>         profile: caOCSPCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221201164514':
>         status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer:
>         subject:
>         issued: unknown
>         expires: unknown
>         profile: caSubsystemCert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20221201164515':
>         status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>         stuck: yes
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer:
>         subject:
>         issued: unknown
>         expires: unknown
>         profile: caCACert
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
>
>> On 1 Dec 2022, at 12:47, Juan Pablo Lorier <[email protected]> wrote:
>>
>> Thanks Jochen,
>>
>> I tried following the post but the getcert command is complaining
>> about the syntax and I can't find why. According to the man page, the
>> parameters are right.
>>
>> I also tried to remove the certs and run ipa-server-upgrade but it
>> generates new certs and fails at the same point (new certs are also
>> pending pin information).
>> It looks like I will need a way to unstick those certs for the upgrade
>> to continue.
>> All suggestions are welcome :-)
>> Regards
>>
>>> On 1 Dec 2022, at 01:30, Jochen Kellner <[email protected]> wrote:
>>>
>>>
>>> Hello Juan,
>>>
>>> Juan Pablo Lorier via FreeIPA-users <[email protected]> writes:
>>>
>>>> You are right, there are several certificates stuck in dc2:
>>>>
>>>> getcert list
>>> ...
>>>> Request ID '20221130160320':
>>>>         status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>
>>> My google-fu points to this comment in an issue:
>>> https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-659962943
>>> That has the commands to fix the issue.
>>>
>>> Another possibility should be to stop-tracking the certificates and run
>>> ipa-server-upgrade, which should restore the trackings. Right?
>>>
>>> Jochen
>>>
>>> --
>>> This space is intentionally left blank.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
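Rob's point in the reply above is that the fix has to reach every CA tracker in /etc/pki/pki-tomcat/alias, not one hand-copied request ID (the ID in Juan's command, 20221201163932, is not one of the four listed as stuck). The script below is an added example, not FreeIPA or certmonger code: it parses `getcert list` output in the layout shown in the thread, selects the requests whose key pair lives in the Dogtag NSS database and whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN, and emits the `getcert start-tracking -i ID -p /etc/pki/pki-tomcat/alias/pwdfile.txt` command for each one. The sample `getcert list` text, the function names and the dirsrv record are constructed for the example; `getcert start-tracking -i` and `-p` are the same options used in the thread.

```shell
#!/bin/sh
# Added example (not FreeIPA/certmonger code): find certmonger requests for the
# Dogtag NSS database that are stuck waiting for a PIN, and re-issue
# start-tracking for each one with the NSS database pin file.
# The sample `getcert list` text below is constructed for this example.

NSSDB='/etc/pki/pki-tomcat/alias'
PINFILE="$NSSDB/pwdfile.txt"

# Constructed sample in the layout `getcert list` prints (only the fields this
# script reads are kept). Two CA trackers are stuck; the dirsrv one is healthy.
SAMPLE_GETCERT_LIST="Request ID '20221201164512':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
Request ID '20221201164513':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
Request ID '20221130160320':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA"

# stuck_ca_requests LISTTEXT
# Prints "<request id><TAB><nickname>" for every request whose key pair lives
# in $NSSDB and whose status is NEWLY_ADDED_NEED_KEYINFO_READ_PIN.
# Selecting by NSS DB location rather than by a copied request ID is what
# keeps a run from missing one of the CA trackers.
stuck_ca_requests() {
    printf '%s\n' "$1" | awk -v db="$NSSDB" -v q="'" '
        function flush() {
            if (id != "" && stuck && nick != "") printf "%s\t%s\n", id, nick
        }
        /^Request ID / {
            flush()
            id = $0; sub("^Request ID " q, "", id); sub(q ":.*$", "", id)
            stuck = 0; nick = ""
        }
        /status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN/ { stuck = 1 }
        /key pair storage:/ && index($0, "location=" q db q) {
            nick = $0; sub(".*nickname=" q, "", nick); sub(q ".*$", "", nick)
        }
        END { flush() }'
}

# pin_fix_commands LISTTEXT
# Prints one `getcert start-tracking -i ID -p PINFILE` line per stuck request.
pin_fix_commands() {
    tab=$(printf '\t')
    stuck_ca_requests "$1" | while IFS="$tab" read -r id nick; do
        printf 'getcert start-tracking -i %s -p %s   # %s\n' "$id" "$PINFILE" "$nick"
    done
}

# apply_pin_fix LISTTEXT
# Same loop, but runs the command. Only call this as root on the IPA server;
# certmonger reads the pin file, so it must exist and be readable by root.
apply_pin_fix() {
    tab=$(printf '\t')
    stuck_ca_requests "$1" | while IFS="$tab" read -r id nick; do
        getcert start-tracking -i "$id" -p "$PINFILE"
    done
}

# Stand-alone run: show the commands for the constructed sample.
# On a real server use:  pin_fix_commands "$(getcert list)"
pin_fix_commands "$SAMPLE_GETCERT_LIST"
```

Run it once in print mode against `getcert list` to review the list, then call `apply_pin_fix "$(getcert list)"`; afterwards `getcert list -i ID` for each ID should no longer show NEWLY_ADDED_NEED_KEYINFO_READ_PIN. Since the thread shows ipa-server-upgrade recreating the trackers without the pin, check the trackers again after any upgrade run before trusting renewal.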
