Hi! Here is the output of ipa-cert-fix on the original instance:
```
The following certificates will be renewed:
Dogtag sslserver certificate:
  Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
  Serial:  3
  Expires: 2024-03-19 20:36:25
Dogtag subsystem certificate:
  Subject: CN=CA Subsystem,O=DOMAIN.COM
  Serial:  4
  Expires: 2024-03-19 20:36:27
Dogtag ca_ocsp_signing certificate:
  Subject: CN=OCSP Subsystem,O=DOMAIN.COM
  Serial:  2
  Expires: 2024-03-19 20:36:24
Dogtag ca_audit_signing certificate:
  Subject: CN=CA Audit,O=DOMAIN.COM
  Serial:  5
  Expires: 2024-03-19 20:36:30
IPA IPA RA certificate:
  Subject: CN=IPA RA,O=DOMAIN.COM
  Serial:  7
  Expires: 2024-03-19 20:38:19
IPA KDC certificate:
  Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
  Serial:  10
  Expires: 2024-03-30 20:40:27
Enter "yes" to proceed: yes
Proceeding.
CalledProcessError(Command ['pki-server', 'cert-fix', '--ldapi-socket', '/run/slapd-DOMAIN-COM.socket', '--agent-uid', 'ipara', '--cert', 'sslserver', '--cert', 'subsystem', '--cert', 'ca_ocsp_signing', '--cert', 'ca_audit_signing', '--extra-cert', '7', '--extra-cert', '10'] returned non-zero exit status 1: "INFO: Loading instance: pki-tomcat\nINFO: Loading global Tomcat config: /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config: /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config: /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config: /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Loading subsystem registry: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Loading instance registry: /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following system certs: ['sslserver', 'subsystem', 'ca_ocsp_signing', 'ca_audit_signing']\nINFO: Renewing the following additional certs: ['7', '10']\nINFO: Stopping the instance to proceed with system cert renewal\nINFO: Configuring LDAP connection for CA\nINFO: Setting pkidbuser password via ldappasswd\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Selftests disabled for subsystems: ca\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: Resetting password for uid=ipara,ou=people,o=ipaca\nSASL/EXTERNAL authentication started\nSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO: Creating a temporary sslserver cert\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nINFO: Trying to create a new temp cert for sslserver.\nINFO: Generate temp SSL certificate\nINFO: Getting sslserver cert info from CS.cfg\nINFO: Getting sslserver cert info from NSS database\nINFO: CSR for sslserver has been written to /tmp/tmpydx011j8/sslserver.csr\nINFO: Getting signing cert info from CS.cfg\nINFO: Getting signing cert info from NSS database\nINFO: CA cert written to /tmp/tmpydx011j8/ca_certificate.crt\nINFO: AKI: 0x7A0D23C6A1283EB899A0E5A4EFA3F92042F7F6D0\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nINFO: Selftests enabled for subsystems: ca\nINFO: Restoring LDAP connection for CA\nINFO: Storing subsystem config: /var/lib/pki/pki-tomcat/ca/conf/CS.cfg\nINFO: Storing registry config: /var/lib/pki/pki-tomcat/ca/conf/registry.cfg\nERROR: Failed to generate CA-signed temp SSL certificate. RC: 255\n")
The ipa-cert-fix command failed.
```

> If you have a backup of the previous http/ldap certs you can put them back
> in place.

Unfortunately, I don't have these anymore.

However, I tried the approach I described above on a copy of the data in another container, managed to install temporary certs/CA for the ldap/httpd servers; pki-tomcat seems to be able to establish the connection to the LDAP but crashes at the following error:

`Certificate not found: caSigningCert cert-pki-ca`

Not sure what else needs to be fixed. On this copy, with the hacked temporary certs, if I run `ipa-cert-fix` I get the same error as on the original instance. If I run the `pki-server cert-fix` command that crashes, but removing `--cert sslserver`, it goes a bit further but is still blocked by `pki-tomcat` not being able to start.

Thanks for all the help.
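An added helper, not part of this mail or of ipa-cert-fix itself, that parses the preview block quoted above, reports which of the listed certificates have already expired at a given time, and rebuilds the `pki-server cert-fix` selection seen in the traceback (Dogtag system certs by name with `--cert`, IPA certs by serial with `--extra-cert`). The sample block is constructed from two of the entries in the mail; treating the timestamps as naive UTC and the name/serial argument mapping are assumptions taken from the listing, not from ipa-cert-fix's own code.

```python
import re
from datetime import datetime

# Constructed sample in the format ipa-cert-fix prints its preview block
# (two of the entries quoted in the mail, same serials and dates).
SAMPLE = """\
The following certificates will be renewed:
Dogtag sslserver certificate:
  Subject: CN=ipa.DOMAIN.COM,O=DOMAIN.COM
  Serial:  3
  Expires: 2024-03-19 20:36:25
IPA IPA RA certificate:
  Subject: CN=IPA RA,O=DOMAIN.COM
  Serial:  7
  Expires: 2024-03-19 20:38:19
"""

# One entry: "<Dogtag|IPA> <name> certificate:" followed by Subject/Serial/Expires.
ENTRY_RE = re.compile(
    r"(?P<kind>Dogtag|IPA) (?P<name>.+?) certificate:\s*"
    r"Subject:\s*(?P<subject>.+?)\s*"
    r"Serial:\s*(?P<serial>\d+)\s*"
    r"Expires:\s*(?P<expires>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})",
    re.DOTALL,
)

def parse_preview(text):
    """Return one dict per certificate entry in the preview block."""
    return [{"kind": m["kind"], "name": m["name"], "subject": m["subject"],
             "serial": int(m["serial"]),
             "expires": datetime.strptime(m["expires"], "%Y-%m-%d %H:%M:%S")}
            for m in ENTRY_RE.finditer(text)]

def expired_at(certs, now):
    """Entries whose notAfter is at or before `now` (naive UTC assumed)."""
    return [c for c in certs if c["expires"] <= now]

def cert_fix_args(certs):
    """Rebuild the pki-server cert-fix selection seen in the mail's traceback:
    Dogtag system certs by name (--cert), IPA certs by serial (--extra-cert).
    This mapping is inferred from the quoted command, not taken from ipa-cert-fix."""
    args = []
    for c in certs:
        if c["kind"] == "Dogtag":
            args += ["--cert", c["name"]]
        else:
            args += ["--extra-cert", str(c["serial"])]
    return args
```

Running `expired_at(parse_preview(SAMPLE), datetime.now())` against a real preview block shows which entries are already past notAfter before the renewal is attempted.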
