I turned back in time, and fixed the certs with the resubmit command after the "-c" option, and now the last 2 seem fine. But the other 6 can't find the CA. What if I change their CA to "CA: IPA"?

Screenshot of the "https://ipa.dom.loc:8443/ca/agent/ca/profileReview" page: https://i.ibb.co/bXsvYBD/image.png

-----------------------------------------------------

Number of certificates and requests being tracked: 8.
Request ID '20221130052539':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=CA Audit,O=DOM.LOC
    expires: 2024-11-19 05:25:15 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130052540':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=OCSP Subsystem,O=DOM.LOC
    expires: 2024-11-19 05:25:14 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130052541':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=CA Subsystem,O=DOM.LOC
    expires: 2024-11-19 05:25:14 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130052542':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=Certificate Authority,O=DOM.LOC
    expires: 2042-11-30 05:25:14 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130052543':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=IPA RA,O=DOM.LOC
    expires: 2024-11-19 05:25:36 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20221130052544':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=ipa.dom.loc,O=DOM.LOC
    expires: 2024-11-19 05:25:14 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221130052605':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=ipa.dom.loc,O=DOM.LOC
    expires: 2026-10-18 20:36:25 UTC
    principal name: ldap/[email protected]
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
    track: yes
    auto-renew: yes
Request ID '20221130052625':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=DOM.LOC
    subject: CN=ipa.dom.loc,O=DOM.LOC
    expires: 2026-10-18 20:36:33 UTC
    principal name: HTTP/[email protected]
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
[Freeipa-users] Re: can't enroll ubuntu 24
Dmitry Krasov via FreeIPA-users Thu, 19 Dec 2024 00:09:43 -0800
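Added example, not part of the original post and not certmonger code: a small parser for output in the layout shown in the message, which groups every request that is not in MONITORING by the CA helper that handles it and pulls out the numeric error from `ca-error`. The sample text, request IDs and host name are constructed; the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the tracking list above (not the poster's data).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20240101000001':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2024-11-19 05:25:15 UTC
Request ID '20240101000002':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2024-11-19 05:25:36 UTC
Request ID '20240101000003':
    status: MONITORING
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2026-10-18 20:36:25 UTC
"""

def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the printed field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values (URLs, timestamps) contain colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def failing_by_ca(requests):
    """Map CA helper -> [(request id, error number or None)] for non-MONITORING requests."""
    groups = defaultdict(list)
    for r in requests:
        if r.get("status") != "MONITORING":
            m = re.match(r"Error (\d+)", r.get("ca-error", ""))
            # 77 is libcurl's CURLE_SSL_CACERT_BADFILE (CA bundle unreadable or missing).
            groups[r.get("CA", "?")].append((r["id"], int(m.group(1)) if m else None))
    return dict(groups)
```
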
