Schrier, William (Contractor) via FreeIPA-users wrote:
> > You are probably hitting https://pagure.io/freeipa/issue/8600 ipa-cert-fix unable to fix
> > certs no named 'Server-cert'
> > Unfortunately it was not fixed in RHEL 7.9.
> >
> > But you can work around it. ipa-cert-fix is essentially a wrapper calling
> > "pki-server cert-fix" and doing a few additional steps for http and ldap
> > server certs. Since your http and ldap server certs are not issued by
> > PKI, and are still valid, you can directly use pki-server cert-fix (you
> > need to have the directory server running):
> >
> > pki-server cert-fix --ldapi-socket /run/slapd-YOUR-REALM.socket --agent-uid ipara
> > ipactl restart
> >
> > I strongly advise you to backup the NSS database /etc/pki/pki-tomcat/alias first.
> >
> > flo
>
> The “pki-server cert-fix” command ran successfully (at least as far as I can tell)…
>
> pki-tomcat now starts with an ipactl restart. However, when I did the “getcert list” it was still showing all of the same things as before… mostly expired certs with just the one new one.
>
> I decided to try restarting certmonger… and I think that is getting us a little closer… Now only two of the certs are showing the old date:
>
> # getcert list | egrep "Request ID|status:|CA:|expires:|certificate:"
> Request ID '20210201172746':
>         status: CA_UNREACHABLE
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2025-05-31 15:41:32 UTC
> Request ID '20210201172819':
>         status: CA_UNREACHABLE
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2027-06-09 13:26:26 UTC
> Request ID '20210201172820':
>         status: CA_UNREACHABLE
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2027-06-09 13:26:26 UTC
> Request ID '20210201172821':
>         status: CA_UNREACHABLE
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2027-06-09 13:26:26 UTC
> Request ID '20210201172822':
>         status: MONITORING
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2027-06-09 13:26:26 UTC
> Request ID '20210201172823':
>         status: CA_UNREACHABLE
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         expires: 2027-06-09 13:26:26 UTC
> Request ID '20210201172924':
>         status: CA_UNREACHABLE
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: IPA
>         expires: 2025-05-31 15:41:32 UTC
>
> And I also noticed that certmonger is complaining about some stuff as well…
>
> # systemctl status certmonger -l
> ● certmonger.service - Certificate monitoring and PKI enrollment
>    Loaded: loaded (/usr/lib/systemd/system/certmonger.service; enabled; vendor preset: disabled)
>    Active: active (running) since Mon 2025-06-23 10:09:48 EDT; 4min 58s ago
>  Main PID: 28710 (certmonger)
>    Memory: 1.8M
>    CGroup: /system.slice/certmonger.service
>            └─28710 /usr/sbin/certmonger -S -p /var/run/certmonger.pid -n
>
> Jun 23 10:10:38 [HOSTNAME] certmonger[28710]: 2025-06-23 10:10:38 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
> Jun 23 10:10:47 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28806]: Forwarding request to dogtag-ipa-renew-agent
> Jun 23 10:10:48 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28806]: dogtag-ipa-renew-agent returned 3
> Jun 23 10:10:48 [HOSTNAME] certmonger[28710]: 2025-06-23 10:10:48 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
> Jun 23 10:10:58 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28807]: Forwarding request to dogtag-ipa-renew-agent
> Jun 23 10:10:58 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28807]: dogtag-ipa-renew-agent returned 3
> Jun 23 10:10:58 [HOSTNAME] certmonger[28710]: 2025-06-23 10:10:58 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
> Jun 23 10:11:08 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28803]: Forwarding request to dogtag-ipa-renew-agent
> Jun 23 10:11:08 [HOSTNAME] dogtag-ipa-ca-renew-agent-submit[28803]: dogtag-ipa-renew-agent returned 3
> Jun 23 10:11:08 [HOSTNAME] certmonger[28710]: 2025-06-23 10:11:08 [28710] Error 58 connecting to https://[HOSTNAME]:8443/ca/agent/ca/profileReview: Problem with the local SSL certificate.
>
> I tried a couple rounds of restarting both FreeIPA and certmonger to see if they were in a kind of stuck pattern with each other, but no luck. I even reran the suggested “pki-server cert-fix” a second time, but it seems it made no difference.
>
> And despite pki-tomcat starting, we are still seeing the original problem when we try to log in to the FreeIPA webUI – it gives the “Login failed due to an unknown reason.” error and will not log in.
The ra-agent certificate is used to authenticate to the CA in order to issue certificates. If it is expired it will fail. So it can't renew itself or the PKINIT certificate.

Perhaps try ipa-cert-fix again.

rob

--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
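As an added example that is not part of this thread and not FreeIPA or certmonger code, a small Python script that parses `getcert list` output (a constructed sample trimmed from the output quoted above) and applies rob's point: once the RA agent certificate at /var/lib/ipa/ra-agent.pem has expired, every tracked request that is not in MONITORING is reported as blocked on that one certificate rather than as an independent failure. The "now" of 2025-06-23 is taken from the systemctl timestamp in the thread.

```python
# Added example, not FreeIPA or certmonger code. GETCERT_OUTPUT is a constructed
# sample trimmed from the `getcert list` output quoted in the thread.
from datetime import datetime, timezone
def _ts(s):  # getcert prints timestamps like '2025-05-31 15:41:32 UTC'
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
GETCERT_OUTPUT = """\
Request ID '20210201172746':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-05-31 15:41:32 UTC
Request ID '20210201172822':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2027-06-09 13:26:26 UTC
Request ID '20210201172924':
        status: CA_UNREACHABLE
        certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
        CA: IPA
        expires: 2025-05-31 15:41:32 UTC
"""
def parse_getcert(text):
    """Split `getcert list` output into one dict per tracking request."""
    certs, cur = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            cur = {"id": line.split("'")[1]}
            certs.append(cur)
        elif cur is not None:
            key, _, val = line.strip().partition(": ")
            cur[key] = _ts(val) if key == "expires" else val
    return certs
def diagnose(certs, now_str):
    """Map request id -> (already expired?, note). The renew helpers authenticate to the
    CA with the RA agent cert; once it has expired, non-MONITORING requests all stall."""
    now = _ts(now_str)
    ra = next((c for c in certs if "/var/lib/ipa/ra-agent.pem" in c.get("certificate", "")), None)
    ra_dead = ra is not None and ra["expires"] < now
    report = {}
    for c in certs:
        if c["status"] == "MONITORING":
            note = "ok"
        elif ra_dead:
            note = "blocked: RA agent cert expired " + ra["expires"].date().isoformat()
        else:
            note = "renewal failing: " + c["status"]
        report[c["id"]] = (c["expires"] < now, note)
    return report
```

Call `diagnose(parse_getcert(GETCERT_OUTPUT), "2025-06-23 10:09:48 UTC")` to see the sample classified; feed it real `getcert list` output and the current time to check a live server.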
