giri f via FreeIPA-users wrote:
Number of certificates and requests being tracked: 9.
Request ID '20200416082225':
    status: CA_UNREACHABLE
    ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=ipa360.ORG
    subject: CN=IPA RA,O=ipa360.ORG
    expires: 2024-02-25 18:27:39 UTC
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20200416082243':
    status: CA_UNREACHABLE
    ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=ipa360.ORG
    subject: CN=CA Audit,O=ipa360.ORG
    expires: 2024-02-25 18:27:49 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20200416082244':
    status: CA_UNREACHABLE
    ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=ipa360.ORG
    subject: CN=OCSP Subsystem,O=ipa360.ORG
    expires: 2024-02-25 18:27:19 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20200416082245':
So you'll need to go back in time to February of this year. Restart IPA (be sure ntpd isn't restarted) and ensure things are basically functioning.

Then restart certmonger and it should renew the certificates, assuming this server is the renewal master (ipa config-show will tell you).

Once the certificates are successfully renewed, move forward in time, restart IPA and things should continue to work.

rob
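
An added example, not part of the thread: a small parser for `getcert list` output that lists the requests certmonger has not returned to `MONITORING` and reports the earliest `expires` value among tracked certificates, which is the date a rolled-back clock would need to precede for all of them to still be valid. The sample text, host name and request IDs are constructed, and the helper names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints (not the poster's output).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20200101000001':
    status: CA_UNREACHABLE
    ca-error: Error 35 connecting to https://ca.example.test:8443/ca/agent/ca/profileReview: SSL connect error.
    stuck: no
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2024-02-25 18:27:39 UTC
Request ID '20200101000002':
    status: MONITORING
    stuck: no
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2024-02-25 18:27:19 UTC
"""

def parse_getcert(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line.strip())
        if m:
            requests.append({"id": m.group(1)})
        elif requests and ":" in line:
            # Split on the first colon only: values such as URLs contain more.
            key, _, value = line.strip().partition(":")
            requests[-1].setdefault(key.strip(), value.strip())
    return requests

def parse_expiry(req):
    """Convert the 'expires' field to an aware UTC datetime."""
    stamp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
    return stamp.replace(tzinfo=timezone.utc)

def renewal_report(text):
    """IDs of requests not in MONITORING, and the earliest expiry seen (or None)."""
    reqs = parse_getcert(text)
    failing = [r["id"] for r in reqs if r.get("status") != "MONITORING"]
    earliest = min((parse_expiry(r) for r in reqs if "expires" in r), default=None)
    return failing, earliest

if __name__ == "__main__":
    failing, earliest = renewal_report(SAMPLE)
    print("requests not in MONITORING:", failing)
    print("earliest expiry:", earliest.isoformat() if earliest else "none")
```

Running it again after certmonger has been restarted shows whether any request is still outside `MONITORING`.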