On 01-10-2020 22:05, Kees Bakker via FreeIPA-users wrote:
On 01-10-2020 20:33, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Can I safely do the following?
>>
>> ipa-getcert resubmit -i 20181127141739
>> ipa-getcert resubmit -i 20181127141749
>> ipa-getcert resubmit -i 20181127141750
>> ipa-getcert resubmit -i 20181127141751
> No. Only the renewal master should attempt renewing the certificates.
That conflicts with a remark from Florence in a thread with the subject
"Replica not renewing IPA certificates" in January this year on this mailing
list.
"Since you are hitting the issue 8164, you can manually force the renewal
on the replica (once the CA renewal master has actually renewed the
cert) with getcert resubmit."
and the feedback from Roderick was
"Thank you very much! The getcert resubmit has successfully renewed all
the certificates in need of renewal."
I'm puzzled: which is it? Can I use "getcert resubmit" or can I not use
it?
And, if not, how is the renewal re-triggered (assuming I have manually patched
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to avoid the cookie
problem). Restarting certmonger did not help. Restarting all of IPA did not help.
-- Kees
Anyway, I decided to take a chance and just do it, not with the ipa-getcert
command but with getcert.
getcert resubmit -i 20181127141751
getcert resubmit -i 20181127141750
getcert resubmit -i 20181127141749
getcert resubmit -i 20181127141739
That worked.
okt 02 21:15:15 rotte.ghs.nl certmonger[184791]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:16:34 rotte.ghs.nl certmonger[185194]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:17:46 rotte.ghs.nl certmonger[185599]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:18:46 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[185607]: Updated certificate not available
That last line is the result of resubmitting IPA RA.
I have manually copied /var/lib/ipa/ra-agent.* from the renewal master to this machine.
I think all is well now.
--
Kees
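The procedure in the thread (resubmit the stuck cert-pki-ca tracking requests on a CA replica, but only if this host is not the CA renewal master) can be scripted so that the request IDs are not typed by hand. The script below is an added example written for this page; it is not code from the thread, from FreeIPA or from certmonger. It parses real-format output of `getcert list` and `ipa config-show`, but the request IDs, hostnames (`ipa1.example.com`, `rotte.example.com`) and the two sample outputs are constructed. Without `--run` it only demonstrates the parsing on the embedded sample; with `--run` it calls `ipa config-show` (which needs a valid Kerberos ticket), `getcert list` and `getcert resubmit -i` for real.

```shell
#!/bin/sh
# Added example, not part of the original thread. Finds certmonger requests that
# are no longer MONITORING, refuses to act on the CA renewal master, and otherwise
# resubmits each stuck request with `getcert resubmit -i <id>`.
# All request IDs, hostnames and sample outputs below are constructed.
set -eu

# Constructed sample of `getcert list` output (same field layout certmonger prints).
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20181127141739':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
Request ID '20181127141749':
    status: CA_UNREACHABLE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    CA: dogtag-ipa-ca-renew-agent
Request ID '20181127141751':
    status: CA_WORKING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    CA: dogtag-ipa-ca-renew-agent
EOF
)

# Constructed sample of `ipa config-show` output (only the lines that matter here).
SAMPLE_CONFIG_SHOW=$(cat <<'EOF'
  IPA masters: ipa1.example.com, rotte.example.com
  IPA CA servers: ipa1.example.com, rotte.example.com
  IPA CA renewal master: ipa1.example.com
EOF
)

# stdin: `getcert list` output. Prints "<request id> <status> <nickname or file>"
# for every tracking request whose status is anything other than MONITORING.
stuck_requests() {
    awk '
        function flush() {
            if (id != "" && status != "MONITORING") print id, status, what
        }
        /^Request ID/ {
            flush()
            id = $3; gsub(/[\047:]/, "", id)      # strip the quotes and trailing colon
            status = ""; what = ""
        }
        /^[[:space:]]*status:/ { status = $2 }
        /^[[:space:]]*key pair storage:/ {
            what = $0                             # prefer the NSS nickname, else the file path
            if (match(what, /nickname=\047[^\047]*\047/))
                what = substr(what, RSTART + 10, RLENGTH - 11)
            else if (match(what, /location=\047[^\047]*\047/))
                what = substr(what, RSTART + 10, RLENGTH - 11)
        }
        END { flush() }
    '
}

# stdin: `ipa config-show` output. Prints the CA renewal master FQDN.
renewal_master() {
    awk -F': *' '/IPA CA renewal master:/ { print $2 }'
}

# $1: this host's FQDN; stdin: `ipa config-show` output.
# Returns 0 only when the renewal master is known and is a different host.
safe_to_resubmit() {
    master=$(renewal_master)
    if [ -n "$master" ] && [ "$master" != "$1" ]; then
        return 0
    fi
    return 1
}

if [ "${1:-}" = "--run" ]; then
    # Real run: needs an admin ticket (kinit admin) for ipa config-show.
    if ! ipa config-show | safe_to_resubmit "$(hostname -f)"; then
        echo "refusing: this host is the CA renewal master, or it could not be determined" >&2
        exit 1
    fi
    getcert list | stuck_requests | while read -r id status what; do
        echo "resubmitting request $id ($status, $what)"
        getcert resubmit -i "$id"
    done
else
    # Demo on the constructed sample: lists the two non-MONITORING requests.
    printf '%s\n' "$SAMPLE_GETCERT_LIST" | stuck_requests
fi
```

The check only establishes that this host is a replica, not that the renewal master has already renewed the certificate in question, which is the precondition Florence's quoted advice attaches to `getcert resubmit`; verify that separately (for example by checking the expiry of the master's copy) before running with `--run`. As the thread shows for the IPA RA agent certificate, a resubmit can also end with "Updated certificate not available", in which case the renewed `/var/lib/ipa/ra-agent.*` files still have to be copied from the renewal master.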