On 01-10-2020 22:05, Kees Bakker via FreeIPA-users wrote:
On 01-10-2020 20:33, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Can I safely do the following?
ipa-getcert resubmit -i 20181127141739
ipa-getcert resubmit -i 20181127141749
ipa-getcert resubmit -i 20181127141750
ipa-getcert resubmit -i 20181127141751
No. Only the renewal master should attempt renewing the certificates.
That conflicts with a remark from Florence in a thread with the subject "Replica not renewing IPA certificates" in January this year on this mailing list.
"Since you are hitting the issue 8164, you can manually force the renewal on the replica (once the CA renewal master has actually renewed the cert) with getcert resubmit."
and the feedback from Roderick was
"Thank you very much! The getcert resubmit has successfully renewed all the certificates in need of renewal."
I'm puzzled, which is it? Can I use "getcert resubmit" or can I not use it?
And, if not, how is the renewal re-triggered (assuming I have manually patched /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to avoid the cookie problem). Restarting certmonger did not help. Restarting all of IPA did not help. -- Kees
Anyway, I decided to take a chance and just do it. Not with the ipa-getcert command but with getcert.
getcert resubmit -i 20181127141751
getcert resubmit -i 20181127141750
getcert resubmit -i 20181127141749
getcert resubmit -i 20181127141739
That worked.
okt 02 21:15:15 rotte.ghs.nl certmonger[184791]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:16:34 rotte.ghs.nl certmonger[185194]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:17:46 rotte.ghs.nl certmonger[185599]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:18:46 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[185607]: Updated certificate not available
That last line is the result of resubmitting IPA RA. I have manually copied /var/lib/ipa/ra-agent.* from the renewal master to this machine.
I think all is well now.
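An added helper for the replica-side procedure discussed in this thread (example code, not from the thread or from FreeIPA): it parses `getcert list` and `ipa config-show` output, reports tracked requests that are not in MONITORING state, and only prints `getcert resubmit` commands when the host is not the CA renewal master. The getcert and config-show text embedded below is constructed sample output and the hostnames are made up; only the request IDs are taken from the thread.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output: one healthy request and two
# that never finished renewing on the replica (request IDs from the thread).
sample_getcert_list() {
cat <<'EOF'
Request ID '20181127141739':
	status: MONITORING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
Request ID '20181127141750':
	status: CA_WORKING
	stuck: no
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
Request ID '20181127141751':
	status: CA_UNREACHABLE
	stuck: yes
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
EOF
}

# Constructed sample of the relevant `ipa config-show` line (hostname made up).
sample_config_show() {
cat <<'EOF'
  Maximum username length: 32
  IPA CA renewal master: master.example.test
EOF
}

# Print the request IDs of tracked certificates that are not in MONITORING
# state or that certmonger reports as stuck.
stuck_requests() {
  awk -v q="'" '
    /^Request ID/ { if (id != "" && bad) print id; id = $3; gsub(q, "", id); sub(/:$/, "", id); bad = 0 }
    $1 == "status:" && $2 != "MONITORING" { bad = 1 }
    $1 == "stuck:"  && $2 == "yes"        { bad = 1 }
    END { if (id != "" && bad) print id }
  '
}

# Extract the CA renewal master hostname from `ipa config-show` output.
renewal_master() { sed -n 's/^ *IPA CA renewal master: *//p'; }

# Print resubmit commands for a replica; print nothing on the renewal master,
# where certmonger performs the renewal itself.
plan_resubmits() {
  host=$1; master=$2; shift 2
  [ "$host" = "$master" ] && return 0
  for id in "$@"; do echo "getcert resubmit -i $id"; done
}

host=$(hostname 2>/dev/null || echo replica.example.test)
plan_resubmits "$host" "$(sample_config_show | renewal_master)" $(sample_getcert_list | stuck_requests)
```

On a real replica, replace the two sample functions with `getcert list` and `ipa config-show` and run the printed commands only after the renewal master has actually renewed the certificates.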