Hi Rob,
I do manually add the pin and they get in MONITORING state, but the IPA server is not consistent because the upgrade never completes. If I try to run the upgrade, the process renews the certs and they go back to stuck state. Look at the upgrade output I sent and then you can see that those certs get into stuck because of the missing pin:
[Update certmonger certificate renewal configuration] Missing or incorrect tracking request for certificates: /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca Certmonger certificate renewal configuration updated
El 1 dic. 2022, a las 13:52, Rob Crittenden rcritten@redhat.com escribió:
Juan Pablo Lorier wrote:
Ok, I fixed the certs following other ticket but using the pin file pointed in the link you sent me. Result:
ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt
I don't know what request 20221201163932 is but you need to add the pin file to all of the CA-related trackers.
rob
But it seems that the spa-server-upgrade brakes them again:
named user config '/etc/named/ipa-ext.conf' already exists named user config '/etc/named/ipa-options-ext.conf' already exists named user config '/etc/named/ipa-logging-ext.conf' already exists [Upgrading CA schema] CA schema update complete [Update certmonger certificate renewal configuration] Missing or incorrect tracking request for certificates: /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca Certmonger certificate renewal configuration updated [Enable PKIX certificate path discovery and validation] PKIX already enabled [Authorizing RA Agent to modify profiles] [Authorizing RA Agent to manage lightweight CAs] [Ensuring Lightweight CAs container exists in Dogtag database] [Adding default OCSP URI configuration] [Disabling cert publishing] pki-tomcat configuration changed, restart pki-tomcat [Ensuring CA is using LDAPProfileSubsystem] [Migrating certificate profiles to LDAP] Migrating profile 'acmeServerCert' IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually. Unexpected error - see /var/log/ipaupgrade.log for details: NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
Request ID '20221201164512': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer: subject: issued: unknown expires: unknown profile: caSignedLogCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221201164513': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer: subject: issued: unknown expires: unknown profile: caOCSPCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221201164514': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer: subject: issued: unknown expires: unknown profile: caSubsystemCert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20221201164515': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN stuck: yes key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca' certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca' CA: dogtag-ipa-ca-renew-agent issuer: subject: issued: unknown expires: unknown profile: caCACert pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes
El 1 dic. 2022, a las 12:47, Juan Pablo Lorier <jplorier@gmail.com <mailto:jplorier@gmail.com mailto:jplorier@gmail.com>> escribió:
Thanks Jochen,
I tried following the post but the getcert command is complaining about the syntax and I can’t find why. According to man page, the parameters are right.
I also tried to remove the certs and run spa-server-upgrade but it generates new certs and fails at the same point (new certs are also pending pin information) It looks like I will need a way to unstuck those certs for the upgrade to continue. All suggestions are Wellcome :-) Regards
El 1 dic. 2022, a las 01:30, Jochen Kellner <jochen@jochen.org mailto:jochen@jochen.org <mailto:jochen@jochen.org mailto:jochen@jochen.org>> escribió:
Hello Juan,
Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org <mailto:freeipa-users@lists.fedorahosted.org mailto:freeipa-users@lists.fedorahosted.org>> writes:
You are right, there are several certificates stuck in dc2:
getcert list
...
Request ID '20221130160320': status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
My google-fu point to that comment in an issue: https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65996... That has the commands to fix the issue.
Another possibility should be to stop-tracking the certificates and run ipa-server-upgrade which should restore the trackings. Right?
Jochen
-- This space is intentionally left blank.