Kees Bakker via FreeIPA-users wrote:
> Could it be that this error already existed since we started? Notice
> the Request ID of 2016..., and the expires: 2018-10-24.
>
> # getcert list -n ipaCert | sed blabla
> Number of certificates and requests being tracked: 8.
> Request ID '20161103094546':
> status: CA_UNREACHABLE
> ca-error: Error 77 connecting to
> https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert
> (path? access rights?).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
> Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=MYDOMAIN
> subject: CN=IPA RA,O=MYDOMAIN
> expires: 2018-10-24 08:45:40 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
>
> In other words, is this the same issue as
> https://pagure.io/freeipa/issue/7422 ?
The problem is your certs expired yesterday so connections won't work
(the code and message don't come from within certmonger).
certmonger _should_ have renewed them. Try killing ntpd, going back a
few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and
see what happens.
Easy for you to say. You know what you're doing :-)
For me it's all magic.
Anyway, I'll try it. I'm just scared to set the clock back, because there may
be clients in the network that use this server as an NTP server.
Another thing I want to mention is that the error started showing up two days
ago, on Oct 22, while the expiration is today, Oct 24.
--
Kees
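As an added example (not code from this thread, nor from FreeIPA or certmonger), the following Python script parses `getcert list` output of the kind quoted above and reports tracked requests that are already expired, inside a warning window, or not in the `MONITORING` state. The sample output is constructed from the quoted `ipaCert` request plus a hypothetical healthy entry (`EXAMPLE-HEALTHY`); the 28-day warning window and the `now` values used in the usage block are assumptions chosen to match the dates in the thread.

```python
"""Flag expired, soon-to-expire, or non-MONITORING certmonger requests.

Added example: parses the text format printed by `getcert list` and checks
each request's status, expiry date and tracking flags. The sample below is
constructed from the request quoted in the thread plus one made-up healthy
request; it is not live output.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the thread's `getcert list -n ipaCert` output.
GETCERT_SAMPLE = """Number of certificates and requests being tracked: 8.
Request ID '20161103094546':
\tstatus: CA_UNREACHABLE
\tca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=MYDOMAIN
\tsubject: CN=IPA RA,O=MYDOMAIN
\texpires: 2018-10-24 08:45:40 UTC
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
\tpost-save command: /usr/lib/ipa/certmonger/renew_ra_cert
\ttrack: yes
\tauto-renew: yes
Request ID 'EXAMPLE-HEALTHY':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=example-host.mydomain,O=MYDOMAIN
\texpires: 2019-06-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_HEADER = re.compile(r"Request ID '([^']+)':")


def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = REQUEST_HEADER.match(line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        # Field lines look like "key: value"; split on the first ": " only,
        # so URLs inside values (e.g. the ca-error) are left intact.
        if current is None or ": " not in line:
            continue
        key, value = line.split(": ", 1)
        current[key] = value
    return requests


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def check_requests(requests, now, warn_days=28):
    """Return (request_id, message) findings for anything that needs attention.

    warn_days is an assumed threshold for 'expiring soon'; tune it to the
    renewal lead time configured for your CA.
    """
    findings = []
    for req in requests:
        rid = req["request_id"]
        status = req.get("status", "<missing>")
        if status != "MONITORING":
            detail = req.get("ca-error", "no ca-error reported")
            findings.append((rid, f"status {status}: {detail}"))
        if "expires" in req:
            overdue = now - parse_expiry(req["expires"])
            if overdue >= timedelta(0):
                findings.append((rid, f"EXPIRED {overdue.days} day(s) ago ({req['expires']})"))
            elif -overdue <= timedelta(days=warn_days):
                findings.append((rid, f"expires in {(-overdue).days} day(s) ({req['expires']})"))
        if req.get("track") != "yes" or req.get("auto-renew") != "yes":
            findings.append((rid, "not tracked for automatic renewal"))
    return findings


if __name__ == "__main__":
    # Assumed 'now': the day after the quoted certificate expired.
    now = datetime(2018, 10, 25, 9, 0, tzinfo=timezone.utc)
    for rid, msg in check_requests(parse_getcert(GETCERT_SAMPLE), now):
        print(f"{rid}: {msg}")
```

On a live system the same checks would run over the output of `getcert list` (captured with `subprocess`) instead of the embedded sample; keeping the expiry and status checks separate makes it clear when renewal had already been failing before the certificate actually expired, which is the situation described in the thread.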