[Freeipa-users] Re: can't enroll ubuntu 24

19 Dec 2024


      Hi,
On Thu, Dec 19, 2024 at 9:09 AM Dmitry Krasov via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:
...
I turned back in time, and fixed certs with resubmit command after "-c"
option, and now 2 last seems fine. But the other 6 can't find CA.
What if change their CA to "CA: IPA" ?
Please don't. The certificates that are tracked with
dogtag-ipa-ca-renew-agent are shared certificates (the same cert is
installed on all the replicas and the CA helper is smart enough to know if
he needs to request a new certificate or download the new one). If you
switch the the CA:IPA, your topology looses this logic.
Do you have any strong reason for using the method go-back-in-time rather
than ipa-cert-fix command? The drawback is that you need to carefully
select your date in the past: the certificates must not be expired yet but
also have to *be already valid* (LDAP and HTTP certs have been renewed,
they will expire 2026-10-18, but what is their valid-from date? If you go
back in the past to a date before they are valid, they are unusable).
flo
screenshot with "https://ipa.dom.loc:8443/ca/agent/ca/profileReview" page:
...
https://i.ibb.co/bXsvYBD/image.png
Number of certificates and requests being tracked: 8.
Request ID '20221130052539':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL
CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=CA Audit,O=DOM.LOC
        expires: 2024-11-19 05:25:15 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221130052540':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL
CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=OCSP Subsystem,O=DOM.LOC
        expires: 2024-11-19 05:25:14 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221130052541':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL
CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=CA Subsystem,O=DOM.LOC
        expires: 2024-11-19 05:25:14 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221130052542':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL
CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=Certificate Authority,O=DOM.LOC
        expires: 2042-11-30 05:25:14 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221130052543':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL
CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS
Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=IPA RA,O=DOM.LOC
        expires: 2024-11-19 05:25:36 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20221130052544':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to
https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Problem with the SSL
CA cert (path? access rights?).
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=ipa.dom.loc,O=DOM.LOC
        expires: 2024-11-19 05:25:14 UTC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20221130052605':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=ipa.dom.loc,O=DOM.LOC
        expires: 2026-10-18 20:36:25 UTC
        principal name: ldap/ipa.dom.loc@DOM.LOC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
        track: yes
        auto-renew: yes
Request ID '20221130052625':
        status: MONITORING
        stuck: no
        key pair storage:
type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate:
type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DOM.LOC
        subject: CN=ipa.dom.loc,O=DOM.LOC
        expires: 2026-10-18 20:36:33 UTC
        principal name: HTTP/ipa.dom.loc@DOM.LOC
        key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue

2026

2025

2024

2023

2022

2021

2020

2019

2018

2017

[Freeipa-users] Re: can't enroll ubuntu 24

https://i.ibb.co/bXsvYBD/image.png