Juan Pablo Lorier via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hi Rob,
All dates are good once I add the pin manually. The only problem is the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I don’t know what is not right with the certs. Maybe you can point me in a direction to look at the logs. Let me share the getcert list once I manually fixed the pin:
Can you perhaps compare the requests for one certificate before and after the upgrade? The requests are stored in /var/lib/certmonger/requests. Let's focus on one certificate first, for example: key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
I'd try something like that:
- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are
Depending on the differences - and this needs some creative thinking:
- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after the upgrade)
- We need to get certmonger and ipa-server-upgrade to be happy with these requests, so the requests don't get changed during the next upgrade.
I've had a look at the logs of the last ipaupgrade.log. For each certificate I see:
2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal configuration]
...
2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration already up-to-date
I guess the second line for you says something like "...config updated". We need to see if the lines in between have some clues for us.
In a post upthread you posted the console output:
Missing or incorrect tracking request for certificates:
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Also upthread you posted:
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed: Traceback (most recent call last): File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
In my upgrade log this is after updating/checking the certmonger requests. So my guess is there's something strange with your configuration in /var/lib/certmonger/requests.
So, can you provide more of your ipaupgrade.log where the certmonger requests are checked/updated and one request before/after?
Jochen
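As an added example (not code from the thread, from FreeIPA or from certmonger), a small shell script for the "compare" step Jochen suggests: it matches request files across two saved copies of /var/lib/certmonger/requests by key_nickname and reports which tracking fields changed, such as a key_pin_file that disappeared. The request-file field names are an assumption about the certmonger format, and the sample files are constructed.

```shell
#!/bin/sh
# Added example (not from the thread): compare two snapshots of
# /var/lib/certmonger/requests taken before and after ipa-server-upgrade.
# Requests are matched by key_nickname because a re-created request gets a
# new filename. Field names follow the certmonger request file format as an
# assumption; the sample files below are constructed, not from a real host.

# changed_fields BEFORE_DIR AFTER_DIR
# Prints "<nickname>: <field>" for each field whose value differs between the
# two snapshots, or "<nickname>: only-in-after" when no counterpart exists.
changed_fields() {
    before_dir=$1; after_dir=$2
    for after in "$after_dir"/*; do
        nick=$(sed -n 's/^key_nickname=//p' "$after")
        before=$(grep -lxF "key_nickname=$nick" "$before_dir"/* | head -n 1)
        if [ -z "$before" ]; then
            echo "$nick: only-in-after"
            continue
        fi
        # Walk every key seen in either file. Validity dates change on a
        # legitimate renewal, so skip them and focus on tracking configuration.
        for key in $( (cut -d= -f1 "$before"; cut -d= -f1 "$after") | sort -u ); do
            case $key in cert_not_before|cert_not_after) continue ;; esac
            b=$(sed -n "s/^$key=//p" "$before")
            a=$(sed -n "s/^$key=//p" "$after")
            [ "$b" = "$a" ] || echo "$nick: $key"
        done
    done
}

# make_sample DIR: constructed before/after snapshots of one request. The
# "after" copy lost its key_pin_file and carries the state the thread reports.
make_sample() {
    mkdir -p "$1/before" "$1/after"
    cat >"$1/before/20220902200224" <<'EOF'
id=20220902200224
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
ca_name=dogtag-ipa-ca-renew-agent
state=MONITORING
cert_not_after=20240902200224
EOF
    sed -e 's/^id=.*/id=20221130160749/' -e '/^key_pin_file=/d' \
        -e 's/^state=.*/state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN/' \
        -e 's/^cert_not_after=.*/cert_not_after=20260902200224/' \
        "$1/before/20220902200224" >"$1/after/20221130160749"
}
```

On a real host, stop certmonger before copying the directory and then call changed_fields with the two saved copies; every reported field is a candidate for what ipa-server-upgrade rewrote.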