10:19 a.m.
giri f via FreeIPA-users wrote:
of certificates and requests being tracked: 9. est ID
20200416082225':
status: CA UNREACHABLE
ca-error: Error 35 connecting to
https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview:
SS connect error.
stuck: no
key pair storage: type-FILE, location=' /var/lib/ipa/ra-agent.key' certificate:
type-FILE, location=' /var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority, 0-ipa360. ORG subject: CN=IPA RA, 0-ipa360. ORG
expires: 2024-02-25 18:27:39 UTC
key usage: digitalsignature, keyEncipherment, dataEncipherment eku: id-kp-serverAuth,
id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save
command: /usI/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes
Request ID 20200416082243':
status: CA UNREACHABLE
ca-error: Error 35 connecting to
https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview:
SSL connect error.
stuck: no
key pair storage: type-NSSDB, location=' /etc/pki/pki-tomcat/alias',
nickname='auditSigningCert cert-pki-ca', token-'OSS Certificate DB', pin s
certificate: type=NSSDB,
location='/etc/pki/pki-toncat/alias',nickname='auditSigningCert
cert-pki-ca', token= 'NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority, 0-ipa360. ORG subject: CN=CA Audit, 0-ipa360. ORG
expires: 2024-02-25 18:27:49 UTC
key usage: digitalSignature, nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
I
post-save command: /us/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track:yes
auto-renew: yes
Request
ID 20200416082244*: status: CA UNREACHABLE
ca-error: Error 35 connecting to
https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview:
SSI connect error.
stuck: no
key pair storage: type-NSSDB, location='/etc/pki/pki-tomcat/alias',
nickname-'ocspsigningCert cert-pki-ca', token= 'NSS
Certificate DB', pin
set
certificate: type-NSSDB, location»'/etc/pki/pki-tomcat/alias',
nickname='ocspsigningert cert-pki-ca', token= 'NSS Certificate
DB"
CA: dogtag-ipa-ca-renew-agent
issuer: CN-Certificate Authority, 0-ipa360. ORG subject: CN-OCSP Subsystem, 0-ipa360. ORG
expires: 2024-02-25 18:27:19 UTC
eku: id-kp-ocspsigning
pre-save command: /us/Libexec/ipa/certmonger/stop_pkicad
post-save command: /usT/libexec/jpa/certmonger/renew_ca_cert "ocspsigningcert
cert-pki-ca"
track: yes auto-renew: yes
Request ID 20200416082245'â‚˝
So you'll need to back in time to February of this year. Restart IPA (be
sure ntpd isn't restarted) and ensure things are basically functioning.
The restart certmonger and it should renew the certificates assuming
this server is the renewal master (ipa config-show will tell you).
Once the certificates are successfully renewed, move forward in time,
restart IPA and things should continue to work.
rob