Ok, I fixed the certs following other ticket but using the pin file pointed in the link you sent me.
Result:

ipa-getcert start-tracking -i 20221201163932 -p /etc/pki/pki-tomcat/alias/pwdfile.txt

But it seems that the spa-server-upgrade brakes them again:

named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information





Request ID '20221201164512':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221201164513':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221201164514':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221201164515':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer: 
subject: 
issued: unknown
expires: unknown
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes

El 1 dic. 2022, a las 12:47, Juan Pablo Lorier <jplorier@gmail.com> escribió:

Thanks Jochen,

I tried following the post but the getcert command is complaining about the syntax and I can’t find why. According to man page, the parameters are right.

I also tried to remove the certs and run spa-server-upgrade but it generates new certs and fails at the same point (new certs are also pending pin information)
It looks like I will need a way to unstuck those certs for the upgrade to continue.
All suggestions are Wellcome :-)
Regards

El 1 dic. 2022, a las 01:30, Jochen Kellner <jochen@jochen.org> escribió:


Hello Juan,

Juan Pablo Lorier via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> writes:

You are right, there are several certificates stuck in dc2:

getcert list
...
Request ID '20221130160320':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN

My google-fu point to that comment in an issue:
https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-659962943
That has the commands to fix the issue.

Another possibility should be to stop-tracking the certificates and run
ipa-server-upgrade which should restore the trackings. Right?

Jochen

--
This space is intentionally left blank.