Hi Jochen and thanks for your reply.
My knowledge of CA is not much, so I will try to follow as much as I can. The only error I don't know whether it is OK to be there is the kra error mentioned in the logs.
What I did was compare the files in the request directory before and after the upgrade, with the 4 certs in the stuck state, and the files were the same. I then removed the files in the directory and ran the upgrade again, which created new files and the 4 new certs again in the stuck state. At last, I fixed the certs and ran the upgrade again.
Here are the fixed certs, dir content, etc., for the last try:
# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:59:28 -03
    expires: 2023-12-13 22:59:28 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20221202140756':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=CA Audit,O=TNU.COM.UY
    issued: 2021-11-09 15:11:14 -03
    expires: 2023-10-30 15:11:14 -03
    key usage: digitalSignature,nonRepudiation
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202140757':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=OCSP Subsystem,O=TNU.COM.UY
    issued: 2021-11-09 15:12:03 -03
    expires: 2023-10-30 15:12:03 -03
    eku: id-kp-OCSPSigning
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202140758':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=CA Subsystem,O=TNU.COM.UY
    issued: 2021-11-09 15:11:13 -03
    expires: 2023-10-30 15:11:13 -03
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202140759':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=Certificate Authority,O=TNU.COM.UY
    issued: 2022-08-26 14:25:16 -03
    expires: 2042-08-26 14:25:16 -03
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202140800':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-01 22:56:02 -03
    expires: 2023-11-21 22:56:02 -03
    dns: dc2.tnu.com.uy
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caServerCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202140801':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=IPA RA,O=TNU.COM.UY
    issued: 2021-11-09 15:12:27 -03
    expires: 2023-10-30 15:12:27 -03
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20221202140802':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:10 -03
    expires: 2023-12-13 22:53:10 -03
    dns: dc2.tnu.com.uy
    principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20221202140803':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    dns: dc2.tnu.com.uy
    principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
# ll /var/lib/certmonger/requests
total 64
-rw------- 1 root root 4598 Dec 2 11:27 20221202140756
-rw------- 1 root root 4785 Dec 2 11:27 20221202140757
-rw------- 1 root root 4798 Dec 2 11:27 20221202140758
-rw------- 1 root root 4851 Dec 2 11:27 20221202140759
-rw------- 1 root root 4983 Dec 2 11:08 20221202140800
-rw------- 1 root root 4610 Dec 2 11:08 20221202140801
-rw------- 1 root root 5373 Dec 2 11:08 20221202140802
-rw------- 1 root root 5272 Dec 2 11:08 20221202140803
# cat req_temp/requests/20221202140756
id=20221202140756
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
key_perms=0
key_pubkey=[...]
key_pubkey_info=[...]
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_token=NSS Certificate DB
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_issuer_der=303531133011060355040A0C0A544E552E434F4D2E5559311E301C06035504030C15436572746966696361746520417574686F72697479
cert_issuer=CN=Certificate Authority,O=TNU.COM.UY
cert_serial=14
cert_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
cert_subject=CN=CA Audit,O=TNU.COM.UY
cert_spki=[...]
cert_not_before=20211109181114
cert_not_after=20231030181114
cert_ku=11
cert_is_ca=0
cert_ca_path_length=-1
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
template_subject=CN=CA Audit,O=TNU.COM.UY
template_ku=11
template_is_ca=0
template_ca_path_length=-1
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=MONITORING
autorenew=1
monitor=1
ca_name=IPA
submitted=19700101000000
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
  [1/11]: stopping directory server
  [2/11]: saving configuration
  [3/11]: disabling listeners
  [4/11]: enabling DS global lock
  [5/11]: disabling Schema Compat
  [6/11]: starting directory server
  [7/11]: updating schema
  [8/11]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
  [9/11]: stopping directory server
  [10/11]: restoring configuration
  [11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:59:28 -03
    expires: 2023-12-13 22:59:28 -03
    principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20221202175657':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSignedLogCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202175658':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caOCSPCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202175659':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202175700':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    issuer:
    subject:
    issued: unknown
    expires: unknown
    profile: caCACert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202175701':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-01 22:56:02 -03
    expires: 2023-11-21 22:56:02 -03
    dns: dc2.tnu.com.uy
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caServerCert
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20221202175702':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=IPA RA,O=TNU.COM.UY
    issued: 2021-11-09 15:12:27 -03
    expires: 2023-10-30 15:12:27 -03
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caSubsystemCert
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20221202175703':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:10 -03
    expires: 2023-12-13 22:53:10 -03
    dns: dc2.tnu.com.uy
    principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
    track: yes
    auto-renew: yes
Request ID '20221202175704':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=TNU.COM.UY
    subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
    issued: 2021-12-12 22:53:26 -03
    expires: 2023-12-13 22:53:26 -03
    dns: dc2.tnu.com.uy
    principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    profile: caIPAserviceCert
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
# ll /var/lib/certmonger/requests
total 48
-rw------- 1 root root 1029 Dec 2 14:56 20221202175658
-rw------- 1 root root 1021 Dec 2 14:57 20221202175658-1
-rw------- 1 root root 1020 Dec 2 14:57 20221202175659
-rw------- 1 root root 1013 Dec 2 14:57 20221202175700
-rw------- 1 root root 4983 Dec 2 14:57 20221202175701
-rw------- 1 root root 4610 Dec 2 14:57 20221202175702
-rw------- 1 root root 5373 Dec 2 14:57 20221202175703
-rw------- 1 root root 5272 Dec 2 14:57 20221202175704
# cat /var/lib/certmonger/requests/20221202175658
id=20221202175657
key_type=UNSPECIFIED
key_gen_type=RSA
key_size=0
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
key_perms=0
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_is_ca=0
template_ca_path_length=0
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=19700101000000
pre_certsave_command=/usr/libexec/ipa/certmonger/stop_pkicad
pre_certsave_uid=0
post_certsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
post_certsave_uid=0
UPGRADELOG:
2022-11-30T16:03:16Z DEBUG stderr=
2022-11-30T16:03:16Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:16Z DEBUG Starting external process
2022-11-30T16:03:16Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-30T16:03:17Z DEBUG Process finished, return code=1
2022-11-30T16:03:17Z DEBUG stdout=
2022-11-30T16:03:17Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-30T16:03:17Z INFO [Update certmonger certificate renewal configuration]
2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TNU-COM-UY/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=-----BEGIN CERTIFICATE-----
Xxxx
-----END CERTIFICATE-----
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
TNU.COM.UY IPA CA                                            CTu,Cu,Cu
TNU.COM.UY IPA CA                                            CTu,Cu,Cu
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:19Z INFO Missing or incorrect tracking request for certificates:
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:Server-Cert cert-pki-ca
2022-11-30T16:03:19Z INFO /var/lib/ipa/ra-agent.pem
2022-11-30T16:03:19Z INFO /var/lib/ipa/certs/httpd.crt
2022-11-30T16:03:19Z DEBUG Configuring certmonger to stop tracking system certificates for CA
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'dbus.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:20Z DEBUG Starting external process
2022-11-30T16:03:20Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-30T16:03:20Z DEBUG Process finished, return code=1
2022-11-30T16:03:20Z DEBUG stdout=
2022-11-30T16:03:20Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
On 1 Dec 2022, at 20:14, Jochen Kellner jochen@jochen.org wrote:
Juan Pablo Lorier via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Hi Rob,
All dates are good once I add the pin manually. The only problem is the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run the updater. I don’t know what is not right with the certs. Maybe you can point me in a direction to look at the logs. Let me share the getcert list once I manually fixed the pin:
Can you perhaps compare the requests for one certificate before and after the upgrade? The requests are stored in /var/lib/certmonger/requests. Let's focus on one certificate first, for example: key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
I'd try something like that:
- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are
Depending on the differences - and needs some creative thinking:
- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after the upgrade)
- We need to get certmonger and ipa-server-upgrade to be happy with these requests, so the requests don't get changed during the next upgrade.
I've had a look at the logs of the last ipaupgrade.log. For each certificate I see:
2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal configuration]
...
2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration already up-to-date
I guess the second line for you says something like "...config updated". We need to see, if the lines between have some clues for us.
In a post upthread you posted the console output:
Missing or incorrect tracking request for certificates:
  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Also upthread you posted:
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
In my upgrade log this is after updating/checking the certmonger requests. So my guess is there's something strange with your configuration in /var/lib/certmonger/requests.
So, can you provide more of your ipaupgrade.log where the certmonger requests are checked/updated and one request before/after?
Jochen
-- This space is intentionally left blank.
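The before/after comparison Jochen suggests above, applied to the kind of request files Juan Pablo posted, as an added example (my code, not certmonger's or FreeIPA's, and not from this thread). It parses certmonger's one-key=value-per-line request format (including the multi-line cert= PEM block), diffs two files for the same nickname while ignoring fields that differ between any two tracking runs, and flags the settings whose absence leaves an NSSDB-backed request waiting for a PIN. The two sample files are constructed, trimmed versions modelled on the 20221202140756 and 20221202175658 files above; the VOLATILE set and the key_access_problems checks are my choices, not certmonger's.

```python
"""Diff two certmonger request files and flag missing key-access settings.

Added example, not certmonger or FreeIPA code.  The two samples are
constructed, trimmed versions modelled on the request files in the thread.
"""
from typing import Dict, List, Optional, Tuple

# Constructed "before upgrade" request: tracked by the IPA CA, pin file set.
BEFORE = """\
id=20221202140756
key_type=RSA
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
cert_storage_type=NSSDB
cert_nickname=auditSigningCert cert-pki-ca
template_profile=caSignedLogCert
state=MONITORING
ca_name=IPA
submitted=19700101000000
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
-----END CERTIFICATE-----
"""

# Constructed "after upgrade" request: re-created without token or pin file.
AFTER = """\
id=20221202175657
key_type=UNSPECIFIED
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
cert_storage_type=NSSDB
cert_nickname=auditSigningCert cert-pki-ca
template_profile=caSignedLogCert
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
ca_name=dogtag-ipa-ca-renew-agent
submitted=19700101000000
pre_certsave_command=/usr/libexec/ipa/certmonger/stop_pkicad
"""

# Fields that legitimately differ between two tracking runs (my choice).
VOLATILE = {"id", "submitted", "last_need_notify_check", "last_need_enroll_check"}


def parse_request(text: str) -> Dict[str, str]:
    """Parse certmonger's one-key=value-per-line format.

    A PEM block (cert=-----BEGIN ...) spans several lines; those lines are
    appended to the 'cert' value instead of being split on '='."""
    fields: Dict[str, str] = {}
    current = ""
    in_pem = False
    for line in text.splitlines():
        if in_pem:
            fields[current] += "\n" + line
            if line.startswith("-----END"):
                in_pem = False
            continue
        if "=" not in line:
            continue  # blank or malformed line
        key, value = line.split("=", 1)
        fields[key] = value
        current = key
        if value.startswith("-----BEGIN"):
            in_pem = True
    return fields


def diff_requests(before: Dict[str, str], after: Dict[str, str]
                  ) -> Dict[str, Tuple[Optional[str], Optional[str]]]:
    """Return {field: (old, new)} for every field that changed or vanished."""
    changed: Dict[str, Tuple[Optional[str], Optional[str]]] = {}
    for key in sorted(set(before) | set(after)):
        if key in VOLATILE:
            continue
        if before.get(key) != after.get(key):
            changed[key] = (before.get(key), after.get(key))
    return changed


def key_access_problems(req: Dict[str, str]) -> List[str]:
    """Settings whose absence keeps an NSSDB-backed request from reading its key.

    Without a pin or pin file certmonger cannot open the key, and the request
    stays in NEWLY_ADDED_NEED_KEYINFO_READ_PIN ('stuck: yes' in getcert)."""
    problems: List[str] = []
    if req.get("key_storage_type") == "NSSDB":
        if not req.get("key_token"):
            problems.append("key_token missing")
        if not (req.get("key_pin") or req.get("key_pin_file")):
            problems.append("no key_pin or key_pin_file")
    if req.get("key_type") == "UNSPECIFIED":
        problems.append("key_type UNSPECIFIED: key was never read")
    return problems


if __name__ == "__main__":
    before, after = parse_request(BEFORE), parse_request(AFTER)
    for field, (old, new) in diff_requests(before, after).items():
        print(f"{field}: {old!r} -> {new!r}")
    print("problems in after-upgrade request:", key_access_problems(after))
```

Against real data you would read the two saved copies of /var/lib/certmonger/requests with open() and pair files by key_nickname rather than by file name, since the request IDs are regenerated on each run (which is why "id" is in VOLATILE). On the constructed samples the diff shows key_token and key_pin_file going from set to absent, key_type going from RSA to UNSPECIFIED, and ca_name switching from IPA to dogtag-ipa-ca-renew-agent, which is the same pattern as the two files posted in the thread.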