My knowledge of CA is not much, so I will try to follow as much as I can. The only error I don't know whether it is OK to be there is the kra error mentioned in the logs.
What I did was compare the files in the request directory before and after the upgrade, with the 4 certs in a stuck state, and the files were the same.
I then removed the files in the directory and ran the upgrade again, which created new files and the 4 new certs again in a stuck state.
At last, I fixed the certs and ran the upgrade again.
# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221202140756':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=CA Audit,O=TNU.COM.UY
issued: 2021-11-09 15:11:14 -03
expires: 2023-10-30 15:11:14 -03
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140757':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=OCSP Subsystem,O=TNU.COM.UY
issued: 2021-11-09 15:12:03 -03
expires: 2023-10-30 15:12:03 -03
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140758':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=CA Subsystem,O=TNU.COM.UY
issued: 2021-11-09 15:11:13 -03
expires: 2023-10-30 15:11:13 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140759':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=Certificate Authority,O=TNU.COM.UY
issued: 2022-08-26 14:25:16 -03
expires: 2042-08-26 14:25:16 -03
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140800':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-01 22:56:02 -03
expires: 2023-11-21 22:56:02 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140801':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=IPA RA,O=TNU.COM.UY
issued: 2021-11-09 15:12:27 -03
expires: 2023-10-30 15:12:27 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221202140802':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221202140803':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
# ll /var/lib/certmonger/requests
total 64
-rw------- 1 root root 4598 Dec 2 11:27 20221202140756
-rw------- 1 root root 4785 Dec 2 11:27 20221202140757
-rw------- 1 root root 4798 Dec 2 11:27 20221202140758
-rw------- 1 root root 4851 Dec 2 11:27 20221202140759
-rw------- 1 root root 4983 Dec 2 11:08 20221202140800
-rw------- 1 root root 4610 Dec 2 11:08 20221202140801
-rw------- 1 root root 5373 Dec 2 11:08 20221202140802
-rw------- 1 root root 5272 Dec 2 11:08 20221202140803
# cat req_temp/requests/20221202140756
id=20221202140756
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
key_perms=0
key_pubkey=3082010A0282010100ED7F292C336E1F03C6BBE7A5EC8AE21FCE742A8561FD7EC8F81C5645C1ACD110EAF0B0346D4E85ECB14EDA5E7C6EFB061A7321B3C06A48307C81CEB1D9519217A51A528246248B342E0E5EEB1D6115EED86B1836EE2F2D93926D9CC4550CA92868276E2AE46A5416F3E53A717AC376DB6FBD3EAEDBF9F3CA50C208472976F4D4A8761D948C8C85A23155EE06BA4A1C60BE2816D24D399D4C161CB29D625A8F674D54E7BF0A72D6D281F0DE5C09F4FCB98CA1F0958DD782CF7802779F052F2A9D9CB6A18FDA113A9D2782BB6431CFCE4F95DF0E378E3C24DC8E227F459F7AE9046C0577F073B1D9267CAD5540681EB58E4A3E78C67CDB9D7D1A7696284A9F92190203010001
key_pubkey_info=30820122300D06092A864886F70D01010105000382010F003082010A0282010100ED7F292C336E1F03C6BBE7A5EC8AE21FCE742A8561FD7EC8F81C5645C1ACD110EAF0B0346D4E85ECB14EDA5E7C6EFB061A7321B3C06A48307C81CEB1D9519217A51A528246248B342E0E5EEB1D6115EED86B1836EE2F2D93926D9CC4550CA92868276E2AE46A5416F3E53A717AC376DB6FBD3EAEDBF9F3CA50C208472976F4D4A8761D948C8C85A23155EE06BA4A1C60BE2816D24D399D4C161CB29D625A8F674D54E7BF0A72D6D281F0DE5C09F4FCB98CA1F0958DD782CF7802779F052F2A9D9CB6A18FDA113A9D2782BB6431CFCE4F95DF0E378E3C24DC8E227F459F7AE9046C0577F073B1D9267CAD5540681EB58E4A3E78C67CDB9D7D1A7696284A9F92190203010001
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_token=NSS Certificate DB
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_issuer_der=303531133011060355040A0C0A544E552E434F4D2E5559311E301C06035504030C15436572746966696361746520417574686F72697479
cert_issuer=CN=Certificate Authority,O=TNU.COM.UY
cert_serial=14
cert_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
cert_subject=CN=CA Audit,O=TNU.COM.UY
cert_spki=[value elided]
cert_not_before=20211109181114
cert_not_after=20231030181114
cert_ku=11
cert_is_ca=0
cert_ca_path_length=-1
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
template_subject=CN=CA Audit,O=TNU.COM.UY
template_ku=11
template_is_ca=0
template_ca_path_length=-1
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=MONITORING
autorenew=1
monitor=1
ca_name=IPA
submitted=19700101000000
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is unwilling to perform: Entry and attributes are managed by topology plugin.No direct modifications allowed.
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221202175657':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175658':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175659':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175700':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175701':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-01 22:56:02 -03
expires: 2023-11-21 22:56:02 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175702':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=IPA RA,O=TNU.COM.UY
issued: 2021-11-09 15:12:27 -03
expires: 2023-10-30 15:12:27 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221202175703':
status: MONITORING
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221202175704':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
# ll /var/lib/certmonger/requests
total 48
-rw------- 1 root root 1029 Dec 2 14:56 20221202175658
-rw------- 1 root root 1021 Dec 2 14:57 20221202175658-1
-rw------- 1 root root 1020 Dec 2 14:57 20221202175659
-rw------- 1 root root 1013 Dec 2 14:57 20221202175700
-rw------- 1 root root 4983 Dec 2 14:57 20221202175701
-rw------- 1 root root 4610 Dec 2 14:57 20221202175702
-rw------- 1 root root 5373 Dec 2 14:57 20221202175703
-rw------- 1 root root 5272 Dec 2 14:57 20221202175704
# cat /var/lib/certmonger/requests/20221202175658
id=20221202175657
key_type=UNSPECIFIED
key_gen_type=RSA
key_size=0
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
key_perms=0
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_is_ca=0
template_ca_path_length=0
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=19700101000000
pre_certsave_command=/usr/libexec/ipa/certmonger/stop_pkicad
pre_certsave_uid=0
post_certsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
post_certsave_uid=0
UPGRADELOG:
2022-11-30T16:03:16Z DEBUG stderr=
2022-11-30T16:03:16Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:16Z DEBUG Starting external process
2022-11-30T16:03:16Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-30T16:03:17Z DEBUG Process finished, return code=1
2022-11-30T16:03:17Z DEBUG stdout=
2022-11-30T16:03:17Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
2022-11-30T16:03:17Z INFO [Update certmonger certificate renewal configuration]
2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/dirsrv/slapd-TNU-COM-UY/', '-L', '-n', 'Server-Cert', '-a', '-f', '/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=-----BEGIN CERTIFICATE-----
Xxxx
-----END CERTIFICATE-----
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:17Z DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d', 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f', '/etc/pki/pki-tomcat/alias/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
TNU.COM.UY IPA CA CTu,Cu,Cu
TNU.COM.UY IPA CA CTu,Cu,Cu
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:19Z INFO Missing or incorrect tracking request for certificates:
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:Server-Cert cert-pki-ca
2022-11-30T16:03:19Z INFO /var/lib/ipa/ra-agent.pem
2022-11-30T16:03:19Z INFO /var/lib/ipa/certs/httpd.crt
2022-11-30T16:03:19Z DEBUG Configuring certmonger to stop tracking system certificates for CA
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'dbus.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'start', 'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active', 'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:20Z DEBUG Starting external process
2022-11-30T16:03:20Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
2022-11-30T16:03:20Z DEBUG Process finished, return code=1
2022-11-30T16:03:20Z DEBUG stdout=
2022-11-30T16:03:20Z DEBUG stderr=ERROR: ERROR: No kra subsystem in instance pki-tomcat.
Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
> Hi Rob,
> All dates are good once I add the pin manually. The only problem is
> the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run
> the updater. I don't know what is not right with the certs. Maybe you
> can point me in a direction to look at the logs. Let me share the
> getcert list once I manually fixed the pin:
Can you perhaps compare the requests for one certificate before and
after the upgrade? The requests are stored in
/var/lib/certmonger/requests. Let's focus on one certificate first,
for example:
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
I'd try something like that:
- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are
Depending on the differences - and this needs some creative thinking:
- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after
the upgrade)
- We need to get certmonger and ipa-server-upgrade to be happy with these
requests, so the requests don't get changed during the next upgrade.
I've had a look at the logs of the last ipaupgrade.log. For each
certificate I see:
2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal
configuration]
...
2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration
already up-to-date
I guess the second line for you says something like "...config
updated". We need to see, if the lines between have some clues for us.
In a post upthread you posted the console output:
Missing or incorrect tracking request for certificates:
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Also upthread you posted:
2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in LDAP and
enabled; skipping
2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
2022-11-30T16:07:49Z DEBUG request GET
https://dc2.tnu.com.uy:8443/ca/rest/account/login
2022-11-30T16:07:49Z DEBUG request body ''
2022-11-30T16:07:54Z DEBUG httplib request failed:
Traceback (most recent call last):
File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
In my upgrade log this is after updating/checking the certmonger
requests. So my guess is there's something strange with your
configuration in /var/lib/certmonger/requests.
So, can you provide more of your ipaupgrade.log where the certmonger
requests are checked/updated and one request before/after?
Jochen
--
This space is intentionally left blank.
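As an added example of the before/after comparison Jochen suggests (this is not code from the thread, FreeIPA or certmonger): it parses certmonger's flat key=value request files, matches requests by storage location and nickname because the request ID changes when the upgrade re-creates them, and reports which fields changed. The two sample inputs are constructed from the request dumps quoted in this thread, trimmed to the relevant fields.

```python
"""Compare certmonger request files before and after an ipa-server-upgrade.

Added illustration for the thread above; not FreeIPA or certmonger code.
Files in /var/lib/certmonger/requests are flat key=value text. A re-created
request gets a new id, so entries are matched by storage + nickname instead.
"""
import sys
from pathlib import Path

# Fields whose disappearance leaves certmonger without a way to open the NSS
# database; the after-upgrade request in the thread lacks both of them and
# sits in NEWLY_ADDED_NEED_KEYINFO_READ_PIN until the pin is re-added.
PIN_FIELDS = ("key_pin_file", "key_pin", "key_token")

# Fields expected to differ between two valid copies of the same request.
DEFAULT_IGNORE = ("id", "cert", "key_pubkey", "key_pubkey_info")


def parse_request(text):
    """Parse one request file into a dict; the trailing PEM block under
    'cert=' spans several lines and is folded into a single value."""
    fields = {}
    lines = text.splitlines()
    for i, line in enumerate(lines):
        key, sep, value = line.partition("=")
        if not sep:
            continue
        if key == "cert":
            fields["cert"] = "\n".join([value] + lines[i + 1:])
            break
        fields[key] = value
    return fields


def identity(req):
    """Stable identity across re-creation: storage type, location, nickname."""
    return (req.get("key_storage_type"), req.get("key_storage_location"),
            req.get("key_nickname") or req.get("cert_nickname"))


def index(texts):
    return {identity(r): r for r in map(parse_request, texts)}


def compare_texts(before_texts, after_texts, ignore=DEFAULT_IGNORE):
    """Return {identity: {field: (old, new)}} for every changed field;
    a request that vanished is reported as ('present', 'missing')."""
    before, after = index(before_texts), index(after_texts)
    report = {}
    for ident, old in before.items():
        new = after.get(ident)
        if new is None:
            report[ident] = {"<request>": ("present", "missing")}
            continue
        diffs = {f: (old.get(f), new.get(f))
                 for f in sorted(set(old) | set(new))
                 if f not in ignore and old.get(f) != new.get(f)}
        if diffs:
            report[ident] = diffs
    return report


def lost_pin_info(diffs):
    """True when the newer request dropped a pin/token field entirely."""
    return any(f in diffs and diffs[f][1] is None for f in PIN_FIELDS)


def load_dir(path):
    """Read every request file in a saved copy of the requests directory."""
    return [p.read_text() for p in sorted(Path(path).iterdir()) if p.is_file()]


# Constructed sample input, trimmed from the two dumps quoted in the thread.
BEFORE = """id=20221202140756
key_type=RSA
key_size=2048
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
cert_token=NSS Certificate DB
cert_nickname=auditSigningCert cert-pki-ca
state=MONITORING
ca_name=IPA
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
"""
AFTER = """id=20221202175657
key_type=UNSPECIFIED
key_size=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
cert_nickname=auditSigningCert cert-pki-ca
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
ca_name=dogtag-ipa-ca-renew-agent
"""

if __name__ == "__main__":
    # Usage: script.py <saved-requests-before> <saved-requests-after>
    if len(sys.argv) == 3:
        rep = compare_texts(load_dir(sys.argv[1]), load_dir(sys.argv[2]))
    else:
        rep = compare_texts([BEFORE], [AFTER])
    for ident, diffs in rep.items():
        flag = "  LOST PIN/TOKEN INFO" if lost_pin_info(diffs) else ""
        print(f"{ident[1]}:{ident[2]}{flag}")
        for field, (old, new) in diffs.items():
            print(f"  {field}: {old!r} -> {new!r}")
```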