On 1/14/20 11:41 PM, Ferdinand Babas via FreeIPA-users wrote:
Agreed, any date between June 1 and June 4 should be ok.
ipaCert is the most important cert to renew and should be handled first.
The man page for getcert-list explains this error as:
NEED_CSR_GEN_TOKEN
    The service was unable to find the token in which the key pair is supposed to be stored.
So I would check if /etc/httpd/alias has the right permissions, if /etc/httpd/alias/pwdfile.txt contains the password for /etc/httpd/alias and has the right permissions.
On a RHEL 7.2 system I can see:
[root ~]# ls -ld /etc/httpd/alias/
drwxr-xr-x. 2 root root 4096 Jan 15 10:48 /etc/httpd/alias/
[root ~]# ls -l /etc/httpd/alias/
total 188
-r--r--r--. 1 root root 1427 Jan 15 10:48 cacert.asc
-r--r--r--. 1 root root 1427 Jan 13 14:19 cacert.asc.orig
-rw-rw----. 1 root apache 65536 Jan 15 10:49 cert8.db
-rw-rw----. 1 root apache 65536 Jan 13 14:27 cert8.db.orig
-rw-------. 1 root root 5872 Nov 16 2018 install.log
-rw-rw----. 1 root apache 16384 Jan 15 10:49 key3.db
-rw-rw----. 1 root apache 16384 Jan 13 14:27 key3.db.orig
-r--r-----. 1 root apache 3481 Jan 15 10:47 kra-agent.pem
lrwxrwxrwx. 1 root root 33 Nov 16 2018 libnssckbi.so -> ../../..//usr/lib64/libnssckbi.so
-rw-rw----. 1 root apache 20 Jan 15 10:47 pwdfile.txt
-rw-rw----. 1 root apache 20 Jan 13 14:18 pwdfile.txt.orig
-rw-rw----. 1 root apache 16384 Jan 15 10:47 secmod.db
-rw-rw----. 1 root apache 16384 Jan 13 14:18 secmod.db.orig
And to check the password:
[root@ ~]# certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 1b212c867ebde61fdc295ecd63ef690cd93fc783 NSS Certificate DB:ipaCert
< 1> rsa da7a2b61ed951d1cfff1309534a3232258da9487 NSS Certificate DB:Signing-Cert
< 2> rsa e5fdd7ec9d8daa97566695ac562fb1697a811401 NSS Certificate DB:Server-Cert
(if the password file is wrong, you will see: Incorrect password/PIN entered)
flo
Hi flo,
Everything looks okay as far as permissions, but when I run the certutil -K -d /etc/httpd/alias/ -f /etc/httpd/alias/pwdfile.txt command I get the following:
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 0fa7d5a5d032d3d9bb0845425b4ce4c3588c5eba NSS Certificate DB:Server-Cert
ipaCert is missing from the output, but it is there when I run certutil -L -d /etc/httpd/alias/:
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
LOCAL IPA CA                                                 CT,C,C
ipaCert                                                      ,,
It is missing the trust attributes though? How would I resolve that?
Thanks,
Ferdinand
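As an added example (not part of this thread and not FreeIPA's or certmonger's own tooling), the following POSIX shell script automates the comparison flo describes: it parses the output of certutil -L (certificates) and certutil -K (private keys) for one NSS database and reports every non-CA certificate nickname that has no private key behind it, which is exactly what Ferdinand's output shows for ipaCert. The sample outputs embedded in the script are constructed from the listings in this thread; the NSS directory and password-file paths are the thread's, and the script structure and function names are my assumptions.

```shell
#!/bin/sh
# Added example: correlate `certutil -L` (certificates) with `certutil -K`
# (private keys) for one NSS database and report certificates whose key is
# missing. Output parsing assumes the formats shown in the thread.
# Usage: nss_key_audit.sh [NSSDIR [PWDFILE]]   (assumed script name)
# With no arguments it runs against the constructed sample output below.

tab=$(printf '\t')

# Print "<nickname><TAB><trust flags>" for every certificate in `certutil -L`
# output ($1), skipping the two header lines and blank lines.
list_cert_entries() {
    printf '%s\n' "$1" | awk '
        /^Certificate Nickname/       { next }
        /^[ \t]*SSL,S\/MIME,JAR\/XPI/ { next }
        NF == 0                       { next }
        { trust = $NF; sub(/[ \t]+[^ \t]*$/, ""); print $0 "\t" trust }'
}

# Print the nickname of every private key in `certutil -K` output ($1).
# Key lines look like "< 0> rsa <keyid>   NSS Certificate DB:<nickname>":
# the token name precedes the colon, the nickname follows it.
list_key_nicknames() {
    printf '%s\n' "$1" |
        sed -n 's/^< *[0-9][0-9]*> *[a-z]* *[0-9a-f]* *[^:]*:\(.*\)$/\1/p'
}

# Return 0 if nickname $2 has a private key in `certutil -K` output $1.
has_private_key() {
    list_key_nicknames "$1" | grep -qxF -- "$2"
}

# Print each certificate nickname from -L output $1 that has no key in -K
# output $2. CA trust anchors (trust flags containing C or T) normally carry
# no private key in the web server's database, so they are skipped.
certs_without_keys() {
    keys=$(list_key_nicknames "$2")
    list_cert_entries "$1" | while IFS=$tab read -r nick trust; do
        case "$trust" in
            *C*|*T*) continue ;;
        esac
        printf '%s\n' "$keys" | grep -qxF -- "$nick" || printf '%s\n' "$nick"
    done
}

# Constructed sample output, modelled on the listings in the thread.
SAMPLE_L='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
LOCAL IPA CA                                                 CT,C,C
ipaCert                                                      ,,'
SAMPLE_K='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa 0fa7d5a5d032d3d9bb0845425b4ce4c3588c5eba   NSS Certificate DB:Server-Cert'

# Run the check against a real database when a directory is given and
# certutil is installed; otherwise run it against the constructed sample.
# Returns 1 when at least one non-CA certificate lacks its private key.
audit() {
    if [ $# -ge 1 ] && command -v certutil >/dev/null 2>&1; then
        nssdir=$1
        pwdfile=${2:-$1/pwdfile.txt}
        l_out=$(certutil -L -d "$nssdir") || return 1
        # A wrong password file makes -K fail with "Incorrect password/PIN entered".
        k_out=$(certutil -K -d "$nssdir" -f "$pwdfile") || {
            echo "certutil -K failed: check $pwdfile and its permissions" >&2
            return 1
        }
    else
        l_out=$SAMPLE_L
        k_out=$SAMPLE_K
    fi
    missing=$(certs_without_keys "$l_out" "$k_out")
    if [ -n "$missing" ]; then
        printf 'certificate without private key: %s\n' "$missing"
        return 1
    fi
    echo "every non-CA certificate has a matching private key"
}

audit "$@" || echo "audit found problems" >&2
```

Run it with no arguments to see the sample case from the thread flagged (ipaCert), or with the NSS directory (and optionally the password file) to audit a live database; a non-zero exit status means a certificate is present without its key or the password file could not unlock the database.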