Could it be that this error already existed since we started? Notice
the Request ID of 2016..., and the expires: 2018-10-24.
# getcert list -n ipaCert | sed blabla
Number of certificates and requests being tracked: 8.
Request ID '20161103094546':
status: CA_UNREACHABLE
ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
stuck: no
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MYDOMAIN
subject: CN=IPA RA,O=MYDOMAIN
expires: 2018-10-24 08:45:40 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
In other words, is this the same issue as
https://pagure.io/freeipa/issue/7422 ?
On 25-10-18 09:56, Kees Bakker via FreeIPA-users wrote:
Hi,
We have had FreeIPA running on Ubuntu 16.04 for about two years
now. For the last few days we have been seeing these messages in the log:
Oct 22 17:32:14 ipasrv certmonger[1813]: 2018-10-22 17:32:14 [1813] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 22 17:32:20 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Where should I start looking to recover from this?