new freeipa(4.3) client ipa-replica-install unsuccessful

root@fs-hiido-ipa-ca-64-252:/var/lib/certmonger/requests# cat 20220607091036
id=20220607091036
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/dirsrv/slapd-YYDEVOPS-COM
key_token=NSS Certificate DB
key_nickname=Server-Cert
key_pin_file=/etc/dirsrv/slapd-YYDEVOPS-COM//pwdfile.txt
key_perms=0
key_generated_date=20220607091036
key_requested_count=1
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/dirsrv/slapd-YYDEVOPS-COM
cert_nickname=Server-Cert
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject=fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com
template_principal=ldap/fs-hiido-ipa-ca-64-252.hiido.host.yydevops.com@YYDEVOPS.COM
template_is_ca=0
template_ca_path_length=0
template_no_ocsp_check=0
state=CA_UNREACHABLE
autorenew=1
monitor=1
ca_name=IPA
submitted=20220607091038
ca_error=Server at https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com:443/ca/eeca/ca/...': (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
Tested several servers and they are the same; it should be a CA expired problem. What do I need to do to replicate this situation?
rui liang via FreeIPA-users wrote:
Tested several servers and they are the same; it should be a CA expired problem. What do I need to do to replicate this situation?
You need to get your CA working again. Standing up a replica requires certificates and if your CA isn't up there is nothing to issue them.
rob
I copied the work on the master node of the valid CA. Now the problem should be how to modify the child certificate outside the CA. CA certificate will not expire after 20 years by default, other certificates will expire after 2 years by default, if not renewed. I feel like I have all the access to this server. Why is it so hard to change the expiration date? Shouldn't let me set the system time, this is a high risk solution, huh? Or did I not find the correct modification document?

There is no problem with the CA; the local operation of IPA-related commands is normal.

root@fs-hiido-kerberos-21-117-149:/home/liangrui# getcert list | grep -E 'key pair storage|status|expires|principal'
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:07 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:06 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:07 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2039-09-10 11:23:06 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
expires: 2021-08-30 11:23:25 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:06 UTC
status: MONITORING
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
expires: 2023-08-14 11:24:24 UTC
principal name: ldap/fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com@YYDEVOPS.COM
status: MONITORING
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
expires: 2023-08-14 11:26:13 UTC
principal name: HTTP/fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com@YYDEVOPS.COM
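Added example, not part of the original thread: a small Python triage of the filtered `getcert list` output quoted above, separating certificates that have already expired from ones that are still valid but whose tracking request is stuck. The sample is four of the tracking requests from the post; the function names, verdict labels and the reference date (the day of the failed request) are assumptions of this example.

```python
import re
from datetime import datetime, timezone

# Four of the tracking requests from the `getcert list | grep` output in the post.
SAMPLE = """\
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2021-08-30 11:23:07 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
expires: 2039-09-10 11:23:06 UTC
status: CA_UNREACHABLE
key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
expires: 2021-08-30 11:23:25 UTC
status: MONITORING
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
expires: 2023-08-14 11:24:24 UTC
principal name: ldap/fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com@YYDEVOPS.COM
"""

STORAGE = re.compile(r"location='([^']*)',nickname='([^']*)'")


def parse_requests(text):
    """Split filtered getcert output into one dict per tracking request."""
    requests = []
    for line in text.splitlines():
        key, sep, value = line.strip().partition(":")
        value = value.strip()
        if not sep:
            continue
        if key == "status":  # a status line opens each request
            requests.append({"status": value, "label": "?", "expires": None})
        elif not requests:
            continue  # stray line before the first status line
        elif key == "key pair storage":
            m = STORAGE.search(value)
            if m:  # the same nickname exists in several NSS DBs, so keep the path
                requests[-1]["label"] = f"{m.group(1)}:{m.group(2)}"
        elif key == "expires":
            requests[-1]["expires"] = datetime.strptime(
                value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
    return requests


def triage(requests, now):
    """Map each request label to EXPIRED, NO_CERT, VALID_BUT_STUCK or OK."""
    verdicts = {}
    for req in requests:
        if req["expires"] is None:
            verdict = "NO_CERT"  # nothing issued yet, e.g. a new replica's request
        elif req["expires"] <= now:
            verdict = "EXPIRED"
        elif req["status"] != "MONITORING":
            verdict = "VALID_BUT_STUCK"  # renewal is failing but the cert still works
        else:
            verdict = "OK"
        verdicts[req["label"]] = verdict
    return verdicts


if __name__ == "__main__":
    # Assumed reference time: the day of the failed request in the post.
    now = datetime(2022, 6, 7, tzinfo=timezone.utc)
    for label, verdict in triage(parse_requests(SAMPLE), now).items():
        print(f"{verdict:16} {label}")
```

On this sample the subsystem certificate and ipaCert come out as expired, while the CA signing certificate is still valid and only its tracking request is stuck.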
https://frasertweedale.github.io/blog-redhat/posts/2019-05-24-ipa-cert-fix.h...

What does ipa-cert-fix do? In brief, the steps performed by ipa-cert-fix are:

1. Inspect deployment to work out which certificates need renewing. This includes both Dogtag system certificates, FreeIPA-specific certificates (HTTP, LDAP, KDC and IPA RA).
2. Print intentions and await operator confirmation.
3. Invoke pki-server cert-fix to renew expired certificates, including FreeIPA-specific certificates.
4. Install renewed FreeIPA-specific certificates to their respective locations.
5. If any shared certificates were renewed (Dogtag system certificates excluding HTTP, and IPA RA), import them to the LDAP ca_renewal subtree and set the caRenewalMaster configuration to be the current server. This allows CA replicas to pick up the renewed shared certificates.
6. Restart FreeIPA (ipactl restart).

This feature was released after version 4.6, so it can be handled manually in earlier versions, right? But what exactly is going on in this one, does anybody know?
rui liang via FreeIPA-users wrote:
This feature was released after version 4.6, so it can be handled manually in earlier versions, right? But what exactly is going on in this one, does anybody know?
ipa-cert-fix is a wrapper around pki-server cert-fix. This allows for offline certificate renewal and was created to aid in situations exactly like this. It does not exist for prior versions of IPA and I'm not aware of a manual way to do the same thing other than the previous suggestions.
rob