I noticed that a certificate request on a CentOS 8 server (running ipa-server 4.8.0-13.module_el8.1.0+265+e1e65be4) got stuck:
Request ID '20200123083218':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
    subject: CN=ipa2.ipa.example.com,O=IPA.EXAMPLE.COM
    expires: 2021-12-19 18:32:27 UTC
    dns: ipa2.ipa.example.com
    principal name: HTTP/ipa2.ipa.example.com@IPA.EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
I was able to fix this with the following command:
# ipa-getcert start-tracking -i 20200123083218 -p /var/lib/ipa/passwds/ipa2.ipa.example.com-443-RSA
Hopefully someone else will find that useful.
(Thanks to Rob for his advice in [0]; the command I used modified the existing request without having to delete and re-create it from scratch.)
[0] https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
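
A way to spot requests in this state before a certificate lapses, as an added example that is not part of the original post: it parses text in the layout of the output quoted above and reports requests marked stuck. The function names and the second sample request are hypothetical, and the sample input is constructed.

```shell
#!/bin/sh
# Constructed sample in the layout of `getcert list` output. The first
# request mirrors the post; the second is made up for contrast.
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20200123083218':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key'
    track: yes
Request ID '20200123083300':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/example/service.key'
    track: yes
EOF
}

# Reads `getcert list` text on stdin and prints one line per stuck request:
#   <request id> <status> <key file>
stuck_requests() {
    awk -v q="'" '
        function emit() { if (id != "" && stuck == "yes") print id, status, key }
        /^Request ID / {
            emit()                              # close the previous record
            id = $3; gsub("[" q ":]", "", id)   # strip quotes and colon
            status = ""; stuck = ""; key = ""
            next
        }
        { sub(/^[ \t]+/, "") }                  # drop field indentation
        /^status: / { status = $2 }
        /^stuck: /  { stuck = $2 }
        /^key pair storage: / {
            key = $0
            sub(".*location=" q, "", key); sub(q ".*", "", key)
        }
        END { emit() }
    '
}

# IDs of stuck requests waiting on a key PIN, the state the post fixed by
# passing a PIN file with -p.
needs_pin() {
    stuck_requests | awk '$2 ~ /NEED_KEYINFO_READ_PIN$/ { print $1 }'
}

# Demo on the sample; on a real host: getcert list | stuck_requests
sample_getcert_output | stuck_requests
```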