Hi Jochen and thanks for your reply.
My knowledge of CA is not much, so I will try to follow as much as I can.
The only error I don't know whether it is OK to be there is the kra error
mentioned in the logs.
What I did was compare the files in the request directory before and
after the upgrade with the 4 certs in stuck state, and the files were the
same.
I then removed the files in the directory and ran the upgrade again,
which created new files and the new 4 certs again in stuck state.
At last, I fixed the certs and ran the upgrade again.
Here are the fixed certs, dir content, etc. for the last try:
A couple of comments.
I don't recommend directly removing the certmonger tracking files unless
you do it with certmonger stopped. It retains a copy in memory while
running.
certmonger tracking has nothing to do with the CA state. A bad tracking
request can prevent renewal but it won't affect operations of the CA
unless the failure to renew allows the certificates to expire which is
not true in this case.
You should shift focus to the CA debug log to see where the first
failure(s) occur during startup. That is most likely to tell you what is
going on.
rob
getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221202140756':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate
DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=CA Audit,O=TNU.COM.UY
issued: 2021-11-09 15:11:14 -03
expires: 2023-10-30 15:11:14 -03
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140757':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS
Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=OCSP Subsystem,O=TNU.COM.UY
issued: 2021-11-09 15:12:03 -03
expires: 2023-10-30 15:12:03 -03
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140758':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate
DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=CA Subsystem,O=TNU.COM.UY
issued: 2021-11-09 15:11:13 -03
expires: 2023-10-30 15:11:13 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140759':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate
DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=Certificate Authority,O=TNU.COM.UY
issued: 2022-08-26 14:25:16 -03
expires: 2042-08-26 14:25:16 -03
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140800':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-01 22:56:02 -03
expires: 2023-11-21 22:56:02 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202140801':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=IPA RA,O=TNU.COM.UY
issued: 2021-11-09 15:12:27 -03
expires: 2023-10-30 15:12:27 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221202140802':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221202140803':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
# ll /var/lib/certmonger/requests
total 64
-rw------- 1 root root 4598 Dec 2 11:27 20221202140756
-rw------- 1 root root 4785 Dec 2 11:27 20221202140757
-rw------- 1 root root 4798 Dec 2 11:27 20221202140758
-rw------- 1 root root 4851 Dec 2 11:27 20221202140759
-rw------- 1 root root 4983 Dec 2 11:08 20221202140800
-rw------- 1 root root 4610 Dec 2 11:08 20221202140801
-rw------- 1 root root 5373 Dec 2 11:08 20221202140802
-rw------- 1 root root 5272 Dec 2 11:08 20221202140803
# cat req_temp/requests/20221202140756
id=20221202140756
key_type=RSA
key_gen_type=RSA
key_size=2048
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
key_perms=0
key_pubkey=3082010A0282010100ED7F292C336E1F03C6BBE7A5EC8AE21FCE742A8561FD7EC8F81C5645C1ACD110EAF0B0346D4E85ECB14EDA5E7C6EFB061A7321B3C06A48307C81CEB1D9519217A51A528246248B342E0E5EEB1D6115EED86B1836EE2F2D93926D9CC4550CA92868276E2AE46A5416F3E53A717AC376DB6FBD3EAEDBF9F3CA50C208472976F4D4A8761D948C8C85A23155EE06BA4A1C60BE2816D24D399D4C161CB29D625A8F674D54E7BF0A72D6D281F0DE5C09F4FCB98CA1F0958DD782CF7802779F052F2A9D9CB6A18FDA113A9D2782BB6431CFCE4F95DF0E378E3C24DC8E227F459F7AE9046C0577F073B1D9267CAD5540681EB58E4A3E78C67CDB9D7D1A7696284A9F92190203010001
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_token=NSS Certificate DB
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_issuer_der=303531133011060355040A0C0A544E552E434F4D2E5559311E301C06035504030C15436572746966696361746520417574686F72697479
cert_issuer=CN=Certificate Authority,O=TNU.COM.UY
cert_serial=14
cert_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
cert_subject=CN=CA Audit,O=TNU.COM.UY
cert_not_before=20211109181114
cert_not_after=20231030181114
cert_ku=11
cert_is_ca=0
cert_ca_path_length=-1
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
template_subject=CN=CA Audit,O=TNU.COM.UY
template_ku=11
template_is_ca=0
template_ca_path_length=-1
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=MONITORING
autorenew=1
monitor=1
ca_name=IPA
submitted=19700101000000
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
# ipa-server-upgrade
Upgrading IPA:. Estimated time: 1 minute 30 seconds
[1/11]: stopping directory server
[2/11]: saving configuration
[3/11]: disabling listeners
[4/11]: enabling DS global lock
[5/11]: disabling Schema Compat
[6/11]: starting directory server
[7/11]: updating schema
[8/11]: upgrading server
Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
to perform: Entry and attributes are managed by topology plugin.No
direct modifications allowed.
Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
unwilling to perform: Entry and attributes are managed by topology
plugin.No direct modifications allowed.
[9/11]: stopping directory server
[10/11]: restoring configuration
[11/11]: starting directory server
Done.
Update complete
Upgrading IPA services
Upgrading the configuration of the IPA services
Disabled p11-kit-proxy
[Verifying that root certificate is published]
[Migrate CRL publish directory]
CRL tree already moved
[Verifying that KDC configuration is using ipa-kdb backend]
[Fix DS schema file syntax]
Syntax already fixed
[Removing RA cert from DS NSS database]
RA cert already removed
[Enable sidgen and extdom plugins by default]
[Updating HTTPD service IPA configuration]
[Updating HTTPD service IPA WSGI configuration]
Nothing to do for configure_httpd_wsgi_conf
[Migrating from mod_nss to mod_ssl]
Already migrated to mod_ssl
[Moving HTTPD service keytab to gssproxy]
[Removing self-signed CA]
[Removing Dogtag 9 CA]
[Checking for deprecated KDC configuration files]
[Checking for deprecated backups of Samba configuration files]
dnssec-validation yes
[Add missing CA DNS records]
IPA CA DNS records already processed
named user config '/etc/named/ipa-ext.conf' already exists
named user config '/etc/named/ipa-options-ext.conf' already exists
named user config '/etc/named/ipa-logging-ext.conf' already exists
[Upgrading CA schema]
CA schema update complete
[Update certmonger certificate renewal configuration]
Missing or incorrect tracking request for certificates:
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
[Enable PKIX certificate path discovery and validation]
PKIX already enabled
[Authorizing RA Agent to modify profiles]
[Authorizing RA Agent to manage lightweight CAs]
[Ensuring Lightweight CAs container exists in Dogtag database]
[Adding default OCSP URI configuration]
[Disabling cert publishing]
pki-tomcat configuration changed, restart pki-tomcat
[Ensuring CA is using LDAPProfileSubsystem]
[Migrating certificate profiles to LDAP]
Migrating profile 'acmeServerCert'
IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
command ipa-server-upgrade manually.
Unexpected error - see /var/log/ipaupgrade.log for details:
NetworkError: cannot connect to
'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
more information
# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20200110015908':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:59:28 -03
expires: 2023-12-13 22:59:28 -03
principal name: krbtgt/TNU.COM.UY@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
Request ID '20221202175657':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175658':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175659':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175700':
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca'
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca'
CA: dogtag-ipa-ca-renew-agent
issuer:
subject:
issued: unknown
expires: unknown
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175701':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-01 22:56:02 -03
expires: 2023-11-21 22:56:02 -03
dns: dc2.tnu.com.uy
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20221202175702':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=IPA RA,O=TNU.COM.UY
issued: 2021-11-09 15:12:27 -03
expires: 2023-10-30 15:12:27 -03
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20221202175703':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:10 -03
expires: 2023-12-13 22:53:10 -03
dns: dc2.tnu.com.uy
principal name: ldap/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
track: yes
auto-renew: yes
Request ID '20221202175704':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=TNU.COM.UY
subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
issued: 2021-12-12 22:53:26 -03
expires: 2023-12-13 22:53:26 -03
dns: dc2.tnu.com.uy
principal name: HTTP/dc2.tnu.com.uy@TNU.COM.UY
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
# ll /var/lib/certmonger/requests
total 48
-rw------- 1 root root 1029 Dec 2 14:56 20221202175658
-rw------- 1 root root 1021 Dec 2 14:57 20221202175658-1
-rw------- 1 root root 1020 Dec 2 14:57 20221202175659
-rw------- 1 root root 1013 Dec 2 14:57 20221202175700
-rw------- 1 root root 4983 Dec 2 14:57 20221202175701
-rw------- 1 root root 4610 Dec 2 14:57 20221202175702
-rw------- 1 root root 5373 Dec 2 14:57 20221202175703
-rw------- 1 root root 5272 Dec 2 14:57 20221202175704
cat /var/lib/certmonger/requests/20221202175658
id=20221202175657
key_type=UNSPECIFIED
key_gen_type=RSA
key_size=0
key_gen_size=2048
key_next_type=UNSPECIFIED
key_next_gen_type=RSA
key_next_size=0
key_next_gen_size=2048
key_preserve=0
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
key_perms=0
key_requested_count=0
key_issued_count=0
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
cert_perms=0
cert_is_ca=0
cert_ca_path_length=0
cert_no_ocsp_check=0
last_need_notify_check=19700101000000
last_need_enroll_check=19700101000000
template_is_ca=0
template_ca_path_length=0
template_profile=caSignedLogCert
template_no_ocsp_check=0
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
autorenew=1
monitor=1
ca_name=dogtag-ipa-ca-renew-agent
submitted=19700101000000
pre_certsave_command=/usr/libexec/ipa/certmonger/stop_pkicad
pre_certsave_uid=0
post_certsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
post_certsave_uid=0
UPGRADELOG:
2022-11-30T16:03:16Z DEBUG stderr=
2022-11-30T16:03:16Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:16Z DEBUG Starting external process
2022-11-30T16:03:16Z DEBUG args=['pki-server', 'subsystem-show',
'kra']
2022-11-30T16:03:17Z DEBUG Process finished, return code=1
2022-11-30T16:03:17Z DEBUG stdout=
2022-11-30T16:03:17Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
instance pki-tomcat.
2022-11-30T16:03:17Z INFO [Update certmonger certificate renewal
configuration]
2022-11-30T16:03:17Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d',
'sql:/etc/dirsrv/slapd-TNU-COM-UY/', '-L', '-n',
'Server-Cert', '-a',
'-f', '/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=-----BEGIN CERTIFICATE-----
Xxxx
-----END CERTIFICATE-----
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:17Z DEBUG Loading Index file from
'/var/lib/ipa/sysrestore/sysrestore.index'
2022-11-30T16:03:17Z DEBUG Starting external process
2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d',
'sql:/etc/pki/pki-tomcat/alias', '-L', '-f',
'/etc/pki/pki-tomcat/alias/pwdfile.txt']
2022-11-30T16:03:17Z DEBUG Process finished, return code=0
2022-11-30T16:03:17Z DEBUG stdout=
Certificate Nickname Trust
Attributes
SSL,S/MIME,JAR/XPI
subsystemCert cert-pki-ca u,u,u
auditSigningCert cert-pki-ca u,u,Pu
ocspSigningCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
caSigningCert cert-pki-ca CTu,Cu,Cu
TNU.COM.UY IPA CA CTu,Cu,Cu
TNU.COM.UY IPA CA CTu,Cu,Cu
2022-11-30T16:03:17Z DEBUG stderr=
2022-11-30T16:03:19Z INFO Missing or incorrect tracking request for
certificates:
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:auditSigningCert
cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:ocspSigningCert
cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:subsystemCert
cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:caSigningCert
cert-pki-ca
2022-11-30T16:03:19Z INFO /etc/pki/pki-tomcat/alias:Server-Cert
cert-pki-ca
2022-11-30T16:03:19Z INFO /var/lib/ipa/ra-agent.pem
2022-11-30T16:03:19Z INFO /var/lib/ipa/certs/httpd.crt
2022-11-30T16:03:19Z DEBUG Configuring certmonger to stop tracking
system certificates for CA
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active',
'dbus.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'start',
'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Starting external process
2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active',
'certmonger.service']
2022-11-30T16:03:19Z DEBUG Process finished, return code=0
2022-11-30T16:03:19Z DEBUG stdout=active
2022-11-30T16:03:19Z DEBUG stderr=
2022-11-30T16:03:19Z DEBUG Start of certmonger.service complete
2022-11-30T16:03:20Z DEBUG Starting external process
2022-11-30T16:03:20Z DEBUG args=['pki-server', 'subsystem-show',
'kra']
2022-11-30T16:03:20Z DEBUG Process finished, return code=1
2022-11-30T16:03:20Z DEBUG stdout=
2022-11-30T16:03:20Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
instance pki-tomcat.
> On 1 Dec 2022, at 20:14, Jochen Kellner <jochen@jochen.org> wrote:
>
> Juan Pablo Lorier via FreeIPA-users <freeipa-users@lists.fedorahosted.org> writes:
>
>> Hi Rob,
>>
>> All dates are good once I add the pin manually. The only problem is
>> the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run
>> the updater. I don’t know what is not right with the certs. Maybe you
>> can point me in a direction to look at the logs. Let me share the
>> getcert list once I manually fixed the pin:
>
> Can you perhaps compare the requests for one certificate before and
> after the upgrade? The requests are stored in
> /var/lib/certmonger/requests. Let's focus on one certificate first,
> for example:
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca'
>
> I'd try something like that:
> - save /var/lib/certmonger/requests somewhere
> - try the upgrade once again
> - save /var/lib/certmonger/requests again, somewhere else
> - compare and see what the differences really are
>
> Depending on the differences - and needs some creative thinking:
> - reset the system to the state before the upgrade
> - stop certmonger
> - replace /var/lib/certmonger/requests with the second copy (from after
> the upgrade)
> - We need to get certmonger and ipa-server-upgrade to be happy with these
> requests, so the requests don't get changed during the next upgrade.
>
> I've had a look at the logs of the last ipaupgrade.log. For each
> certificate I see:
> 2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal
> configuration]
> ...
> 2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration
> already up-to-date
>
> I guess the second line for you says something like "...config
> updated". We need to see, if the lines between have some clues for us.
>
> In a post upthread you posted the console output:
> Missing or incorrect tracking request for certificates:
> /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
> Certmonger certificate renewal configuration updated
>
> Also upthread you posted:
>>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in
>>>>>> LDAP and
>>>>>> enabled; skipping
>>>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>>>> 2022-11-30T16:07:49Z DEBUG request GET
>>>>>> https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>>>> Traceback (most recent call last):
>>>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
>
> In my upgrade log this is after updating/checking the certmonger
> requests. So my guess is there's something strange with your
> configuration in /var/lib/certmonger/requests.
>
> So, can you provide more of your ipaupgrade.log where the certmonger
> requests are checked/updated and one request before/after?
>
> Jochen
>
> --
> This space is intentionally left blank.
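The before/after comparison of /var/lib/certmonger/requests that Jochen suggests, as an added example that is not from this thread or from the FreeIPA project: it parses request files, matches them by the certificate they track (the request IDs change across the upgrade, as the two listings above show) and reports which fields changed or vanished, flagging a dropped PIN source because that is what the NEWLY_ADDED_NEED_KEYINFO_READ_PIN state asks for. All function names are the example's own, and the two sample files are constructed, trimmed from the two dumps posted in the thread.

```python
# Added example (not from the thread): diff two saved copies of the certmonger
# requests directory (before/after ipa-server-upgrade), matching files by the
# certificate they track, not by request ID (20221202140756 became 20221202175657).
import os
import re

KEY_RE = re.compile(r"^([A-Za-z_][A-Za-z0-9_]*)=(.*)$")
# Bookkeeping fields that legitimately differ between two copies.
IGNORE = {"id", "last_need_notify_check", "last_need_enroll_check", "submitted"}
# Without a PIN source and token name certmonger cannot read the key in the
# NSS DB; that is what NEWLY_ADDED_NEED_KEYINFO_READ_PIN means.
PIN_KEYS = ("key_pin_file", "key_pin", "key_token")

def parse_request(text):
    """Parse certmonger's key=value format; continuation lines (a wrapped command
    argument or the base64 body of a PEM 'cert=' value) extend the previous key."""
    fields, last, in_pem = {}, None, False
    for line in text.splitlines():
        m = None if in_pem else KEY_RE.match(line)
        if m:
            last, value = m.group(1), m.group(2)
            fields[last] = value
            in_pem = value.startswith("-----BEGIN ")
        elif last is not None:
            fields[last] += "\n" + line
            if line.startswith("-----END "):
                in_pem = False
    return fields

def tracked_cert(fields):
    """Identity in the 'location:nickname' form ipa-server-upgrade prints."""
    loc, nick = fields.get("cert_storage_location", ""), fields.get("cert_nickname")
    return f"{loc}:{nick}" if nick else loc

def diff_requests(before, after):
    """{field: (before, after)} for differing fields; None = absent on that side."""
    return {k: (before.get(k), after.get(k))
            for k in sorted((set(before) | set(after)) - IGNORE)
            if before.get(k) != after.get(k)}

def lost_pin_source(diffs):
    """True when the post-upgrade request dropped a PIN or token field."""
    return any(k in diffs and diffs[k][1] is None for k in PIN_KEYS)

def compare_copies(before_files, after_files):
    """Diff two lists of request-file contents keyed by tracked certificate;
    None means the certificate is tracked on one side only."""
    before = {tracked_cert(f): f for f in map(parse_request, before_files)}
    after = {tracked_cert(f): f for f in map(parse_request, after_files)}
    return {c: diff_requests(before[c], after[c]) if c in before and c in after
            else None for c in sorted(set(before) | set(after))}

def read_dir(directory):
    """Contents of every file in a saved copy of the requests directory."""
    texts = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8") as fh:
                texts.append(fh.read())
    return texts

# Constructed samples, trimmed from the thread's two dumps (long values shortened).
BEFORE = """id=20221202140756
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
state=MONITORING
ca_name=IPA
cert=-----BEGIN CERTIFICATE-----
MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
-----END CERTIFICATE-----
"""
AFTER = """id=20221202175657
key_nickname=auditSigningCert cert-pki-ca
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
ca_name=dogtag-ipa-ca-renew-agent
post_certsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
"""
```

On a real host, run compare_copies(read_dir(before_copy), read_dir(after_copy)) on the two saved copies with certmonger stopped while the copies are taken; a None entry means a certificate is tracked in only one copy.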