Hi Rob,
I do manually add the pin and they get in MONITORING state, but the IPA server is not
consistent because the upgrade never completes.
If I try to run the upgrade, the process renews the certs and they go back to stuck state.
Look at the upgrade output I sent and then you can see that those certs get into stuck
because of the missing pin:
> [Update certmonger certificate renewal configuration]
> Missing or incorrect tracking request for certificates:
> /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
> Certmonger certificate renewal configuration updated
> El 1 dic. 2022, a las 13:52, Rob Crittenden <rcritten(a)redhat.com> escribió:
>
> Juan Pablo Lorier wrote:
>> Ok, I fixed the certs following other ticket but using the pin file
>> pointed in the link you sent me.
>> Result:
>>
>> ipa-getcert start-tracking -i 20221201163932 -p
>> /etc/pki/pki-tomcat/alias/pwdfile.txt
>
> I don't know what request 20221201163932 is but you need to add the pin
> file to all of the CA-related trackers.
>
> rob
>
>>
>> But it seems that the spa-server-upgrade brakes them again:
>>
>> named user config '/etc/named/ipa-ext.conf' already exists
>> named user config '/etc/named/ipa-options-ext.conf' already exists
>> named user config '/etc/named/ipa-logging-ext.conf' already exists
>> [Upgrading CA schema]
>> CA schema update complete
> [Update certmonger certificate renewal configuration]
> Missing or incorrect tracking request for certificates:
> /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
> /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
> Certmonger certificate renewal configuration updated
>> [Enable PKIX
certificate path discovery and validation]
>> PKIX already enabled
>> [Authorizing RA Agent to modify profiles]
>> [Authorizing RA Agent to manage lightweight CAs]
>> [Ensuring Lightweight CAs container exists in Dogtag database]
>> [Adding default OCSP URI configuration]
>> [Disabling cert publishing]
>> pki-tomcat configuration changed, restart pki-tomcat
>> [Ensuring CA is using LDAPProfileSubsystem]
>> [Migrating certificate profiles to LDAP]
>> Migrating profile 'acmeServerCert'
>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>> command ipa-server-upgrade manually.
>> Unexpected error - see /var/log/ipaupgrade.log for details:
>> NetworkError: cannot connect to
>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>> more information
>>
>>
>>
>>
>>
>> Request ID '20221201164512':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca'
>> certificate:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caSignedLogCert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20221201164513':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca'
>> certificate:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caOCSPCert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20221201164514':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca'
>> certificate:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
>> cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caSubsystemCert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20221201164515':
>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>> stuck: yes
>> key pair storage:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca'
>> certificate:
>>
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
>> cert-pki-ca'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer:
>> subject:
>> issued: unknown
>> expires: unknown
>> profile: caCACert
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>> "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>>
>>> El 1 dic. 2022, a las 12:47, Juan Pablo Lorier <jplorier(a)gmail.com
>>> <mailto:jplorier@gmail.com <mailto:jplorier@gmail.com>>>
escribió:
>>>
>>> Thanks Jochen,
>>>
>>> I tried following the post but the getcert command is complaining
>>> about the syntax and I can’t find why. According to man page, the
>>> parameters are right.
>>>
>>> I also tried to remove the certs and run spa-server-upgrade but it
>>> generates new certs and fails at the same point (new certs are also
>>> pending pin information)
>>> It looks like I will need a way to unstuck those certs for the upgrade
>>> to continue.
>>> All suggestions are Wellcome :-)
>>> Regards
>>>
>>>> El 1 dic. 2022, a las 01:30, Jochen Kellner <jochen(a)jochen.org
<mailto:jochen@jochen.org>
>>>> <mailto:jochen@jochen.org <mailto:jochen@jochen.org>>>
escribió:
>>>>
>>>>
>>>> Hello Juan,
>>>>
>>>> Juan Pablo Lorier via FreeIPA-users
>>>> <freeipa-users(a)lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>
>>>> <mailto:freeipa-users@lists.fedorahosted.org
<mailto:freeipa-users@lists.fedorahosted.org>>> writes:
>>>>
>>>>> You are right, there are several certificates stuck in dc2:
>>>>>
>>>>> getcert list
>>>> ...
>>>>> Request ID '20221130160320':
>>>>> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>
>>>> My google-fu point to that comment in an issue:
>>>>
https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-65...
>>>> That has the commands to fix the issue.
>>>>
>>>> Another possibility should be to stop-tracking the certificates and run
>>>> ipa-server-upgrade which should restore the trackings. Right?
>>>>
>>>> Jochen
>>>>
>>>> --
>>>> This space is intentionally left blank.