Hi,

the CSR that you used is the one for the RA cert, not for "Server-Cert cert-pki-ca" (openssl req -noout -text shows Subject: O = RHELENT.LAN, CN = IPA RA).

It seems that 2 different repair procedures were mixed: go back in time and use ipa-cert-fix. With ipa-cert-fix you don't need to change the current time. In order to fix the issue, we need to have the full picture:
- what is the full output of getcert list (please include the "current" date on the system for us to know which certs are considered still valid)
- which node is the renewal master (ipa config-show | grep "IPA CA renewal master")

The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert list) is 20210601131824, meaning that the corresponding request file can be found with
# grep -l "id=20210601131824" /var/lib/certmonger/requests/*

If the request file doesn't already contain a CSR, it can be added using getcert resubmit -i <ID>.
flo
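An added check, not part of flo's reply nor of certmonger or FreeIPA: it reads a certmonger request file, joins the space-indented continuation lines of its csr= value, and walks the DER just far enough to compare the subject CN with the one you expect before that CSR goes into CS.cfg. The request-file contents, the unsigned CSR skeleton and the two-attribute OID table are constructed for this example.

```python
import base64
OID_NAMES = {bytes.fromhex("550403"): "CN", bytes.fromhex("55040a"): "O"}

def der(tag, body):  # minimal DER TLV encoder, lengths up to 65535
    n = len(body)
    return bytes([tag]) + (bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")) + body

def fake_csr(subject):  # constructed, unsigned CSR skeleton used only as sample data
    by_name = {v: k for k, v in OID_NAMES.items()}
    rdns = b"".join(der(0x31, der(0x30, der(0x06, by_name[a]) + der(0x0C, v.encode()))) for a, v in subject)
    cri = der(0x30, der(0x02, b"\x00") + der(0x30, rdns) + der(0x30, b"") + der(0xA0, b""))
    return der(0x30, cri + der(0x30, b"") + der(0x03, b"\x00"))

def tlv(buf, pos):  # decode one DER element at pos -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long-form length, which real CSRs use
        length, pos = int.from_bytes(buf[pos:pos + (length & 0x7F)], "big"), pos + (length & 0x7F)
    return tag, buf[pos:pos + length], pos + length

def children(body):  # elements of a constructed DER value -> [(tag, value), ...]
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = tlv(body, pos)
        out.append((tag, val))
    return out

def csr_subject(csr_der):  # CertificationRequest -> CertificationRequestInfo -> subject
    cri = children(tlv(csr_der, 0)[1])[0][1]
    subject = children(cri)[1][1]  # cri fields: version, subject, subjectPKInfo, attributes
    return [(OID_NAMES.get(oid, oid.hex()), val.decode()) for _, rdn in children(subject)
            for _, atv in children(rdn) for (_, oid), (_, val) in [children(atv)]]

def csr_from_request_file(text):  # csr= value of a certmonger request file, as DER
    b64, capture = [], False
    for line in text.splitlines():
        if line.startswith("csr="):
            capture, line = True, line[4:]
        elif capture and not line.startswith(" "):
            break  # continuation lines start with a space; anything else is the next key
        if capture and not line.strip().startswith("-----"):
            b64.append(line.strip())
    return base64.b64decode("".join(b64))

def csr_matches(request_text, expected_cn):  # is the stored CSR really for expected_cn?
    return ("CN", expected_cn) in csr_subject(csr_from_request_file(request_text))

# Constructed sample request file whose csr= is the RA cert's, like the grep output in the thread.
B64 = base64.b64encode(fake_csr([("O", "RHELENT.LAN"), ("CN", "IPA RA")])).decode()
SAMPLE_REQUEST = ("id=20210601131824\ncsr=-----BEGIN NEW CERTIFICATE REQUEST-----\n " + B64[:40]
                  + "\n " + B64[40:] + "\n -----END NEW CERTIFICATE REQUEST-----\nspkac=AAAA\n")
```

Running `csr_matches(open(path).read(), "freeipa.rhelent.lan")` on the real request file returns False when the stored CSR is the RA one, which is the mix-up flo describes.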

On Tue, Sep 14, 2021 at 10:12 PM Marc Boorshtein via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:


Looks like you're running into
https://bugzilla.redhat.com/show_bug.cgi?id=1780782

The fix wasn't backported to the ipa-4.6 branch.

Try retrieving the CSR from certmonger as suggested in the BZ.



I tried that, but no change:

# grep -A 19 csr  /var/lib/certmonger/requests/20210601131824
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 [base64 CSR body elided]
 -----END NEW CERTIFICATE REQUEST-----
spkac=[...]

Then, added

ca.cert.sslserver.certreq=[...]

to /etc/pki/pki-tomcat/ca/CS.cfg, then ran:

# ipa-cert-fix

                          WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA.  It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag sslserver certificate:
  Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
  Serial:  23
  Expires: 2021-06-08 16:53:15

IPA IPA RA certificate:
  Subject: CN=IPA RA,O=RHELENT.LAN
  Serial:  21
  Expires: 2021-06-08 16:52:45

Enter "yes" to proceed: yes
Proceeding.
Command 'pki-server cert-fix --ldapi-socket /var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver --extra-cert 21' returned non-zero exit status 1
The ipa-cert-fix command failed.
[root@freeipa ca]# pki-server cert-fix --ldapi-socket /var/run/slapd-RHELENT-LAN.socket --agent-uid ipara --cert sslserver --extra-cert 21
INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['sslserver']
INFO: Renewing the following additional certs: ['21']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Creating a temporary sslserver cert
INFO: Getting sslserver cert info for ca
INFO: Trying to create a new temp cert for sslserver.
INFO: Generate temp SSL certificate
INFO: Getting sslserver cert info for ca
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ERROR: Unable to find CSR for sslserver cert

thanks
Marc

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure