Ok, thanks for the clarification. I will create a brand new CA Master
and retire the older version.
On Fri, Sep 27, 2019 at 12:02 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>
> Satish Patel via FreeIPA-users wrote:
> > Can I upgrade my existing 4.4.x ldap-ca-master with the
> > "ipa-server-upgrade" command?
>
> No, update the distribution/packages so it is the same level as the
> other master(s).
>
> The IPA team recommends running all the IPA masters at the same level.
> There are sometimes subtle differences between different versions and,
> while they can interoperate ok, it isn't recommended to keep this type of
> configuration for too long.
>
> > Currently I have the following CA master versions:
> >
> > ldap-ca-master - 4.4.x (renewal master)
> > ldap-ca-replica - 4.6.x
> >
> > Or
> >
> > I can do one thing: create a fresh machine, make it one more CA
> > replica and destroy the older ldap-ca-master - 4.4.x
>
> That is certainly one way of achieving it.
>
> rob
>
> >
> >
> >
> >
> > On Fri, Sep 27, 2019 at 11:23 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>
> >> Satish Patel wrote:
> >>> Rob,
> >>>
> >>> Last question, when does certmonger renew all certificates automatically, I
> >>> meant before 24 hours ago? Just want to make sure it does, otherwise I
> >>> will be in trouble again :)
> >>
> >> It should. I'd work on upgrading all the masters to run the same version
> >> of IPA once you're sure things are working and you have a working second
> >> CA master.
> >>
> >> The renewal happens by default 28 days before expiration.
> >>
> >> Also be sure that one of the masters is defined as the CA renewal master
> >> in ipa config-show.
> >>
> >> rob
> >>
> >>>
> >>> Done, I did that change and restarted httpd. I believe now all my issues
> >>> have been fixed. Thank you so much for your support.
> >>>
> >>> [root@ldap-ca-master conf.d]# grep "NSSNickname" /etc/httpd/conf.d/nss.conf
> >>> NSSNickname Server-Cert
> >>>
> >>> On Fri, Sep 27, 2019 at 8:41 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>>>
> >>>> Satish Patel wrote:
> >>>>> Rob,
> >>>>>
> >>>>> As you suggested I did the following (it required a password so I used -P <PIN>)
> >>>>>
> >>>>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/ldap-ca-master.example.com -C /usr/libexec/ipa/certmonger/restart_httpd -D ldap-ca-master.example.com -P 9e8c1a9447d56236733f
> >>>>>
> >>>>> # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/ldap-ca-master.example.com -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM" -D ldap-ca-master.example.com -P 013fcd26f4dfa18c4d1bcaac0dbac44f3ad75698
> >>>>>
> >>>>>
> >>>>> # certutil -V -u V -d /etc/httpd/alias -n Server-Cert
> >>>>> certutil: certificate is valid
> >>>>> # certutil -V -u V -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert
> >>>>> certutil: certificate is valid
> >>>>>
> >>>>>> If so then you can swap the config to use them. Edit
> >>>>>> /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with
> >>>>>> Server-Cert and restart httpd
> >>>>>
> >>>>> Do I need to edit the above nss.conf file?
> >>>>>
> >>>>> Currently I have the following NSSNickname in the file.
> >>>>>
> >>>>> # grep "NSSNickname" /etc/httpd/conf.d/nss.conf
> >>>>> NSSNickname "CN=*.foo.example.com,OU=Domain Control Validated"
> >>>>
> >>>> Yes.
> >>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> Here is the full output of getcert list (Do you think it's looking
> >>>>> good? I compared with the Replica and I can see the Master has 2 fewer certs
> >>>>> compared to the Replica; hope that is ok)
> >>>>
> >>>> Due to the difference in versions of IPA. This looks ok for a version
> >>>> 4.4.x master.
> >>>>
> >>>> rob
> >>>>
> >>>>>
> >>>>> # getcert list
> >>>>> Number of certificates and requests being tracked: 8.
> >>>>> Request ID '20190926141756':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=CA Audit,O=EXAMPLE.COM
> >>>>> expires: 2020-11-17 18:32:07 UTC
> >>>>> key usage: digitalSignature,nonRepudiation
> >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190926141757':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> >>>>> expires: 2020-11-17 18:31:26 UTC
> >>>>> eku: id-kp-OCSPSigning
> >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190926141758':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
> >>>>> expires: 2020-11-17 18:31:16 UTC
> >>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190926141759':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> expires: 2037-01-05 14:47:24 UTC
> >>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190926141800':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=IPA RA,O=EXAMPLE.COM
> >>>>> expires: 2020-11-17 18:31:36 UTC
> >>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190926141801':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >>>>> CA: dogtag-ipa-renew-agent
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>> expires: 2020-11-17 18:30:29 UTC
> >>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190927010638':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pin set
> >>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >>>>> CA: IPA
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
> >>>>> expires: 2021-09-27 01:06:39 UTC
> >>>>> dns: ldap-ca-master.foo.EXAMPLE.com
> >>>>> principal name: HTTP/ldap-ca-master.foo.EXAMPLE.com(a)EXAMPLE.COM
> >>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>> pre-save command:
> >>>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>> Request ID '20190927011037':
> >>>>> status: MONITORING
> >>>>> stuck: no
> >>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pin set
> >>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >>>>> CA: IPA
> >>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>> subject: CN=ldap-ca-master.foo.example.com,O=EXAMPLE.COM
> >>>>> expires: 2021-09-27 01:10:38 UTC
> >>>>> dns: ldap-ca-master.foo.EXAMPLE.com
> >>>>> principal name: ldap/ldap-ca-master.foo.example.com(a)EXAMPLE.COM
> >>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>> pre-save command:
> >>>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE.COM
> >>>>> track: yes
> >>>>> auto-renew: yes
> >>>>>
> >>>>> On Thu, Sep 26, 2019 at 2:52 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>>>>>
> >>>>>> Satish Patel wrote:
> >>>>>>> Rob,
> >>>>>>>
> >>>>>>> I got your point and I will remove all Godaddy certs, but I wanted to
> >>>>>>> say one thing: if I look into the ldap-ca-replica server, which is the other
> >>>>>>> server, I can see Server-Cert. Is there a way I can sync all these
> >>>>>>> replica certs with the master and fix them?
> >>>>>>
> >>>>>> These certs are master-specific. ldap-ca-replica is using IPA-issued
> >>>>>> server certificates and the other is using Godaddy-issued certificates.
> >>>>>>
> >>>>>> It's possible to issue certificates using the IPA CA to replace these
> >>>>>> Godaddy certs but I guess I'd check to be sure that's what you really
> >>>>>> want to do. Most people do this kind of replacement so they don't need
> >>>>>> to distribute the IPA CA to non-IPA-enrolled systems so they can do
> >>>>>> self-service management.
> >>>>>>
> >>>>>> Roughly speaking, you'd do something like this:
> >>>>>>
> >>>>>> # ipa-getcert request -d /etc/httpd/alias -n Server-Cert -K HTTP/<hostname> -C /usr/libexec/ipa/certmonger/restart_httpd -D <hostname>
> >>>>>> # ipa-getcert request -d /etc/dirsrv/slapd-EXAMPLE-COM -n Server-Cert -K ldap/<hostname> -C "/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM" -D <hostname>
> >>>>>>
> >>>>>> That will issue the new certs and set them up for tracking.
> >>>>>>
> >>>>>> You can verify that they will work with:
> >>>>>>
> >>>>>> # certutil -V -u V -d <database> -n Server-Cert
> >>>>>>
> >>>>>> Both should return 'certificate is valid'
> >>>>>>
> >>>>>> If so then you can swap the config to use them. Edit
> >>>>>> /etc/httpd/conf.d/nss.conf and replace the NSSNickname value with
> >>>>>> Server-Cert and restart httpd
> >>>>>>
> >>>>>> For 389-ds:
> >>>>>>
> >>>>>> # ldapmodify -x -D 'cn=directory manager' -W
> >>>>>> dn: cn=RSA,cn=encryption,cn=config
> >>>>>> changetype: modify
> >>>>>> replace: nsSSLPersonalitySSL
> >>>>>> nsSSLPersonalitySSL: Server-Cert
> >>>>>> <blank line>
> >>>>>> ^D
> >>>>>>
> >>>>>> Then restart 389-ds-base, or do both then run ipactl restart
> >>>>>>
> >>>>>> The old certs will still exist in the NSS databases so you can always
> >>>>>> switch them back if you need to.
> >>>>>>
> >>>>>> rob
> >>>>>>
> >>>>>>>
> >>>>>>> This is the replica node output; looks like the replica is very clean..
> >>>>>>>
> >>>>>>> [root@ldap-ca-replica ~]# getcert list
> >>>>>>> Number of certificates and requests being tracked: 10.
> >>>>>>> Request ID '20190918205044':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB',pinfile='/etc/ipa/nssdb/pwdfile.txt'
> >>>>>>> certificate: type=NSSDB,location='/etc/ipa/nssdb',nickname='Local IPA host',token='NSS Certificate DB'
> >>>>>>> CA: IPA
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>> expires: 2021-09-18 20:50:45 UTC
> >>>>>>> dns: ldap-ca-replica.foo.EXAMPLE.com
> >>>>>>> principal name: host/ldap-ca-replica.foo.EXAMPLE.com(a)EXAMPLE.COM
> >>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>> pre-save command:
> >>>>>>> post-save command:
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205212':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
> >>>>>>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
> >>>>>>> CA: IPA
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>> expires: 2021-09-18 20:52:12 UTC
> >>>>>>> dns: ldap-ca-replica.foo.EXAMPLE.com
> >>>>>>> principal name: ldap/ldap-ca-replica.foo.EXAMPLE.com(a)EXAMPLE.COM
> >>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>> pre-save command:
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205232':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> >>>>>>> CA: IPA
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>> expires: 2021-09-18 20:52:32 UTC
> >>>>>>> dns: ldap-ca-replica.foo.EXAMPLE.com
> >>>>>>> principal name: HTTP/ldap-ca-replica.foo.EXAMPLE.com(a)EXAMPLE.COM
> >>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>> pre-save command:
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205418':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> >>>>>>> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> >>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
> >>>>>>> expires: 2020-11-17 18:31:36 UTC
> >>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205431':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
> >>>>>>> expires: 2020-11-17 18:32:07 UTC
> >>>>>>> key usage: digitalSignature,nonRepudiation
> >>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205432':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> >>>>>>> expires: 2020-11-17 18:31:26 UTC
> >>>>>>> eku: id-kp-OCSPSigning
> >>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205433':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
> >>>>>>> expires: 2020-11-17 18:31:16 UTC
> >>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205434':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> expires: 2037-01-05 14:47:24 UTC
> >>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918205435':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>> expires: 2021-09-07 20:54:00 UTC
> >>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
> >>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>> Request ID '20190918210008':
> >>>>>>> status: MONITORING
> >>>>>>> stuck: no
> >>>>>>> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> >>>>>>> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> >>>>>>> CA: SelfSign
> >>>>>>> issuer: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>> subject: CN=ldap-ca-replica.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>> expires: 2020-09-18 21:00:08 UTC
> >>>>>>> principal name: krbtgt/EXAMPLE.COM(a)EXAMPLE.COM
> >>>>>>> certificate template/profile: KDCs_PKINIT_Certs
> >>>>>>> pre-save command:
> >>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> >>>>>>> track: yes
> >>>>>>> auto-renew: yes
> >>>>>>>
> >>>>>>> On Thu, Sep 26, 2019 at 1:35 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>>>>>>>
> >>>>>>>> Satish Patel via FreeIPA-users wrote:
> >>>>>>>>> Rob,
> >>>>>>>>>
> >>>>>>>>> Here are the web certs
> >>>>>>>>>
> >>>>>>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/httpd/alias -L
> >>>>>>>>>
> >>>>>>>>> Certificate Nickname                                         Trust Attributes
> >>>>>>>>>                                                              SSL,S/MIME,JAR/XPI
> >>>>>>>>>
> >>>>>>>>> EXAMPLE.COM IPA CA                                           CT,C,C
> >>>>>>>>> Godaddy                                                      C,,
> >>>>>>>>> CN=*.foo.example.com,OU=Domain Control Validated             u,u,u
> >>>>>>>>> Signing-Cert                                                 u,u,u
> >>>>>>>>> Godaddy Intermediate                                         C,,
> >>>>>>>>> ipaCert                                                      u,u,u
> >>>>>>>>
> >>>>>>>> Ok, good. Also using a Godaddy cert.
> >>>>>>>>
> >>>>>>>>> Here is the full output of getcert and I can see some certs showing MONITORING
> >>>>>>>>
> >>>>>>>> Ok. I've annotated each cert you should stop tracking. It looks like the
> >>>>>>>> CA subsystem certs are ok.
> >>>>>>>>
> >>>>>>>> You will need to watch the Godaddy certs yourself and manually renew
> >>>>>>>> when the time comes. certmonger has no way to renew those.
> >>>>>>>>
> >>>>>>>> To stop tracking these run: getcert stop-tracking -i <request_id>
> >>>>>>>>
> >>>>>>>>>
> >>>>>>>>> [root@ldap-ca-master ~]# getcert list
> >>>>>>>>> Number of certificates and requests being tracked: 13.
> >>>>>>>>> Request ID '20190915043246':
> >>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
> >>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
> >>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> expires: 2037-12-31 23:59:59 UTC
> >>>>>>>>> key usage: keyCertSign,cRLSign
> >>>>>>>>> pre-save command:
> >>>>>>>>> post-save command:
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>
> >>>>>>>> No need to track this one. You'd have no way of renewing it anyway.
> >>>>>>>>
> >>>>>>>>> Request ID '20190915043304':
> >>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
> >>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
> >>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> expires: 2031-05-03 07:00:00 UTC
> >>>>>>>>> key usage: keyCertSign,cRLSign
> >>>>>>>>> pre-save command:
> >>>>>>>>> post-save command:
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>
> >>>>>>>> No need to track this one.
> >>>>>>>>
> >>>>>>>>> Request ID '20190915045112':
> >>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
> >>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> expires: 2037-01-05 14:47:24 UTC
> >>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>>>>>> pre-save command:
> >>>>>>>>> post-save command:
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>
> >>>>>>>> You don't need to track the CA cert here.
> >>>>>>>>
> >>>>>>>>> Request ID '20190915045148':
> >>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
> >>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> expires: 2037-12-31 23:59:59 UTC
> >>>>>>>>> key usage: keyCertSign,cRLSign
> >>>>>>>>> pre-save command:
> >>>>>>>>> post-save command:
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>
> >>>>>>>> Same, stop the tracking.
> >>>>>>>>
> >>>>>>>>> Request ID '20190915045156':
> >>>>>>>>> status: NEED_CA
> >>>>>>>>> stuck: yes
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS Certificate DB'
> >>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> subject: CN=Object Signing Cert,O=EXAMPLE.COM
> >>>>>>>>> expires: 2021-01-05 14:49:59 UTC
> >>>>>>>>> key usage: digitalSignature,keyCertSign
> >>>>>>>>> pre-save command:
> >>>>>>>>> post-save command:
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>
> >>>>>>>> This one too.
> >>>>>>>>
> >>>>>>>>> Request ID '20190915045206':
> >>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
> >>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>> expires: 2031-05-03 07:00:00 UTC
> >>>>>>>>> key usage: keyCertSign,cRLSign
> >>>>>>>>> pre-save command:
> >>>>>>>>> post-save command:
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>
> >>>>>>>> And this, stop tracking.
> >>>>>>>>
> >>>>>>>>> Request ID '20190926141756':
> >>>>>>>>> status: MONITORING
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
> >>>>>>>>> expires: 2020-11-17 18:32:07 UTC
> >>>>>>>>> key usage: digitalSignature,nonRepudiation
> >>>>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>> Request ID '20190926141757':
> >>>>>>>>> status: MONITORING
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> >>>>>>>>> expires: 2020-11-17 18:31:26 UTC
> >>>>>>>>> eku: id-kp-OCSPSigning
> >>>>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>> Request ID '20190926141758':
> >>>>>>>>> status: MONITORING
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
> >>>>>>>>> expires: 2020-11-17 18:31:16 UTC
> >>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>> Request ID '20190926141759':
> >>>>>>>>> status: MONITORING
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> expires: 2037-01-05 14:47:24 UTC
> >>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>>>>>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>> Request ID '20190926141800':
> >>>>>>>>> status: MONITORING
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> >>>>>>>>> CA: dogtag-ipa-ca-renew-agent
> >>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>> subject: CN=IPA RA,O=EXAMPLE.COM
> >>>>>>>>> expires: 2020-11-17 18:31:36 UTC
> >>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> >>>>>>>>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>> Request ID '20190926141801':
> >>>>>>>>> status: MONITORING
> >>>>>>>>> stuck: no
> >>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate
DB'
> >>>>>>>>> CA: dogtag-ipa-renew-agent
> >>>>>>>>> issuer: CN=Certificate
Authority,O=EXAMPLE.COM
> >>>>>>>>> subject:
CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>>>> expires: 2020-11-17 18:30:29 UTC
> >>>>>>>>> key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>> pre-save command:
/usr/libexec/ipa/certmonger/stop_pkicad
> >>>>>>>>> post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert
> >>>>>>>>> "Server-Cert cert-pki-ca"
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>> Request ID '20190926141802':
> >>>>>>>>> status: CA_UNCONFIGURED
> >>>>>>>>> ca-error: Unable to determine principal name for
signing request.
> >>>>>>>>> stuck: yes
> >>>>>>>>> key pair storage:
> >>>>>>>>>
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS
> >>>>>>>>> Certificate
DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
> >>>>>>>>> certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert'
> >>>>>>>>> CA: IPA
> >>>>>>>>> issuer:
> >>>>>>>>> subject:
> >>>>>>>>> expires: unknown
> >>>>>>>>> pre-save command:
> >>>>>>>>> post-save command:
/usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
> >>>>>>>>> track: yes
> >>>>>>>>> auto-renew: yes
> >>>>>>>>
> >>>>>>>> The tracking on this one is wrong and since you don't have Server-Cert
> >>>>>>>> anyway, just stop tracking this one.
> >>>>>>>>
> >>>>>>>> rob
> >>>>>>>>>
> >>>>>>>>> On Thu, Sep 26, 2019 at 10:31 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>>>>>>>>>
> >>>>>>>>>> Satish Patel wrote:
> >>>>>>>>>>> Addition to last email:
> >>>>>>>>>>>
> >>>>>>>>>>> I can't see Server-Cert here, but interestingly I can see
> >>>>>>>>>>> Server-Cert in my CA replica node on ldap-2 (why is my primary
> >>>>>>>>>>> ldap-ca-master not showing that cert?)
> >>>>>>>>>>>
> >>>>>>>>>>> [root@ldap-ca-master ~]# /usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM/ -L
> >>>>>>>>>>>
> >>>>>>>>>>> Certificate Nickname                                   Trust Attributes
> >>>>>>>>>>>                                                        SSL,S/MIME,JAR/XPI
> >>>>>>>>>>>
> >>>>>>>>>>> EXAMPLE.COM IPA CA                                     CT,C,C
> >>>>>>>>>>> Godaddy                                                C,,
> >>>>>>>>>>> CN=*.foo.example.com,OU=Domain Control Validated       u,u,u
> >>>>>>>>>>> Godaddy Intermediate                                   C,,
> >>>>>>>>>>
> >>>>>>>>>> At some point someone replaced the IPA-signed LDAP certificate with one
> >>>>>>>>>> signed by GoDaddy (which is fine).
> >>>>>>>>>>
> >>>>>>>>>> It appears that the version of IPA you're using (at least) doesn't
> >>>>>>>>>> handle this case.
> >>>>>>>>>>
> >>>>>>>>>> Now, fortunately it's one of the last things done so this may be just fine.
> >>>>>>>>>>
> >>>>>>>>>> Can you see if your web server cert was also replaced? The database is
> >>>>>>>>>> /etc/httpd/alias.
> >>>>>>>>>>
> >>>>>>>>>> Also, check your current tracking. The CA subsystem certs should be
> >>>>>>>>>> properly tracked now. It is just the LDAP and web certs that should not
> >>>>>>>>>> be (and if it is still using GoDaddy that is fine).
> >>>>>>>>>>
> >>>>>>>>>> rob
> >>>>>>>>>>
> >>>>>>>>>>>
> >>>>>>>>>>> On Thu, Sep 26, 2019 at 10:22 AM Satish Patel <satish.txt(a)gmail.com> wrote:
> >>>>>>>>>>>>
> >>>>>>>>>>>> Rob,
> >>>>>>>>>>>>
> >>>>>>>>>>>> Now I got an error and here is the output. The output was very long, so I
> >>>>>>>>>>>> cropped it down and here is the error piece.
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa: INFO: [Upgrading CA schema]
> >>>>>>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: flushing ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket from SchemaCache
> >>>>>>>>>>>> ipa.ipapython.ipaldap.SchemaCache: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EXAMPLE-COM.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x85bbf80>
> >>>>>>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-certProfile.ldif
> >>>>>>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Processing schema LDIF file /usr/share/pki/server/conf/schema-authority.ldif
> >>>>>>>>>>>> ipa.ipaserver.install.schemaupdate: DEBUG: Not updating schema
> >>>>>>>>>>>> ipa: INFO: CA schema update complete (no changes)
> >>>>>>>>>>>> ipa: INFO: [Verifying that CA audit signing cert has 2 year validity]
> >>>>>>>>>>>> ipa.ipaserver.install.cainstance.CAInstance: DEBUG: caSignedLogCert.cfg profile validity range is 720
> >>>>>>>>>>>> ipa: INFO: [Update certmonger certificate renewal configuration to version 5]
> >>>>>>>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
> >>>>>>>>>>>> ipa: DEBUG: Configuring certmonger to stop tracking system certificates for CA
> >>>>>>>>>>>> Configuring certmonger to stop tracking system certificates for CA
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=active
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=active
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl stop certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=active
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >>>>>>>>>>>> ipa: DEBUG: Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl enable certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl start messagebus.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active messagebus.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=active
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl start certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/bin/systemctl is-active certmonger.service
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=0
> >>>>>>>>>>>> ipa: DEBUG: stdout=active
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa: DEBUG: stderr=
> >>>>>>>>>>>> ipa: DEBUG: Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> >>>>>>>>>>>> ipa: DEBUG: Starting external process
> >>>>>>>>>>>> ipa: DEBUG: args=/usr/bin/certutil -d /etc/dirsrv/slapd-EXAMPLE-COM -L -n Server-Cert -a
> >>>>>>>>>>>> ipa: DEBUG: Process finished, return code=255
> >>>>>>>>>>>> ipa: DEBUG: stdout=
> >>>>>>>>>>>> ipa: DEBUG: stderr=certutil: Could not find cert: Server-Cert
> >>>>>>>>>>>> : PR_FILE_NOT_FOUND_ERROR: File not found
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
> >>>>>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 171, in execute
> >>>>>>>>>>>>     return_value = self.run()
> >>>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 46, in run
> >>>>>>>>>>>>     server.upgrade()
> >>>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1863, in upgrade
> >>>>>>>>>>>>     upgrade_configuration()
> >>>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1769, in upgrade_configuration
> >>>>>>>>>>>>     certificate_renewal_update(ca, ds, http),
> >>>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 1027, in certificate_renewal_update
> >>>>>>>>>>>>     ds.start_tracking_certificates(serverid)
> >>>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/dsinstance.py", line 983, in start_tracking_certificates
> >>>>>>>>>>>>     'restart_dirsrv %s' % serverid)
> >>>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipaserver/install/certs.py", line 307, in track_server_cert
> >>>>>>>>>>>>     nsscert = x509.load_certificate(cert, dbdir=self.secdir)
> >>>>>>>>>>>>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 125, in load_certificate
> >>>>>>>>>>>>     return nss.Certificate(buffer(data)) # pylint: disable=buffer-builtin
> >>>>>>>>>>>>
> >>>>>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: DEBUG: The ipa-server-upgrade command failed, exception: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> >>>>>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: Unexpected error - see /var/log/ipaupgrade.log for details: NSPRError: (SEC_ERROR_LIBRARY_FAILURE) security library failure.
> >>>>>>>>>>>> ipa.ipaserver.install.ipa_server_upgrade.ServerUpgrade: ERROR: The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for more information
> >>>>>>>>>>>>
> >>>>>>>>>>>> On Thu, Sep 26, 2019 at 9:39 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Satish Patel wrote:
> >>>>>>>>>>>>>> I am running "ipa-server-4.4.0-14.el7.centos.4.x86_64"
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Ok, that explains what is happening.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Edit /var/lib/ipa/sysupgrade/sysupgrade.state and find the [dogtag]
> >>>>>>>>>>>>> section. Remove the entry for certificate_renewal_update_5.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> This being present is preventing the tracking from being repaired.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Then run ipa-server-upgrade again and your tracking should be fixed.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> Use the -v flag for additional debugging, not --debug, I was mistaken.
> >>>>>>>>>>>>>
> >>>>>>>>>>>>> rob
> >>>>>>>>>>>>>
> >>>>>>>>>>>>>>
> >>>>>>>>>>>>>> On Wed, Sep 25, 2019 at 5:13 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
> >>>>>>>>>>>>>>>> I did run "ipa-server-upgrade" and it looks like it was successful, but
> >>>>>>>>>>>>>>>> getcert list is still showing CA_NEED :(
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> Remind me what the package version of IPA is. I'm confused by the
> >>>>>>>>>>>>>>> version 5 in the output about renewal configuration.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> You might also want to try running with --debug as depending on release
> >>>>>>>>>>>>>>> it will give more information about this.
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>> rob
> >>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> [root@ldap-ca-master ~]# ipa-server-upgrade
> >>>>>>>>>>>>>>>> Upgrading IPA:
> >>>>>>>>>>>>>>>> [1/10]: stopping directory server
> >>>>>>>>>>>>>>>> [2/10]: saving configuration
> >>>>>>>>>>>>>>>> [3/10]: disabling listeners
> >>>>>>>>>>>>>>>> [4/10]: enabling DS global lock
> >>>>>>>>>>>>>>>> [5/10]: starting directory server
> >>>>>>>>>>>>>>>> [6/10]: updating schema
> >>>>>>>>>>>>>>>> [7/10]: upgrading server
> >>>>>>>>>>>>>>>> [8/10]: stopping directory server
> >>>>>>>>>>>>>>>> [9/10]: restoring configuration
> >>>>>>>>>>>>>>>> [10/10]: starting directory server
> >>>>>>>>>>>>>>>> Done.
> >>>>>>>>>>>>>>>> Update complete
> >>>>>>>>>>>>>>>> Upgrading IPA services
> >>>>>>>>>>>>>>>> Upgrading the configuration of the IPA services
> >>>>>>>>>>>>>>>> [Verifying that root certificate is published]
> >>>>>>>>>>>>>>>> [Migrate CRL publish directory]
> >>>>>>>>>>>>>>>> CRL tree already moved
> >>>>>>>>>>>>>>>> /etc/dirsrv/slapd-EXAMPLE-COM/certmap.conf is now managed by IPA. It will be overwritten. A backup of the original will be made.
> >>>>>>>>>>>>>>>> [Verifying that CA proxy configuration is correct]
> >>>>>>>>>>>>>>>> [Verifying that KDC configuration is using ipa-kdb backend]
> >>>>>>>>>>>>>>>> [Fix DS schema file syntax]
> >>>>>>>>>>>>>>>> Syntax already fixed
> >>>>>>>>>>>>>>>> [Removing RA cert from DS NSS database]
> >>>>>>>>>>>>>>>> RA cert already removed
> >>>>>>>>>>>>>>>> [Enable sidgen and extdom plugins by default]
> >>>>>>>>>>>>>>>> [Updating HTTPD service IPA configuration]
> >>>>>>>>>>>>>>>> [Updating mod_nss protocol versions]
> >>>>>>>>>>>>>>>> Protocol versions already updated
> >>>>>>>>>>>>>>>> [Updating mod_nss cipher suite]
> >>>>>>>>>>>>>>>> [Fixing trust flags in /etc/httpd/alias]
> >>>>>>>>>>>>>>>> Trust flags already processed
> >>>>>>>>>>>>>>>> [Exporting KRA agent PEM file]
> >>>>>>>>>>>>>>>> KRA is not enabled
> >>>>>>>>>>>>>>>> [Removing self-signed CA]
> >>>>>>>>>>>>>>>> [Removing Dogtag 9 CA]
> >>>>>>>>>>>>>>>> [Checking for deprecated KDC configuration files]
> >>>>>>>>>>>>>>>> [Checking for deprecated backups of Samba configuration files]
> >>>>>>>>>>>>>>>> [Setting up Firefox extension]
> >>>>>>>>>>>>>>>> [Add missing CA DNS records]
> >>>>>>>>>>>>>>>> IPA CA DNS records already processed
> >>>>>>>>>>>>>>>> [Removing deprecated DNS configuration options]
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> [Ensuring minimal number of connections]
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> [Enabling serial autoincrement in DNS]
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> [Updating GSSAPI configuration in DNS]
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> [Updating pid-file configuration in DNS]
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> DNS is not configured
> >>>>>>>>>>>>>>>> [Upgrading CA schema]
> >>>>>>>>>>>>>>>> CA schema update complete (no changes)
> >>>>>>>>>>>>>>>> [Verifying that CA audit signing cert has 2 year validity]
> >>>>>>>>>>>>>>>> [Update certmonger certificate renewal configuration to version 5]
> >>>>>>>>>>>>>>>> [Enable PKIX certificate path discovery and validation]
> >>>>>>>>>>>>>>>> PKIX already enabled
> >>>>>>>>>>>>>>>> [Authorizing RA Agent to modify profiles]
> >>>>>>>>>>>>>>>> [Authorizing RA Agent to manage lightweight CAs]
> >>>>>>>>>>>>>>>> [Ensuring Lightweight CAs container exists in Dogtag database]
> >>>>>>>>>>>>>>>> [Adding default OCSP URI configuration]
> >>>>>>>>>>>>>>>> [Ensuring CA is using LDAPProfileSubsystem]
> >>>>>>>>>>>>>>>> [Migrating certificate profiles to LDAP]
> >>>>>>>>>>>>>>>> [Ensuring presence of included profiles]
> >>>>>>>>>>>>>>>> [Add default CA ACL]
> >>>>>>>>>>>>>>>> Default CA ACL already added
> >>>>>>>>>>>>>>>> [Set up lightweight CA key retrieval]
> >>>>>>>>>>>>>>>> Creating principal
> >>>>>>>>>>>>>>>> Retrieving keytab
> >>>>>>>>>>>>>>>> Creating Custodia keys
> >>>>>>>>>>>>>>>> Configuring key retriever
> >>>>>>>>>>>>>>>> The IPA services were upgraded
> >>>>>>>>>>>>>>>> The ipa-server-upgrade command was successful
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list | grep status
> >>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>> On Tue, Sep 24, 2019 at 3:55 AM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> On 9/23/19 4:10 PM, Satish Patel via FreeIPA-users wrote:
> >>>>>>>>>>>>>>>>>> Thanks Florence,
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Is it safe to run "ipa-server-upgrade"?
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>>>> generally yes :)
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> We had a few tickets related to upgrade but they are mainly revealing
> >>>>>>>>>>>>>>>>> already present issues (for instance because this CLI stops and starts
> >>>>>>>>>>>>>>>>> the services, expired certs would prevent successful completion).
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> Do I need to provide any option with the "ipa-server-upgrade" command? I
> >>>>>>>>>>>>>>>>>> believe a few months back when I tried to do "ipa-server-upgrade" it
> >>>>>>>>>>>>>>>>>> broke some stuff, but anyway I will take a snapshot of the VM and try,
> >>>>>>>>>>>>>>>>>> for the worst-case scenario.
> >>>>>>>>>>>>>>>>> With the VM snapshot you are on the safe side.
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>> flo
> >>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>> On Mon, Sep 23, 2019 at 2:25 AM Florence Blanc-Renaud <flo(a)redhat.com> wrote:
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> On 9/21/19 7:41 PM, Satish Patel via FreeIPA-users wrote:
> >>>>>>>>>>>>>>>>>>>> Any thought?
> >>>>>>>>>>>>>>>>>>> Hi,
> >>>>>>>>>>>>>>>>>>> if you run ipa-server-upgrade on this node, the command will fix the
> >>>>>>>>>>>>>>>>>>> tracking of certs. You should see in the output:
> >>>>>>>>>>>>>>>>>>> [Update certmonger certificate renewal configuration]
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>> HTH,
> >>>>>>>>>>>>>>>>>>> flo
> >>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>> Sent from my iPhone
> >>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> On Sep 20, 2019, at 11:35 AM, Satish Patel <satish.txt(a)gmail.com> wrote:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> Rob, sorry, I trimmed my output because I thought it was not necessary, but
> >>>>>>>>>>>>>>>>>>>>> anyway here is the full list (ignore the CAPS letters in the output)
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>> [root@ldap-ca-master ~]# getcert list
> >>>>>>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915042927':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>>>>>>> stuck: yes
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915043150':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>>>>>>> stuck: yes
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> subject: CN=ldap-ca-master.foo.EXAMPLE.com,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:30:29 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915043212':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>>>>>>> stuck: yes
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> subject: CN=OCSP Subsystem,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:26 UTC
> >>>>>>>>>>>>>>>>>>>>> eku: id-kp-OCSPSigning
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915043224':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>>>>>>> stuck: yes
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> subject: CN=CA Audit,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:32:07 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915043237':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_CA
> >>>>>>>>>>>>>>>>>>>>> stuck: yes
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> subject: CN=CA Subsystem,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> expires: 2020-11-17 18:31:16 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>>>>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915043246':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>>>>>>> stuck: no
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',pin set
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915043304':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>>>>>>> stuck: no
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',pin set
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Godaddy Intermediate',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>> subject: CN=Go Daddy Secure Certificate Authority - G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>> expires: 2031-05-03 07:00:00 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915045112':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>>>>>>> stuck: no
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> subject: CN=Certificate Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>> expires: 2037-01-05 14:47:24 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915045148':
> >>>>>>>>>>>>>>>>>>>>> status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>>>>>>> stuck: no
> >>>>>>>>>>>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>>>>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>> issuer: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>> subject: CN=Go Daddy Root Certificate Authority - G2,O="GoDaddy.com, Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>> expires: 2037-12-31 23:59:59 UTC
> >>>>>>>>>>>>>>>>>>>>> key usage: keyCertSign,cRLSign
> >>>>>>>>>>>>>>>>>>>>> pre-save command:
> >>>>>>>>>>>>>>>>>>>>> post-save command:
> >>>>>>>>>>>>>>>>>>>>> track: yes
> >>>>>>>>>>>>>>>>>>>>> auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>> Request ID '20190915045156':
> >>>>>>>>>>>>>>>>>>>>>
status: NEED_CA
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
stuck: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
key pair storage:
> >>>>>>>>>>>>>>>>>>>>>
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
> >>>>>>>>>>>>>>>>>>>>>
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Signing-Cert',token='NSS
> >>>>>>>>>>>>>>>>>>>>>
Certificate DB'
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
subject: CN=Object Signing
Cert,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
expires: 2021-01-05 14:49:59 UTC
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
key usage: digitalSignature,keyCertSign
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
pre-save command:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
post-save command:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
track: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
Request ID '20190915045206':
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
status: NEED_KEY_PAIR
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
stuck: no
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
key pair storage:
> >>>>>>>>>>>>>>>>>>>>>
type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy
> >>>>>>>>>>>>>>>>>>>>>
Intermediate',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Godaddy
> >>>>>>>>>>>>>>>>>>>>>
Intermediate',token='NSS Certificate DB'
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
issuer: CN=Go Daddy Root Certificate Authority -
G2,O="GoDaddy.com,
> >>>>>>>>>>>>>>>>>>>>>
Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
subject: CN=Go Daddy Secure Certificate Authority -
> >>>>>>>>>>>>>>>>>>>>>
G2,OU=http://certs.godaddy.com/repository/,O="GoDaddy.com,
> >>>>>>>>>>>>>>>>>>>>>
Inc.",L=Scottsdale,ST=Arizona,C=US
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
expires: 2031-05-03 07:00:00 UTC
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
key usage: keyCertSign,cRLSign
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
pre-save command:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
post-save command:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
track: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
Request ID '20190915045216':
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
status: NEED_CA
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
stuck: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
key pair storage:
> >>>>>>>>>>>>>>>>>>>>>
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >>>>>>>>>>>>>>>>>>>>>
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> >>>>>>>>>>>>>>>>>>>>>
Certificate DB'
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
issuer: CN=Certificate
Authority,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
subject: CN=IPA
RA,O=EXAMPLE.COM
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
expires: 2020-11-17 18:31:36 UTC
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
eku: id-kp-serverAuth,id-kp-clientAuth
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
pre-save command:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
post-save command:
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
track: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>
auto-renew: yes
> >>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> On Fri, Sep 20, 2019 at 10:58 AM Rob Crittenden <rcritten(a)redhat.com> wrote:
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> Satish Patel via FreeIPA-users wrote:
> >>>>>>>>>>>>>>>>>>>>>>> Few days ago my Master CA was messed up and getcert list was showing
> >>>>>>>>>>>>>>>>>>>>>>> an empty list (no cert to track).
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> So I ran the following commands to add the certs manually:
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'ocspSigningCert cert-pki-ca' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'auditSigningCert cert-pki-ca' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'subsystemCert cert-pki-ca' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>>>>>> getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'Godaddy Intermediate' -P XXXXXXX
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> And after that I am seeing this status (status: NEED_CA). It should
> >>>>>>>>>>>>>>>>>>>>>>> be MONITORING, right?
> >>>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>>> # getcert list
> >>>>>>>>>>>>>>>>>>>>>>> Number of certificates and requests being tracked: 12.
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> You set up the tracking wrong. Your output only shows 3 certs and yet
> >>>>>>>>>>>>>>>>>>>>>> certmonger thinks it has 12. Where are the other 9?
> >>>>>>>>>>>>>>>>>>>>>>
> >>>>>>>>>>>>>>>>>>>>>> rob
> >>>>>>>>>>>>>>>>>>>> _______________________________________________
> >>>>>>>>>>>>>>>>>>>> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> >>>>>>>>>>>>>>>>>>>> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> >>>>>>>>>>>>>>>>>>>> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> >>>>>>>>>>>>>>>>>>>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> >>>>>>>>>>>>>>>>>>>> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
> >>>>>>>>>>>>>>>>>>>>
>
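As an added example (not from this thread, certmonger or FreeIPA), a small Python audit of `getcert list` output that applies the two checks Rob used above: the "Number of certificates and requests being tracked" header against the number of Request ID entries actually listed, and any request that is stuck or not in MONITORING. The sample output and the request IDs in it are constructed in the layout the thread shows.

```python
import re

# Constructed sample in the layout 'getcert list' prints (not the thread's own output).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190915045112':
\tstatus: NEED_KEY_PAIR
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='EXAMPLE.COM IPA CA',pinfile='/etc/httpd/alias/pwdfile.txt'
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2037-01-05 14:47:24 UTC
Request ID '20190915045216':
\tstatus: NEED_CA
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',pinfile='/etc/httpd/alias/pwdfile.txt'
\tsubject: CN=IPA RA,O=EXAMPLE.COM
\texpires: 2020-11-17 18:31:36 UTC
"""


def parse_getcert_list(text):
    """Return (declared_count, [request dicts]) from getcert list output."""
    declared, requests, current = None, [], None
    for line in text.splitlines():
        m = re.match(r"Number of certificates and requests being tracked: (\d+)\.", line)
        if m:
            declared = int(m.group(1))
            continue
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is not None and ":" in line:
            # Every field is "<name>: <value>"; the value may itself contain '='.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return declared, requests


def audit(text):
    """Findings an IPA admin should resolve before relying on auto-renewal."""
    declared, requests = parse_getcert_list(text)
    findings = []
    if declared is not None and declared != len(requests):
        findings.append(f"header says {declared} tracked, but output lists {len(requests)}")
    for req in requests:
        nick = re.search(r"nickname='([^']*)'", req.get("key pair storage", ""))
        label = nick.group(1) if nick else req["id"]
        if req.get("stuck") == "yes":
            findings.append(f"{label}: stuck in {req.get('status')}, renewal will not proceed")
        elif req.get("status") != "MONITORING":
            findings.append(f"{label}: status {req.get('status')} (expected MONITORING)")
    return findings
```

Feed it the real output with `audit(subprocess.check_output(["getcert", "list"], text=True))` on a master; an empty list is the state to expect on a healthy CA.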