Juan Pablo Lorier via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> writes:
Hi Rob,
All dates are good once I add the pin manually. The only problem is
the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run
the updater. I don’t know what is not right with the certs. Maybe you
can point me in a direction to look at the logs. Let me share the
getcert list once I manually fixed the pin:
Can you perhaps compare the requests for one certificate before and
after the upgrade? The requests are stored in
/var/lib/certmonger/requests. Let's focus on one certificate first,
for example:
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca'
I'd try something like that:
- save /var/lib/certmonger/requests somewhere
- try the upgrade once again
- save /var/lib/certmonger/requests again, somewhere else
- compare and see what the differences really are
Depending on the differences - and needs some creative thinking:
- reset the system to the state before the upgrade
- stop certmonger
- replace /var/lib/certmonger/requests with the second copy (from after
the upgrade)
- We need to get certmonger and ipa-server-upgrade to be happy with these
requests, so the requests don't get changed during the next upgrade.
I've had a look at the logs of the last ipaupgrade.log. For each
certificate I see:
2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal
configuration]
...
2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration
already up-to-date
I guess the second line for you says something like "...config
updated". We need to see if the lines between have some clues for us.
In a post upthread you posted the console output:
Missing or incorrect tracking request for certificates:
/etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
/etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
/etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
Certmonger certificate renewal configuration updated
Also upthread you posted:
>>>> 2022-11-30T16:07:49Z DEBUG Profile
'ECAdminCert' is already in LDAP and
>>>> enabled; skipping
>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>> 2022-11-30T16:07:49Z DEBUG request GET
>>>>
https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>> Traceback (most recent call last):
>>>> File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py",
line
In my upgrade log this is after updating/checking the certmonger
requests. So my guess is there's something strange with your
configuration in /var/lib/certmonger/requests.
So, can you provide more of your ipaupgrade.log where the certmonger
requests are checked/updated and one request before/after?
Jochen
--
This space is intentionally left blank.
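The "save the requests directory before and after the upgrade, then compare" step suggested above, as an added helper that is not part of this thread nor FreeIPA or certmonger code. It assumes the request files are plain key=value lines (indented lines continuing the previous value), pairs files by storage location and nickname rather than by request id, and masks the key_pin value so the PIN never ends up in a pasted diff; the BEFORE/AFTER files are constructed samples.

```python
"""Diff two saved copies of /var/lib/certmonger/requests (before and after an
ipa-server-upgrade run) and list the tracking fields that changed per cert.
Added example, not FreeIPA/certmonger code.  Assumes request files are
key=value lines (indented lines continue the previous value); files are paired
by key_storage_location + key_nickname because request ids may differ."""

SECRET_FIELDS = {"key_pin"}  # report that a PIN changed, never print its value

def parse_request(text):
    fields, last = {}, None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and last:        # continuation line
            fields[last] += "\n" + line.strip()
        elif line.strip():
            key, _, value = line.partition("=")
            last = key.strip()
            fields[last] = value.strip()
    return fields

def snapshot(files):
    """{filename: text} -> {(location, nickname): fields}."""
    snap = {}
    for text in files.values():
        f = parse_request(text)
        snap[(f.get("key_storage_location"), f.get("key_nickname"))] = f
    return snap

def diff_snapshots(before, after):
    """{cert: {field: (old, new)}} for every field whose value differs."""
    out = {}
    for cert in sorted(set(before) | set(after), key=str):
        b, a = before.get(cert, {}), after.get(cert, {})
        changed = {}
        for field in sorted(set(b) | set(a)):
            old, new = b.get(field), a.get(field)
            if old != new:
                if field in SECRET_FIELDS:
                    old, new = ["<set>" if v else "<unset>" for v in (old, new)]
                changed[field] = (old, new)
        if changed:
            out[cert] = changed
    return out

# Constructed sample: the manually set PIN is blank again after the upgrade.
BEFORE = {"20220902000001": "id=20220902000001\nkey_storage_type=NSSDB\n"
          "key_storage_location=/etc/pki/pki-tomcat/alias\n"
          "key_nickname=auditSigningCert cert-pki-ca\nkey_pin=examplepin\n"}
AFTER = {"20220902000009": BEFORE["20220902000001"]
         .replace("key_pin=examplepin", "key_pin=").replace("000001", "000009")}
```

For the two real copies, build each snapshot with `snapshot({p.name: p.read_text() for p in Path(saved_dir).iterdir() if p.is_file()})` and print `diff_snapshots(before, after)`.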