On Fri, Feb 02, 2018 at 01:35:38PM +0100, Christof Schulze via FreeIPA-users wrote:
> Hi,
> Problem solved.
> Just took the whole /etc/pki/pki-tomcat/alias folder from the backup. Added
> permissions and selinux labels, and went back to Christmas.
> Problem still there, renewal did not work:
> ca-error: Invalid cookie: ''
> From another (old) thread someone had a similar problem,
> invalid cookie: '' and no "CA renewal master".
> In the ldap my "first master" was the first master, but someone (me) forgot
> when it was rebuilt (cloned) from one of the other masters to promote it to
> a "CA renewal master".
> ipa config-show
> ...
> IPA CA renewal master: idm1.XXXkd.fau.de
> but
> ca.crl.MasterCRL.enableCRLUpdates=false
> ca.crl.MasterCRL.enableCRLCache=false
> And even the certmonger didn't know about.
> getcert list -d /var/lib/pki-ca/alias -n "subsystemCert cert-pki-ca" |
> grep post-save
> 'restart_pkicad' and not 'renew_ca_cert' like it should for a CA renewal
> master.
> So thanks to Fraser's blog, I had been able to find and fix the
> configuration problem, restarted the pki-tomcatd, httpd and certmonger and
> renewed all the expiring certificates.
> Everything is working now again, weekend can come.
Glad we were able to help. I hope you had a nice, stress-free
weekend :)
Cheers,
Fraser
>
> Thanks for all the help
>
>
> On 02.02.2018 02:31, Fraser Tweedale wrote:
> > On Thu, Feb 01, 2018 at 10:39:00AM +0100, Christof Schulze via FreeIPA-users wrote:
> > >
> > > pki-tomcatd does not start because the 'auditSigningCert cert-pki-ca' is
> > > always invalid (expired or not valid now)
> > >
> > > Old one
> > > Not Before: Feb 9 12:01:11 2016 GMT
> > > Not After : Jan 29 12:01:11 2018 GMT
> > >
> > > New one
> > > Not Before: Jan 29 13:22:53 2018 GMT
> > > Not After : Jan 19 13:22:53 2020 GMT
> > >
> > > Can I just restore this certificate from an old backup and try to resubmit
> > > it long before it is expiring?
> > >
> > > Or do I have to do an ipa-restore from the old backup.
> > >
> > > This certificate is also already replicated to the replicas.
> > >
> > Sure. Back up the certificate and key using `pk12util` first. (Or
> > just make a copy of the whole NSSDB.) Then delete the certificate from
> > the NSSDB using `certutil -D`. (I think this will leave the key in
> > place.) Then add the older certificate that will be valid according
> > to the system time. Then Dogtag should start, and you should be able
> > to continue recovering the system.
> >
> > HTH,
> > Fraser
>
> --
> Christof Schulze
>
> Institute of Materials Simulation (WW8)
> Department of Materials Science
> Friedrich-Alexander-University Erlangen-Nürnberg
> Dr.-Mack-Str. 77,
> 90762 Fürth, Germany
>
> Tel: 0911/65078-65069
> Email: christof.schulze(a)ww.uni-erlangen.de
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
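An added check (not from the thread or from FreeIPA itself) that automates the comparison Christof made by hand: the renewal master recorded in LDAP (`ipa config-show`), the CRL flag in CS.cfg, and certmonger's post-save command for the CA subsystem cert. It assumes, as the thread does, that the renewal master is also the CRL generator; the host name idm1.example.test and the sample inputs are constructed.

```sh
#!/bin/sh
# Cross-check the three places a CA host's "renewal master" role shows up.
# Expected on the renewal master: enableCRLUpdates=true, post-save renew_ca_cert.
# Expected on every other CA host: enableCRLUpdates=false, post-save restart_pkicad.
# Inputs are passed as text so this runs offline; on a real host feed it the
# output of `ipa config-show`, /etc/pki/pki-tomcat/ca/CS.cfg and
# `getcert list -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca"`.

# Usage: check_renewal_master <this-host-fqdn> <config-show> <cs.cfg> <getcert-list>
# Prints "consistent" (exit 0) or "mismatch: ..." (exit 1).
check_renewal_master() {
    host=$1 config_show=$2 cscfg=$3 getcert_out=$4
    ldap_master=$(printf '%s\n' "$config_show" | sed -n 's/^ *IPA CA renewal master: *//p')
    crl_updates=$(printf '%s\n' "$cscfg" | sed -n 's/^ca\.crl\.MasterCRL\.enableCRLUpdates=//p')
    post_save=$(printf '%s\n' "$getcert_out" | sed -n 's/^ *post-save command: *//p')

    # What the local config should look like for this host's role.
    if [ "$ldap_master" = "$host" ]; then
        want_crl=true; want_cmd=renew_ca_cert
    else
        want_crl=false; want_cmd=restart_pkicad
    fi

    problems=
    [ "$crl_updates" = "$want_crl" ] ||
        problems="$problems enableCRLUpdates=${crl_updates:-unset}(expected $want_crl)"
    case $post_save in
        *"$want_cmd"*) ;;
        *) problems="$problems post-save=${post_save:-unset}(expected $want_cmd)" ;;
    esac

    if [ -z "$problems" ]; then echo consistent; return 0; fi
    echo "mismatch:$problems"; return 1
}

# Constructed sample reproducing the thread's broken state: LDAP says this
# host is the renewal master, but CS.cfg and certmonger are set up as a clone.
SAMPLE_HOST=idm1.example.test
SAMPLE_CONFIG_SHOW='  IPA CA renewal master: idm1.example.test'
SAMPLE_CSCFG='ca.crl.MasterCRL.enableCRLUpdates=false
ca.crl.MasterCRL.enableCRLCache=false'
SAMPLE_GETCERT='  post-save command: /usr/libexec/ipa/certmonger/restart_pkicad "subsystemCert cert-pki-ca"'

check_renewal_master "$SAMPLE_HOST" "$SAMPLE_CONFIG_SHOW" "$SAMPLE_CSCFG" "$SAMPLE_GETCERT" ||
    echo "exit status $?"
```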