Got it!  A ‘ipa-getcert resubmit -I $Serial’ did it.  It’s now showing in the certutil as trusted.  Now to see if it will ipa-server-upgrade correctly.  Thanks!

Thanks,

Greg Harris

On Nov 22, 2022, at 4:26 PM, Greg Harris <gharris@teamexpansion.org> wrote:

I just discovered that ipa-certupdate is removing the 'Server-Cert cert-pki-ca' from 'certutil -L -d /etc/pki/pki-tomcat/alias/' when the trust flags aren't correct.  However, the new cert is still in 'getcert list' as monitoring.

I did a 'ipa-getcert request -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -r -P $thePin' after stop-tracking the old one.  It did create it as above, but the old one was still in certutil when I did that.

Thanks,

Greg Harris

On Nov 22, 2022, at 4:17 PM, Greg Harris <gharris@teamexpansion.org> wrote:

It’s 4.6.8-5.el7.centos.12.

Yes, it’s strange that it would disappear.  I believe that it renewed the certificate, but may not have updated correctly.  The first thing I found was that the certificate wasn’t there.  I was able to restore the .crt from the CS.cfg file, but that of course doesn’t have the key.  

I also could have inadvertently compounded problems with another series of commands.   Attempting to move to el9, I then found that I had to go through el8 the hard way, though that went sideways also for a different reason.  I wouldn’t expect that adding and removing servers during this time should have fouled up the cert database, but I’ve done weirder things to machines before.

Thanks,

Greg Harris

On Nov 22, 2022, at 4:08 PM, Rob Crittenden <rcritten@redhat.com> wrote:

Greg Harris wrote:
ARRRGGGHHHH!!!  ‘Server-Cert cert-pki-ca’ is missing again.  Trying to
recover it from the /etc/pki/pki-tomcat/alias directory via pk12util is
not giving me the key, so that I can re-import it and get it trusted.
 The certutil -L command is showing a trust of ‘,,’, rather than ‘u,u,u’
because of the missing key.  At this point, I think that I need to
regenerate that certificate, import it, and then reset it to tracking
the new one again.  The piece I can’t seem to piece together is how to
generate that certificate.  (Yeah, it’s probably simple and I’m so deep
in that I can’t see it.)

What version of IPA is this?

It is unusual for a key to disappear.

rob


Thanks,

GH

On Feb 1, 2022, at 3:03 PM, Rob Crittenden <rcritten@redhat.com> wrote:

GH via FreeIPA-users wrote:
The best I could tell was an upgrade back in Dec. 2019/Jan. 2020.  It
seems like it was a move from NSS to SSL for a number of pieces?
 Anyways, I'd had Ipsilon configured on the same server, and that
move didn't make things happy as there was a port overlap.
 (Unsupported configuration, I know.)  Lots of reconfiguration and
copying certs around to get it straightened out.  

Right now, everything starts on both servers.  However, on the
"secondary" that is not the renewal master, there's a number of
"certificate doesn't match the CS.cfg" errors.  
'ocspSigningCert cert-pki-ca'
'subsystemCert cert-pki-ca'
'Server-Cert cert-pki-ca'
'auditSigningCert cert-pki-ca'

Along with a:
"msg": "Incorrect NSS trust for Server-Cert cert-pki-ca. Got ,,
expected u,u,u",

The "primary", which is the renewal master listed on both boxes,
shows none of those errors.  At one point, I had figured out how to
"force sync" the certs, but I've since forgotten.


This means there is no associated private key with the certificate. The
"Server-Cert cert-pki-ca" certificate is used by tomcat and is unique
per installation. The others are common and need to be identical on
all CAs.

What does getcert list show?

rob
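An added check, not code from this thread or from FreeIPA/certmonger: a small POSIX sh/awk script that parses 'certutil -L' output and reports nicknames whose trust string carries no 'u', i.e. a certificate stored without its private key, which is the condition behind the "Got ,, expected u,u,u" error Rob explains above. The certutil output it reads is a constructed sample embedded in the script (the ",," line for Server-Cert reproduces the symptom); on a live server the same functions take 'certutil -L -d /etc/pki/pki-tomcat/alias' on stdin instead.

```shell
#!/bin/sh
# Added example, not code from the thread: parse "certutil -L -d <nssdb>"
# output and flag certificates whose trust string shows no "u" (no private
# key in the database), the condition behind the
# "Incorrect NSS trust for Server-Cert cert-pki-ca. Got ,, expected u,u,u"
# message discussed in the thread.

# Constructed sample of certutil -L output standing in for a live
# /etc/pki/pki-tomcat/alias database; the ",," line reproduces the symptom.
SAMPLE_CERTUTIL_OUTPUT='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      ,,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u'

# trust_flags NICKNAME   (reads certutil -L output on stdin)
# Prints the trust column for NICKNAME, or nothing if it is absent.
trust_flags() {
    awk -v nick="$1" '
        $0 != "" {
            flags = $NF                                   # trust string is the last field
            sub(/[[:space:]]+[^[:space:]]+$/, "", $0)     # drop it, leaving the nickname
            if ($0 == nick) { print flags; exit }
        }'
}

# has_private_key NICKNAME   (reads certutil -L output on stdin)
# Succeeds when all three trust slots carry "u", i.e. the key is present.
has_private_key() {
    case "$(trust_flags "$1")" in
        *u*,*u*,*u*) return 0 ;;
        *)           return 1 ;;
    esac
}

# nicknames_without_key   (reads certutil -L output on stdin)
# Prints every nickname whose SSL trust slot lacks "u": a certificate
# stored without its private key, as seen for Server-Cert in the thread.
nicknames_without_key() {
    awk '
        $0 != "" {
            flags = $NF
            n = split(flags, slot, ",")                   # header lines never split into 3 with a nickname left
            sub(/[[:space:]]+[^[:space:]]+$/, "", $0)
            if (n == 3 && $0 != "" && slot[1] !~ /u/) print $0
        }'
}

# Stand-alone run against the constructed sample.
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | nicknames_without_key | while read -r nick; do
    echo "no private key for '$nick' (trust flags: $(printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | trust_flags "$nick"))"
done
```

Against the sample this reports only 'Server-Cert cert-pki-ca'; the CA certificate's "CTu,Cu,Cu" still counts as key-present because the check looks for the 'u' flag rather than an exact "u,u,u" match, so it works for the CA signing cert as well as the tomcat and subsystem certs.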