On 2020-11-03 2:30 p.m., Rob Crittenden via FreeIPA-users wrote:
> I'd suggest stopping certmonger and looking for the actual request file
> in /var/lib/certmonger/request (grep for id=<request id>).
> Make sure that the value in key_pin matches the value in
> /etc/pki/pki-tomcat/alias/pwdfile.txt
Even if they were expired, shouldn't the others show up in the
list? And of course, that date is rolled back so they shouldn't be
expired...
More details and a summary of the state of things:

Restarting certmonger and/or resubmitting certs does not cause
certmonger to throw any errors. pki-tomcatd has two messages when it
starts that don't stop it from starting:

  usr/share/pki/scripts/config: line 41: break: only meaningful in a `for', `while', or `until' loop
  cat: /usr/share/tomcat/conf/catalina.policy: No such file or directory
Nothing with respect to the renewals shows up in
/var/log/ipa/renew.log, even when I modified the ca with
'dogtag-ipa-ca-renew-agent-submit -vv'.

There are a couple of things:

  ipalib.plugable DEBUG ipaserver.plugins.virtual is not a valid plugin module
  ipalib.plugable DEBUG ipaserver.plugins.sudo is not a valid plugin module
If there are other errors elsewhere, I'm not sure where to look.
The passwords in /etc/pki/pki-tomcat/alias/pwdfile.txt (PIN1) and
/var/lib/ipa/passwds/ipa01.mydomain.com-443-RSA (PIN2) are not
the same. A third (different) password is in
/etc/dirsrv/slapd-MYREALM-COM/pwdfile.txt (PIN3). Notes about
key_pin and key_pin_file are from the individual request files in
/var/lib/certmonger/requests/
These certs are now fine:

  - type=FILE,location='/var/lib/ipa/ra-agent.pem' (no PIN in request)
  - type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' (request uses PIN1)
  - type=NSSDB,location='/etc/dirsrv/slapd-MYREALM-COM',nickname='Server-Cert',token='NSS Certificate DB' (PIN3)
  - type=FILE,location='/var/lib/krb5kdc/kdc.crt'