ARRRGGGHHHH!!! ‘Server-Cert cert-pki-ca’ is missing again. Trying to recover it from the
/etc/pki/pki-tomcat/alias directory via pk12util is not giving me the key, so that I can
re-import it and get it trusted. The certutil -L command is showing a trust of ‘,,’,
rather than ‘u,u,u’ because of the missing key. At this point, I think that I need to
regenerate that certificate, import it, and then reset it to tracking the new one again.
The piece I can’t seem to piece together is how to generate that certificate. (Yeah, it’s
probably simple and I’m so deep in that I can’t see it.)
Thanks,
GH
On Feb 1, 2022, at 3:03 PM, Rob Crittenden <rcritten@redhat.com> wrote:
GH via FreeIPA-users wrote:
The best I could tell was an upgrade back in Dec. 2019/Jan. 2020. It seems like it was a
move from NSS to SSL for a number of pieces? Anyways, I'd had Ipsilon configured on
the same server, and that move didn't make things happy as there was a port overlap.
(Unsupported configuration, I know.) Lots of reconfiguration and copying certs around to
get it straightened out.
Right now, everything starts on both servers. However, on the "secondary" that
is not the renewal master, there's a number of "certificate doesn't match the
CS.cfg" errors.
'ocspSigningCert cert-pki-ca'
'subsystemCert cert-pki-ca'
'Server-Cert cert-pki-ca'
'auditSigningCert cert-pki-ca'
Along with a:
"msg": "Incorrect NSS trust for Server-Cert cert-pki-ca. Got ,, expected u,u,u",
The "primary", which is the renewal master listed on both boxes, shows none of
those errors. At one point, I had figured out how to "force sync" the certs,
but I've since forgotten.
This means there is no associated private key with the certificate. The
"Server-Cert cert-pki-ca" certificate is used by tomcat and is unique
per installation. The others are common and need to be identical on all CAs.
What does getcert list show?
rob
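The ",," versus "u,u,u" distinction Rob points to (the 'u' flag marks a cert whose private key is present in the NSS database) can be checked across a whole `certutil -L` listing. The following is an added example, not code from the thread or from FreeIPA; the listing it parses is a constructed sample modelled on the nicknames and trust values quoted above, and `find_keyless_certs` / `trust_of` are hypothetical helper names.

```shell
#!/bin/sh
# Added example: report NSS certificates whose trust attributes carry no 'u'
# flag in any column, i.e. entries listed with ",," instead of "u,u,u" because
# the private key is not in the database. Input is `certutil -L` output on stdin.

# Constructed sample of `certutil -L -d /etc/pki/pki-tomcat/alias`; the
# Server-Cert line reproduces the ",," trust reported in the thread.
SAMPLE_CERTUTIL_OUTPUT='
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      ,,
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
'

# Print one nickname per line for every entry whose trust string lacks 'u'.
# Nicknames may contain spaces, so the trust column is taken as the last field
# and the remaining fields are rejoined to recover the full nickname.
find_keyless_certs() {
    awk '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            trust = $NF
            $NF = ""                       # drop trust column, rebuild $0
            sub(/[ \t]+$/, "", $0)         # strip trailing blank left behind
            if (trust !~ /u/) print $0
        }
    '
}

# Print the trust string recorded for one nickname (empty if not listed).
trust_of() {
    awk -v want="$1" '
        /^Certificate Nickname/ || /SSL,S\/MIME,JAR\/XPI/ || NF == 0 { next }
        {
            trust = $NF
            $NF = ""
            sub(/[ \t]+$/, "", $0)
            if ($0 == want) { print trust; exit }
        }
    '
}

# Stand-alone run over the constructed sample; prints "Server-Cert cert-pki-ca".
printf '%s\n' "$SAMPLE_CERTUTIL_OUTPUT" | find_keyless_certs
```

Against a live database the same filter is `certutil -L -d /etc/pki/pki-tomcat/alias | find_keyless_certs`; a CA signing cert held only as a public cert would also appear, so read the output against what each nickname is expected to carry.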