I have similar problems as the ones described in
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
My IPA setup has 2 masters, both running CentOS 7.6.
Today I got notified by Nagios that there were issues with my second
server, ipa2.
Checking ipactl, I noticed that nothing much was running. ipactl start
brought up a message that an upgrade was required (I apparently got an
ipa update yesterday that I installed). The upgrade failed.
Checking my certificates with getcert list gave me:
.
.
.
Request ID '20181001154055':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=HOME.FAZANT.NET
        subject: CN=ipa2.home.fazant.net,O=HOME.FAZANT.NET
        expires: 2019-04-25 21:33:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20181001154056':
So I reset the date to Mar 20 and did a resubmit for the certificate;
that failed (as in the submission went OK, but the cert did not get
renewed).
Checking Flo's blog:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
and
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
made me execute:
[root@ipa2 ~]# certutil -d /etc/pki/pki-tomcat/alias -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                                  u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
subsystemCert cert-pki-ca                                    u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
[root@ipa2 ~]#
and
#!/bin/bash
# List the private key of every cert-pki-ca certificate in the pki-tomcat NSS DB.
# /tmp/pwdfile.txt holds the NSS DB password for certutil -f.
for i in $(certutil -d /etc/pki/pki-tomcat/alias -L | grep cert-pki | awk '{print $1}'); do
    certutil -d /etc/pki/pki-tomcat/alias -K -f /tmp/pwdfile.txt -n "$i cert-pki-ca"
done
which resulted in:
[root@ipa2 ~]# bash /root/ss
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      4286ed93407806ec2727e6244cc3959ec726265e   caSigningCert cert-pki-ca
To answer Frazer's question in the follow-up to the mail from last
year: no, pki-tomcat is non-functional; I do have my second server
though.
Certutil -L gives me:
[root@ipa2 ~]# certutil -L 'ocspSigningCert cert-pki-ca'
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.
Any help getting this issue resolved would be much appreciated.
Kind regards, Louis
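As an added diagnostic, not part of Louis's mail or of FreeIPA itself: a script that parses the two certutil listings quoted above (the `-L` certificate table and the `-K` key listing) and reports which certificates have no private key that certutil could list, plus how many key-listing errors occurred. It assumes the output formats shown in the thread; the sample text it runs on is constructed from that output.

```shell
#!/bin/bash
# Added diagnostic, not from the original mail: cross-check the certificate
# nicknames in a pki-tomcat NSS database against the private keys certutil -K
# can actually list. Both helpers parse captured certutil text, so they run offline.
# cert_nicknames CERT_LIST: nicknames from `certutil -d <db> -L`; the last field
# of a certificate line is its trust string (u,u,u, CTu,Cu,Cu, ...).
cert_nicknames() {
    printf '%s\n' "$1" |
        awk 'NF >= 2 && $NF ~ /^[pPcCTuw,]+$/ { $NF = ""; sub(/[ \t]+$/, ""); print }'
}

# key_nicknames KEY_LIST: nicknames from `certutil -d <db> -K` key lines,
# which look like "< 0> rsa <key id> <nickname>".
key_nicknames() {
    printf '%s\n' "$1" | sed -n 's/^< *[0-9][0-9]*> *[a-z]* *[0-9a-f]* *//p'
}

# missing_keys CERT_LIST KEY_LIST: certificates with no listed private key.
missing_keys() {
    keys=$(key_nicknames "$2")
    cert_nicknames "$1" | while IFS= read -r nick; do
        printf '%s\n' "$keys" | grep -Fxq -- "$nick" || printf '%s\n' "$nick"
    done
}

# key_errors KEY_LIST: how many "problem listing keys" errors certutil -K printed.
key_errors() {
    printf '%s\n' "$1" | grep -c 'problem listing keys' || true
}

# Constructed samples mirroring the thread's output (the repeated
# "Checking token" lines between the errors are abbreviated to one).
SAMPLE_CERTS='Certificate Nickname                                 Trust Attributes
                                                     SSL,S/MIME,JAR/XPI

ocspSigningCert cert-pki-ca                          u,u,u
Server-Cert cert-pki-ca                              u,u,u
auditSigningCert cert-pki-ca                         u,u,Pu
subsystemCert cert-pki-ca                            u,u,u
caSigningCert cert-pki-ca                            CTu,Cu,Cu'
SAMPLE_KEYS='certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
certutil: problem listing keys: SEC_ERROR_UNRECOGNIZED_OID: Unrecognized Object Identifier.
< 0> rsa      4286ed93407806ec2727e6244cc3959ec726265e   caSigningCert cert-pki-ca'
echo "Certificates whose private key certutil -K could not list:"
missing_keys "$SAMPLE_CERTS" "$SAMPLE_KEYS" | sed 's/^/  /'
echo "certutil -K errors: $(key_errors "$SAMPLE_KEYS")"
```

On a live server, feed it `certutil -d /etc/pki/pki-tomcat/alias -L` and `certutil -d /etc/pki/pki-tomcat/alias -K -f <pwdfile>` output instead of the samples; on the listing above it flags every certificate except caSigningCert.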