On Mon, 2019-05-06 at 19:57 +0000, Timothy Geier via FreeIPA-users wrote:
Hello all,
After going through rather nasty cert renewal issues ~2 years ago, I
made sure to watch the next round of renewals very
closely. Fortunately, just about everything renewed on schedule and
automatically (a few certs needed the fix at
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-auth...
due to Invalid cookie: '' errors, though).
The only remaining issue is with one cert that's showing the
following:
Request ID '20170609034302':
status: MONITORING
ca-error: Server at "http://$SERVER:8080/ca/ee/ca/profileSubmit" \
replied: Certificate serial number {0} to be renewed is revoked. \
Cannot renew a revoked certificate
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias', \
nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias', \
nickname='Server-Cert cert-pki-ca', \
token='NSS Certificate DB'
<snip>
Said server is a CA replica and this cert has fortunately not yet
expired (it has until about the end of the month). After digging
into it some more, I found the cert in the web interface, where
"Revocation reason 4" was listed. That indicates that it was
superseded (according to RFC 5280), but I don't know when or why
this cert was revoked.
Do I just need to use ipa-getcert request on 'Server-Cert cert-pki-ca'
in /etc/pki/pki-tomcat/alias to create/install a new cert, or is there
something else that should be done here?
It turns out that that was the solution, but it wasn't quite that
straightforward. First, I had to stop tracking the troublesome cert:
# ipa-getcert stop-tracking -i 20170609034302
Then I could request a new one:
# ipa-getcert request -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' -r
However, it was stuck with
status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
stuck: yes
After some searching on this list, I found a similar issue. In this
case, the PIN can be found by running:
# grep internal /etc/pki/pki-tomcat/password.conf
The request can then be resubmitted:
# ipa-getcert resubmit -i $request_id -P $PIN
And now this cert is good for another 2 years.
Thanks,
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...