Update.
Thanks to the invaluable help of Florence. Truly terrific.
What we ended up doing.
Investigate why it happened. No idea. Check that certificates on the other CA are still valid. Check
Move CRL to the working CA. Check https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/htm...
Figure out the parameters to pass to getcert to start-tracking the 8 certificates. Check
Execute the following commands to start tracking the certificates.
getcert start-tracking -d /etc/httpd/alias -n "Server-Cert" -c IPA -p /etc/httpd/alias/pwdfile.txt -C '/usr/libexec/ipa/certmonger/restart_httpd'
getcert start-tracking -d /etc/dirsrv/slapd-UNI-LU -n "Server-Cert" -c IPA -p /etc/dirsrv/slapd-UNI-LU/pwdfile.txt -C '/usr/libexec/ipa/certmonger/restart_dirsrv UNI-LU'
Figure out the PIN for the hidden PIN entry.
grep internal /etc/pki/pki-tomcat/password.conf
Run the commands by providing the PIN on the CLI.
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" -c dogtag-ipa-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"'
Realize a helper command was missing. Add it.
getcert add-ca -c dogtag-ipa-ca-renew-agent -e /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit
Add the remaining certificates.
getcert start-tracking -d /etc/httpd/alias -n "ipaCert" -c dogtag-ipa-ca-renew-agent -p /etc/httpd/alias/pwdfile.txt -B '/usr/libexec/ipa/certmonger/renew_ra_cert_pre' -C '/usr/libexec/ipa/certmonger/renew_ra_cert'
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"'
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"'
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"'
getcert start-tracking -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" -c dogtag-ipa-ca-renew-agent -P <pin code> -B '/usr/libexec/ipa/certmonger/stop_pkicad' -C '/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"'
Check that the certificates match the other CA.
getcert list
Check that all are Monitoring.
[root@toto2 ~]# getcert list | grep MONITORING | wc -l
8
Check that serials match between the two CA servers.
certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
certutil -L -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" | grep Serial
certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" | grep Serial
certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" | grep Serial
certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | grep Serial
certutil -L -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" | grep Serial
The other 3 are supposed to be different.
After that, we move the CRL back to the original server and assume everything is OK.
If anybody has any comments on this process, please do let the community know, as I hope I'm not the only one with this problem.
Kind regards, Christophe
--
Dr Christophe Trefois, Dipl.-Ing. Technical Specialist / Post-Doc
UNIVERSITÉ DU LUXEMBOURG
LUXEMBOURG CENTRE FOR SYSTEMS BIOMEDICINE Campus Belval | House of Biomedicine 6, avenue du Swing L-4367 Belvaux T: +352 46 66 44 6124 F: +352 46 66 44 6949 http://www.uni.lu/lcsb
[Facebook]https://www.facebook.com/trefex [Twitter] https://twitter.com/Trefex [Google Plus] https://plus.google.com/+ChristopheTrefois/ [Linkedin] https://www.linkedin.com/in/trefoischristophe [skype] http://skype:Trefex?call
---- This message is confidential and may contain privileged information. It is intended for the named recipient only. If you receive it in error please notify me and permanently delete the original message and any copies. ----
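The two verification steps at the end of the procedure above (every tracking request in MONITORING state, and the replicated CA certificates carrying the same serial on both CA masters while the three host-specific Server-Cert entries are allowed to differ) can be scripted instead of eyeballed. The following is an added example, not part of Christophe's mail or of FreeIPA itself: it parses the text output of `getcert list` and of `certutil -L ... | grep Serial` captured from each server. The sample output embedded below is constructed and abbreviated (two of the eight requests), and the set of nicknames treated as shared between masters is an assumption taken from the list of certificates in the mail.

```python
"""Sanity checks for certmonger tracking on two FreeIPA CA replicas.

Parses `getcert list` output and `certutil -L ... | grep Serial` lines
(captured from each server; embedded here as constructed samples) and reports
  * tracking requests whose certmonger state is not MONITORING
  * shared CA certificates whose serials differ between the two servers
"""
import re

# Assumption: these nicknames are replicated between CA masters and must carry
# the same serial on both. The httpd/dirsrv/pki-tomcat "Server-Cert" entries
# are host-specific and are expected to differ.
SHARED_NICKNAMES = {
    "ipaCert",
    "caSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
}

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
STATUS_RE = re.compile(r"^\s*status:\s*(?P<status>\S+)")
CERT_RE = re.compile(r"^\s*certificate:.*location='(?P<loc>[^']*)',nickname='(?P<nick>[^']*)'")
SERIAL_RE = re.compile(r"Serial Number:\s*(?P<dec>\d+)\s*\(0x(?P<hex>[0-9a-fA-F]+)\)")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block: id, status, location, nickname."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id"), "status": None, "location": None, "nickname": None}
            requests.append(current)
            continue
        if current is None:
            continue
        m = STATUS_RE.match(line)
        if m:
            current["status"] = m.group("status")
            continue
        m = CERT_RE.match(line)
        if m:
            current["location"], current["nickname"] = m.group("loc"), m.group("nick")
    return requests


def not_monitoring(requests):
    """Nicknames of tracked certs that certmonger does not report as MONITORING."""
    return [r["nickname"] for r in requests if r["status"] != "MONITORING"]


def parse_serial(certutil_output):
    """Decimal serial from a `certutil -L -n <nick>` 'Serial Number:' line, or None."""
    m = SERIAL_RE.search(certutil_output)
    return int(m.group("dec")) if m else None


def serial_mismatches(serials_a, serials_b):
    """(nickname, serial_a, serial_b) for shared certs that differ or are missing."""
    out = []
    for nick in sorted(SHARED_NICKNAMES):
        a, b = serials_a.get(nick), serials_b.get(nick)
        if a is None or b is None or a != b:
            out.append((nick, a, b))
    return out


# Constructed sample: abbreviated `getcert list` output, two requests of eight,
# one healthy and one stuck, so the check has something to flag.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170519000001':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
Request ID '20170519000002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
"""

# Constructed sample: `certutil -L ... | grep Serial` output per nickname on each server.
RAW_SERIALS_A = {
    "ipaCert": "        Serial Number: 7 (0x7)",
    "caSigningCert cert-pki-ca": "        Serial Number: 1 (0x1)",
    "subsystemCert cert-pki-ca": "        Serial Number: 4 (0x4)",
    "ocspSigningCert cert-pki-ca": "        Serial Number: 2 (0x2)",
    "auditSigningCert cert-pki-ca": "        Serial Number: 5 (0x5)",
    "Server-Cert cert-pki-ca": "        Serial Number: 3 (0x3)",
}
RAW_SERIALS_B = dict(RAW_SERIALS_A, **{
    "subsystemCert cert-pki-ca": "        Serial Number: 14 (0xe)",  # diverged: must be flagged
    "Server-Cert cert-pki-ca": "        Serial Number: 12 (0xc)",    # host-specific: allowed
})


def serials_from_raw(raw):
    return {nick: parse_serial(text) for nick, text in raw.items()}


def run_checks():
    """Run both checks over the constructed samples and return the findings."""
    reqs = parse_getcert_list(SAMPLE_GETCERT)
    return {
        "tracked": len(reqs),
        "not_monitoring": not_monitoring(reqs),
        "serial_mismatches": serial_mismatches(serials_from_raw(RAW_SERIALS_A),
                                               serials_from_raw(RAW_SERIALS_B)),
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

On real servers, replace the constructed samples with the captured output of `getcert list` and of the `certutil -L ... | grep Serial` commands from each CA master; a non-empty `not_monitoring` or `serial_mismatches` list is the condition to investigate before moving the CRL back.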
On 18 May 2017, at 23:27, Christophe TREFOIS <christophe.trefois@uni.lu> wrote:
Hi,
I just saw that my CA CRL master is not tracking any certs.
However, my other CA master replica is tracking 8 certificates.
Is this normal and expected?
Thanks, Christophe
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
freeipa-users@lists.fedorahosted.org