<div dir="ltr"><div>I've followed the instructions related to my error here: <a href="http://www.freeipa.org/page/Troubleshooting#PKI_Issues">http://www.freeipa.org/page/Troubleshooting#PKI_Issues</a> but I still haven't found a solution.<br><br></div>Jeff<br><div><div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <span dir="ltr"><<a href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div><div>Alan,<br><br></div>Thank you so VERY much. That resolved the issue for the CA signing certificate. However, I'm still seeing <br><br>        ca-error: Server at "<a href="https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess" target="_blank">https://id-management-1.<wbr>internal.emerlyn.com:8443/ca/<wbr>agent/ca/profileProcess</a>" replied: 1: Invalid Credential.<br><br></div>On multiple requests which have expiration dates in the past. Is there something else I need to do?<br><br></div>Jeff<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <span dir="ltr"><<a href="mailto:aheverle@redhat.com" target="_blank">aheverle@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Looks like you need to get the PIN associated with the cert.<code><br><br> # grep 'internal=' /var/lib/pki/pki-tomcat/conf/p<wbr>assword.conf
</code><br><br></div>Then replace <pin> with the PIN in the command above.<br> <br> # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent</div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <span dir="ltr"><<a href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div><div>I think my problem is deeper than that. I was following this guide: <a href="http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers" target="_blank">http://www.freeipa.org/p<wbr>age/Howto/CA_Certificate_Renew<wbr>al#Renew_CA_Certificate_on_CA_<wbr>Servers</a> and executed the commands related to having an external CA - which we do not have. I now get this message for the CA:<br><br>Request ID '20170101055025':<br>        status: NEED_KEY_GEN_PIN<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca',pin set<br>        certificate: type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='ca<wbr>SigningCert cert-pki-ca'<br>        CA: dogtag-ipa-ca-renew-agent<br>        issuer:<br>        subject:<br>        expires: unknown<br>        pre-save command:<br>        post-save command:<br>        track: yes<br>        auto-renew: yes<br><br></div>Is there any way I can recover?<br><br></div>Jeff<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Jeff Goddard wrote:<br>
> I've done this.<br>
> [root@id-management-1 ipa]# date<br>
> Sun Jan  1 01:12:27 EST 2017<br>
><br>
>  getcert list give me this as the first entry:<br>
><br>
> Request ID '20150116162120':<br>
>         status: CA_UNREACHABLE<br>
>         ca-error: Server at<br>
> <a href="https://id-management-1.internal.emerlyn.com/ipa/xml" rel="noreferrer" target="_blank">https://id-management-1.intern<wbr>al.emerlyn.com/ipa/xml</a> failed request,<br>
> will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not<br>
> found).<br>
>         stuck: no<br>
>         key pair storage:<br>
> type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS<br>
> Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
>         certificate:<br>
> type=NSSDB,location='/etc/http<wbr>d/alias',nickname='Server-Cert<wbr>',token='NSS<br>
> Certificate DB'<br>
>         CA: IPA<br>
>         issuer: CN=Certificate Authority,O=<a href="http://INTERNAL.EMERLYN.COM" rel="noreferrer" target="_blank">INTERNAL.EMERLYN.C<wbr>OM</a><br>
> <<a href="http://INTERNAL.EMERLYN.COM" rel="noreferrer" target="_blank">http://INTERNAL.EMERLYN.COM</a>><br>
>         subject: CN=<a href="http://id-management-1.internal.emerlyn.com" rel="noreferrer" target="_blank">id-management-1.internal.em<wbr>erlyn.com</a><br>
> <<a href="http://id-management-1.internal.emerlyn.com" rel="noreferrer" target="_blank">http://id-management-1.intern<wbr>al.emerlyn.com</a>>,O=<a href="http://INTERNAL.EMERLYN.COM" rel="noreferrer" target="_blank">INTERNAL.EME<wbr>RLYN.COM</a><br>
> <<a href="http://INTERNAL.EMERLYN.COM" rel="noreferrer" target="_blank">http://INTERNAL.EMERLYN.COM</a>><br>
>         expires: 2017-01-16 16:21:20 UTC<br>
>         key usage:<br>
> digitalSignature,nonRepudiatio<wbr>n,keyEncipherment,dataEncipher<wbr>ment<br>
>         eku: id-kp-serverAuth,id-kp-clientA<wbr>uth<br>
>         pre-save command:<br>
>         post-save command: /usr/lib64/ipa/certmonger/rest<wbr>art_httpd<br>
>         track: yes<br>
>         auto-renew: yes<br>
><br>
> Restarting certmonger multiple times doesn't help.<br>
<br>
Sorry, I missed a step. When you go back in time you first need to<br>
restart IPA. The CA isn't up.<br>
<br>
rob<br>
<br>
><br>
> Jeff<br>
><br>
><br>
><br>
><br>
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
><br>
>     Jeff Goddard wrote:<br>
>     > Flo,<br>
>     ><br>
>     > I'm not able to access the link you posted. I did find this thread<br>
>     > though<br>
>     ><br>
>     <a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/archiv<wbr>es/freeipa-users/2015-June/msg<wbr>00144.html</a> <<a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/archiv<wbr>es/freeipa-users/2015-June/msg<wbr>00144.html</a>><br>
>     ><br>
>     <<a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/archi<wbr>ves/freeipa-users/2015-June/ms<wbr>g00144.html</a><br>
>     <<a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/archi<wbr>ves/freeipa-users/2015-June/ms<wbr>g00144.html</a>>><br>
>     > and have set the time back and resubmitted a request. Still no<br>
>     success.<br>
>     > Any further hints?<br>
><br>
>     You need to stop ntpd, go back in time to when the certs are valid and<br>
>     restart the certmonger service.<br>
><br>
>     Then use getcert list to monitor things. You really only care about the<br>
>     CA subsystem certs at this point.<br>
><br>
>     You may need to restart certmonger more than once to get all the certs<br>
>     updated (you can manually call getcert resubmit -i <id> if you'd<br>
>     prefer).<br>
><br>
>     Once that is done return to present day, restart ntpd then ipactl<br>
>     restart.<br>
><br>
>     rob<br>
><br>
><br>
><br>
<span class="gmail-m_-1655637140588152324m_-1030805166120333311m_5542231483558015182HOEnZb"><font color="#888888">><br>
> --<br>
><br>
<br><span class="gmail-m_-1655637140588152324m_-1030805166120333311HOEnZb"><font color="#888888">
</font></span></font></span></blockquote></div><span class="gmail-m_-1655637140588152324m_-1030805166120333311HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br><div class="gmail-m_-1655637140588152324m_-1030805166120333311m_5542231483558015182gmail_signature"><div dir="ltr"><div><br></div><br></div></div><span class="gmail-m_-1655637140588152324HOEnZb"><font color="#888888">
</font></span></font></span></div></div><span class="gmail-m_-1655637140588152324HOEnZb"><font color="#888888">
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman<wbr>/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></font></span></blockquote></div><span class="gmail-m_-1655637140588152324HOEnZb"><font color="#888888"><br><br clear="all"><span class="gmail-HOEnZb"><font color="#888888"><br>-- <br><div class="gmail-m_-1655637140588152324m_-1030805166120333311gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Alan Heverley<br></div></div></div></div></div>
</font></span></font></span></div><span class="gmail-HOEnZb"><font color="#888888">
</font></span></blockquote></div><span class="gmail-HOEnZb"><font color="#888888"><br><br clear="all"><br>-- <br><div class="gmail-m_-1655637140588152324gmail_signature"><div dir="ltr"><br></div></div>
</font></span></div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature"><div dir="ltr"><div><div><div>Jeff Goddard<br></div><br></div></div><br></div></div>
</div></div></div></div>
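As an added example that is not part of the thread, the following parser reads `getcert list` output in the layout quoted above and flags tracking requests that are stuck, not in MONITORING state, carry a ca-error, or have already expired; the sample output is a constructed excerpt in that layout (the host name is a placeholder), not a capture from any of the posters' systems.

```python
# Added example, not from the thread: parse the `getcert list` layout quoted
# above and flag requests needing attention. SAMPLE is a constructed excerpt.
import re
from datetime import datetime, timezone

SAMPLE = """\
Request ID '20150116162120':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request,
will retry: 4001 (RPC failed at server.  ipa: Certificate Authority not
found).
        expires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
        status: NEED_KEY_GEN_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set
        expires: unknown
"""
FIELD = re.compile(r"^\s+([a-z][a-z -]*?): ?(.*)$")  # indented 'key: value' line

def parse_getcert_list(text):
    requests, current, key = [], None, None  # one dict per 'Request ID' block
    for line in text.splitlines():
        head = re.match(r"^Request ID '([^']+)':", line)
        if head:
            current, key = {"id": head.group(1)}, None
            requests.append(current)
        elif current is not None and (m := FIELD.match(line)):
            key = m.group(1)
            current[key] = m.group(2)
        elif current is not None and key:  # unindented: wrapped tail of the last value
            current[key] += " " + line.strip()
    return requests

def problems(req, now=None):  # reasons a request needs attention at time `now`
    now = now or datetime.now(timezone.utc)
    reasons = ["stuck"] if req.get("stuck") == "yes" else []
    if req.get("status") != "MONITORING":
        reasons.append("status " + req.get("status", "?"))
    if "ca-error" in req:
        reasons.append("ca-error: " + req["ca-error"])
    exp = req.get("expires", "unknown")  # 'unknown' while no cert is stored yet
    if exp.endswith(" UTC"):
        when = datetime.strptime(exp[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if when < now:
            reasons.append("expired " + exp)
    return reasons

def report(text, now=None):  # request id -> reasons; healthy requests are omitted
    return {r["id"]: p for r in parse_getcert_list(text) if (p := problems(r, now))}
```

Run `report(open("getcert.txt").read())` against a saved `getcert list` capture; an empty dict means every tracked certificate is in MONITORING state and still valid.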