<div dir="ltr"><div>Looks like you need to get the PIN associated with the cert.<code><br><br> # grep 'internal=' /var/lib/pki/pki-tomcat/conf/password.conf
</code><br><br></div>Then replace <pin> with the PIN in the command above.<br> <br><code> # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent</code></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard <span dir="ltr"><<a href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div><div>I think my problem is deeper than that. I was following this guide: <a href="http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers" target="_blank">http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers</a> and executed the commands related to having an external CA - which we do not have. I now get this message for the CA:<br><br>Request ID '20170101055025':<br> status: NEED_KEY_GEN_PIN<br> stuck: yes<br> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',pin set<br> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'<br> CA: dogtag-ipa-ca-renew-agent<br> issuer:<br> subject:<br> expires: unknown<br> pre-save command:<br> post-save command:<br> track: yes<br> auto-renew: yes<br><br></div>Is there any way I can recover?<br><br></div>Jeff<br><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jeff Goddard wrote:<br>
> I've done this.<br>
> [root@id-management-1 ipa]# date<br>
> Sun Jan 1 01:12:27 EST 2017<br>
><br>
> getcert list gives me this as the first entry:<br>
><br>
> Request ID '20150116162120':<br>
> status: CA_UNREACHABLE<br>
> ca-error: Server at<br>
> <a href="https://id-management-1.internal.emerlyn.com/ipa/xml" rel="noreferrer" target="_blank">https://id-management-1.internal.emerlyn.com/ipa/xml</a> failed request,<br>
> will retry: 4001 (RPC failed at server. ipa: Certificate Authority not<br>
> found).<br>
> stuck: no<br>
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'<br>
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'<br>
> CA: IPA<br>
> issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
> subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM<br>
> expires: 2017-01-16 16:21:20 UTC<br>
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>
> eku: id-kp-serverAuth,id-kp-clientAuth<br>
> pre-save command:<br>
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd<br>
> track: yes<br>
> auto-renew: yes<br>
><br>
> Restarting certmonger multiple times doesn't help.<br>
<br>
Sorry, I missed a step. When you go back in time you first need to<br>
restart IPA. The CA isn't up.<br>
<br>
rob<br>
<br>
><br>
> Jeff<br>
><br>
> On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>>> wrote:<br>
><br>
> Jeff Goddard wrote:<br>
> > Flo,<br>
> ><br>
> > I'm not able to access the link you posted. I did find this thread<br>
> > though<br>
> ><br>
> > <a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html</a><br>
> > and have set the time back and resubmitted a request. Still no<br>
> > success.<br>
> > Any further hints?<br>
><br>
> You need to stop ntpd, go back in time to when the certs are valid and<br>
> restart the certmonger service.<br>
><br>
> Then use getcert list to monitor things. You really only care about the<br>
> CA subsystem certs at this point.<br>
><br>
> You may need to restart certmonger more than once to get all the certs<br>
> updated (you can manually call getcert resubmit -i <id> if you'd<br>
> prefer).<br>
><br>
> Once that is done return to present day, restart ntpd then ipactl<br>
> restart.<br>
><br>
> rob<br>
><br>
</blockquote></div></div></div>
<br>--<br>
Manage your subscription for the Freeipa-users mailing list:<br>
<a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/mailman/listinfo/freeipa-users</a><br>
Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>Alan Heverley<br></div></div></div></div></div>
</div>
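An added check, not from this thread or from FreeIPA/certmonger, that parses output in the `getcert list` layout quoted above and flags the request states the thread ran into (CA_UNREACHABLE, NEED_KEY_GEN_PIN with stuck: yes) so they stand out before a cert expiry turns into an outage; the sample input reuses the thread's two entries and adds one constructed healthy entry with a made-up request ID.

```shell
# Added example, not from the thread or FreeIPA: triage `getcert list` output so
# stuck or erroring requests stand out. On a server: getcert list | getcert_triage
# Anything other than status=MONITORING with stuck=no is flagged ATTENTION. In the
# thread, CA_UNREACHABLE meant the CA itself was down (restart IPA first), and
# NEED_KEY_GEN_PIN with stuck=yes meant certmonger had no PIN for the NSS database.
getcert_triage() {
  awk -v q="'" '
    function emit() {
      if (id != "") {
        flag = (status == "MONITORING" && stuck == "no") ? "ok" : "ATTENTION"
        printf "%s %s status=%s stuck=%s nickname=%s expires=%s\n", flag, id, status, stuck, nick, expires
      }
      id = ""; status = ""; stuck = ""; nick = ""; expires = ""
    }
    /^Request ID/ {
      emit()
      if (match($0, q "[^" q "]*" q)) id = substr($0, RSTART + 1, RLENGTH - 2)
      next
    }
    /^[ \t]*status:/ { status = $2 }
    /^[ \t]*stuck:/  { stuck = $2 }
    /^[ \t]*certificate:/ {
      if (match($0, "nickname=" q "[^" q "]*" q)) nick = substr($0, RSTART + 10, RLENGTH - 11)
    }
    /^[ \t]*expires:/ { sub(/^[ \t]*expires:[ \t]*/, ""); expires = $0 }
    END { emit() }
  '
}
# Constructed sample: the two entries quoted in the thread (trimmed to the fields
# parsed here) plus one healthy entry with a made-up request ID.
sample_getcert_output() {
  cat <<'EOF'
Request ID '20150116162120':
 status: CA_UNREACHABLE
 stuck: no
 certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
 expires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
 status: NEED_KEY_GEN_PIN
 stuck: yes
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
 expires: unknown
Request ID '20170101055026':
 status: MONITORING
 stuck: no
 certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
 expires: 2018-12-22 10:00:00 UTC
EOF
}
sample_getcert_output | getcert_triage
```

Each output line is one request: a flag, the request ID, then status, stuck, nickname and expiry, so the two broken requests from the thread surface as ATTENTION while the healthy one reads ok.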