[Freeipa-users] Trying to renew the CA cert, but NEWLY_ADDED_NEED_KEYINFO_READ_PIN
Joshua J. Kugler
joshua at azariah.com
Fri Jun 21 00:11:52 UTC 2013
So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA
server:
ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial': [Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).
Figured out that it uses the certs in /var/lib/pki-ca/alias.
Per
https://docs.fedoraproject.org/en%2dUS/Fedora/15/html/FreeIPA_Guide/certmonger%2dtracking%2dcerts.html
I tried adding it to cert monger:
# ipa-getcert start-tracking -I CAServerCert -d /var/lib/pki-ca/alias/ -n Server-Cert -r
New tracking request "CAServerCert" added.
But ipa-getcert list now tells me:
Request ID 'CAServerCert':
        status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
        stuck: yes
        key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
        CA: IPA
        issuer:
        subject:
        expires: unknown
        track: yes
        auto-renew: yes
Okie dokie...where might I be able to find the PIN for the cert? I see that
the certs for httpd and slapd have a path to a pinfile, but I can't find
anything like that for the CA cert. I'm quite stuck. This expired cert, I'm
pretty sure, is what is preventing me from using this machine to migrate to a
new 3.0 machine (via replication).
Any ideas how to get the CA cert renewed?
I know how to generate a CSR and a cert, but I'm not sure 1) how I would add
it into the cert DB, and 2) how I can add it without invalidating all my other
certs.
Any help would be fantastic!
j
--
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua at azariah.com - Jabber: pedahzur at gmail.com
PGP Key: http://pgp.mit.edu/ ID 0x73B13B6A
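Added example, not part of the original post and not certmonger's or FreeIPA's own code: a small audit script that parses `getcert list` / `ipa-getcert list` output of the shape shown above and flags the conditions the poster ran into. A status of NEWLY_ADDED_NEED_KEYINFO_READ_PIN means certmonger could not read the NSS database's token PIN; certmonger takes that PIN from a pin file given to `start-tracking` with `-p`, and a tracked NSS DB entry that has one shows `pinfile='...'` in its key pair storage line (as the httpd and slapd entries the poster mentions do). The script reports requests in a PIN-needing state with no pinfile, stuck requests, and certificates that are expired, of unknown expiry, or expiring within a threshold. The sample output embedded below is constructed for the example (the second request, its paths and its dates are illustrative, not from the post).

```python
"""Audit `getcert list` output for stuck requests, missing NSS token PINs and
near-term expiry. Stand-alone; the sample output below is constructed."""
import re
from datetime import datetime, timezone

# Constructed sample: mirrors the shape of `ipa-getcert list` output. The
# second request and its dates are illustrative, not taken from the post.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID 'CAServerCert':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
\tCA: IPA
\tissuer:
\tsubject:
\texpires: unknown
\ttrack: yes
\tauto-renew: yes
Request ID '20130101000000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=EXAMPLE.COM
\tsubject: CN=ipa.example.com,O=EXAMPLE.COM
\texpires: 2013-07-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s?(?P<value>.*)$")
# key=value pairs; quoted values may themselves contain commas
KV_RE = re.compile(r"(?P<k>\w+)=(?:'(?P<q>[^']*)'|(?P<u>[^,]*))")
# certmonger states in which it is waiting on a token PIN it cannot read
PIN_STATES = ("NEED_KEYINFO_READ_PIN", "NEED_PIN")


def parse_storage(spec):
    """Split a storage spec such as
    type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
    into a dict."""
    out = {}
    for m in KV_RE.finditer(spec):
        out[m.group("k")] = m.group("q") if m.group("q") is not None else m.group("u")
    return out


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the indented field names."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return records


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC', or 'unknown' when
    it has not yet been able to read the certificate."""
    if value in ("", "unknown"):
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def audit(records, now, warn_days=30):
    """Return (request_id, finding) tuples for anything needing attention."""
    findings = []
    for rec in records:
        rid = rec["request_id"]
        status = rec.get("status", "")
        storage = parse_storage(rec.get("key pair storage", ""))
        # PIN-needing state with no pinfile= on the NSS DB: certmonger has no
        # way to open the token, so the request will never leave this state.
        if any(s in status for s in PIN_STATES) and "pinfile" not in storage:
            findings.append((rid, "nss-pin-missing"))
        if rec.get("stuck") == "yes":
            findings.append((rid, "stuck"))
        exp = parse_expiry(rec.get("expires", ""))
        if exp is None:
            findings.append((rid, "expiry-unknown"))
        elif exp <= now:
            findings.append((rid, "expired"))
        elif (exp - now).days < warn_days:
            findings.append((rid, "expires-soon"))
    return findings


if __name__ == "__main__":
    now = parse_expiry("2013-06-21 00:11:52 UTC")  # the post's date, for a reproducible run
    for rid, finding in audit(parse_getcert_list(SAMPLE_OUTPUT), now):
        print(f"{rid}: {finding}")
```

On a live host, feed it `ipa-getcert list` output (for example `ipa-getcert list | python3 audit.py` with stdin read in place of SAMPLE_OUTPUT); an `nss-pin-missing` finding on an NSSDB request is the signal to re-run `start-tracking` with `-p` pointing at the token's pin file.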