[Freeipa-users] Trying to renew the CA cert, but NEWLY_ADDED_NEED_KEYINFO_READ_PIN

Rob Crittenden rcritten at redhat.com
Fri Jun 21 13:30:12 UTC 2013


Joshua J. Kugler wrote:
> So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA
> server:
>
> ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot
> connect to 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial':
> [Errno -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).
>

I thought you said in a different thread that it wasn't the CA that was 
expired, but the tomcat cert.

> Figured out that it uses the certs in /var/lib/pki-ca/alias.
>
> Per
>
> https://docs.fedoraproject.org/en%2dUS/Fedora/15/html/FreeIPA_Guide/certmonger%2dtracking%2dcerts.html
>
> I tried adding it to cert monger:
>
> # ipa-getcert start-tracking -I CAServerCert -d /var/lib/pki-ca/alias/ -n Server-Cert -r
> New tracking request "CAServerCert" added.
>
> But ipa-getcert list now tells me:
>
> Request ID 'CAServerCert':
> 	status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> 	stuck: yes
> 	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
> 	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
> 	CA: IPA
> 	issuer:
> 	subject:
> 	expires: unknown
> 	track: yes
> 	auto-renew: yes
>
> Okie dokie...where might I be able to find the PIN for the cert?  I see that
> the certs for httpd and slapd have a path to a pinfile, but I can't find
> anything like that for the CA cert.  I'm quite stuck. This expired cert, I'm
> pretty sure, is what is preventing me from using this machine to migrate to a
> new 3.0 machine (via replication).
>
> Any ideas how to get the CA cert renewed?
>
> I know how to generate a CSR and a cert, but I'm not sure 1) how I would add
> it into the cert DB, and 2) how I can add it without invalidating all my other
> certs.

certmonger in F-17 doesn't know how to renew the CA-related 
certificates. We fixed this in the IPA 3.1 timeframe. I'm not sure if 
the certmonger requires dogtag 10 for this feature or not, but it may. 
You'll want to upgrade to 3.1+ if you can.

So if it is just the tomcat cert that is expired, then for simplicity 
I'd set the time back on both systems (you'll need to kill ntp) to when 
the cert is valid and try that. I have the feeling you've already done 
this, but it is unclear what exactly you've tried.

rob
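As an added example (not from this thread, certmonger or FreeIPA), a small Python checker that parses `getcert list` output of the shape quoted above and reports the things an operator would want flagged: requests that are stuck, NSS key storage with no `pinfile=` (the PIN problem in the question), and certificates already expired or expiring soon. The sample output, request IDs and paths are constructed.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the output quoted in the thread (not captured from a real host).
SAMPLE = """\
Request ID 'CAServerCert':
\tstatus: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert'
\tCA: IPA
\texpires: unknown
Request ID '20130101000000':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',pinfile='/etc/httpd/alias/pwdfile.txt'
\tCA: IPA
\texpires: 2013-07-01 12:00:00 UTC
"""
TIME_FMT = "%Y-%m-%d %H:%M:%S %Z"  # the format certmonger uses for 'expires:'

def parse_getcert(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests.setdefault(m.group(1), {})
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def find_problems(requests, now, warn_days=30):
    """Yield (request_id, reason) for tracking requests an operator should look at."""
    for rid, f in requests.items():
        status, storage = f.get("status", ""), f.get("key pair storage", "")
        if f.get("stuck") == "yes":
            yield rid, f"stuck in {status}"
        if "NEED_KEYINFO_READ_PIN" in status and "pinfile=" not in storage:
            yield rid, "no pinfile= in key pair storage, so certmonger cannot read the NSS key"
        exp = f.get("expires", "unknown")
        if exp != "unknown":  # 'unknown' has no date to compare; the stuck check above covers it
            dt = datetime.strptime(exp, TIME_FMT).replace(tzinfo=timezone.utc)
            if dt <= now:
                yield rid, "certificate has expired"
            elif dt - now <= timedelta(days=warn_days):
                yield rid, f"expires in {(dt - now).days} days"

def audit(text, now_str):
    """Parse `text` and return the problem list as of `now_str` (same format as 'expires:')."""
    now = datetime.strptime(now_str, TIME_FMT).replace(tzinfo=timezone.utc)
    return list(find_problems(parse_getcert(text), now))
```

Run it against the real command with `audit(subprocess.check_output(["getcert", "list"], text=True), now_str)` from a cron job, and alert on a non-empty result.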
