[Freeipa-users] Trying to renew the CA cert, but NEWLY_ADDED_NEED_KEYINFO_READ_PIN

Joshua J. Kugler joshua at azariah.com
Fri Jun 21 18:17:26 UTC 2013


On Friday, June 21, 2013 09:30:12 Rob Crittenden wrote:
> Joshua J. Kugler wrote:
> > So, ongoing saga of a FreeIPA 2.x system with an expired cert for the CA
> > server:
> > 
> > ca-error: Server failed request, will retry: 907 (RPC failed at server.
> > cannot connect to
> > 'https://ipa0.lab.whamcloud.com:9443/ca/agent/ca/displayBySerial': [Errno
> > -8181] (SEC_ERROR_EXPIRED_CERTIFICATE) Peer's Certificate has expired.).
> I thought you said in a different thread that it wasn't the CA that was
> expired, but the tomcat cert.

According to our conversation in IRC (a while back) this indicates the Tomcat 
cert is expired. :)  The cert in /etc/ipa/ca.crt (which I assume is the actual 
CA cert) is good until 2019.  That was why I was trying to renew the tomcat 
Server-Cert.

> > Any ideas how to get the CA cert renewed?
> > 
> > I know how to generate a CSR and a cert, but I'm not sure 1) how I would
> > add it into the cert DB, and 2) how I can add it without invalidating all
> > my other certs.

Sorry, I wasn't clear. Any idea how to renew the cert in /var/lib/pki-ca/alias 
(Server-Cert)?

> certmonger in F-17 doesn't know how to renew the CA-related
> certificates. We fixed this in the IPA 3.1 timeframe. I'm not sure if
> the certmonger requires dogtag 10 for this feature or not, but it may.
> You'll want to upgrade to 3.1+ if you can.
> 
> So if it is just the tomcat cert that is expired, then for simplicity
> I'd set the time back on both systems (you'll need to kill ntp) to when
> the cert is valid and try that. I have the feeling you've already done
> this, but it is unclear what exactly you've tried.

Yes, I've tried setting the clock back, and that works to renew the service 
certs. But the cert for the Tomcat server was never added to certmonger for 
some reason, so it was never renewed, which means the service certs don't 
renew properly, which leads to our current need to get off this instance (along 
with the LDAP server dying after too many requests, but that's a separate 
issue).

j

-- 
Joshua J. Kugler - Fairbanks, Alaska
Azariah Enterprises - Programming and Website Design
joshua at azariah.com - Jabber: pedahzur at gmail.com
PGP Key: http://pgp.mit.edu/  ID 0x73B13B6A
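A small diagnostic for the situation this message describes (a Server-Cert in the CA's NSS database that certmonger never tracked, so it silently expired): this is an added Python example, not part of the thread, that parses constructed samples of `certutil -L` and `getcert list` output and reports expiry and tracking status. The sample output, the nicknames and the timestamps are constructed; on a live system you would feed it the real command output.

```python
import re
from datetime import datetime, timezone

# Constructed sample of `certutil -L -n Server-Cert -d /var/lib/pki-ca/alias`
# output, trimmed to the validity block (not real output from the thread).
CERTUTIL_OUT = """\
Certificate:
    Data:
        Validity:
            Not Before: Thu Jun 21 18:00:00 2012
            Not After : Fri Jun 21 18:00:00 2013
"""

# Constructed sample of `getcert list` output: only the HTTP server cert is
# tracked; the CA's own Server-Cert is absent, mirroring the message above.
GETCERT_OUT = """\
Number of certificates and requests being tracked: 1.
Request ID '20120621180000':
\tstatus: MONITORING
\tstash: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
"""

def not_after(certutil_text):
    """Return the 'Not After' timestamp from certutil -L output as a UTC datetime."""
    m = re.search(r"Not After\s*:\s*(.+)", certutil_text)
    if not m:
        raise ValueError("no 'Not After' line in certutil output")
    return datetime.strptime(m.group(1).strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)

def tracked_nicknames(getcert_text):
    """Return the set of (NSS DB location, nickname) pairs certmonger is tracking."""
    pat = re.compile(r"certificate: type=NSSDB,location='([^']+)',nickname='([^']+)'")
    return set(pat.findall(getcert_text))

def check_cert(certutil_text, getcert_text, location, nickname, now):
    """Report whether the cert is expired (days_left < 0) and whether certmonger tracks it."""
    expiry = not_after(certutil_text)
    return {
        "expired": now >= expiry,
        "days_left": (expiry - now).days,
        "tracked": (location, nickname) in tracked_nicknames(getcert_text),
    }

def demo():
    """Run the check at the date of this thread (21 Jun 2013) against the constructed samples."""
    now = datetime(2013, 6, 21, 18, 17, 26, tzinfo=timezone.utc)
    return check_cert(CERTUTIL_OUT, GETCERT_OUT, "/var/lib/pki-ca/alias", "Server-Cert", now)

if __name__ == "__main__":
    print(demo())
```

An untracked cert with a negative `days_left` is exactly the case where clock rollback renews the service certs but not the CA's Tomcat cert.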