[Freeipa-users] Subsystem certs not renewed
Rob Crittenden
rcritten at redhat.com
Mon Oct 14 15:01:14 UTC 2013
Federico Nebiolo wrote:
> Dear IPA users,
>
> My IPA 3.0 installation on CentOS 6.4 (coming from a 2.2 upgrade)
> suddenly stopped working for the CA part.
> I'm not sure this is the root of all the issues, but the subsystem
> certificates were expired and not renewed: getcert list gives a similar
> output for all of them, and I don't know how to proceed.
>
> []# getcert list -c dogtag-ipa-renew-agent
>
> Request ID '20130902075915':
>         status: MONITORING
>         ca-error: No end-entity URL (-E) given, and no default known.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=XXXX
>         subject: CN=RA Subsystem,O=XXXX
>         expires: 2013-10-11 07:44:12 UTC
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
>
> Do you have any hints on how to solve this?
Try adding a host=<fqdn> to the [global] section in
/etc/ipa/default.conf where host is the fqdn of your IPA master.
I think you'll need to temporarily go back in time to the 11th for the
renewal to succeed.
You can force certmonger to try the renewal again with:
# getcert resubmit -i 20130902075915
You'll want to do this for all certs affected by this.
If this works please let us know and we'll make sure that host exists in
default.conf when upgrades happen.
rob
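The procedure Rob outlines above, scripted as an added example (this is not code from the thread or from FreeIPA itself): one function makes sure `host = <fqdn>` is present in the `[global]` section of an `/etc/ipa/default.conf`-style file without touching other sections, and a second one parses `getcert list` output and emits a `getcert resubmit -i <id>` line for every request whose `ca-error` is the "No end-entity URL" message from the post, so all affected certs are resubmitted rather than just the one shown. The embedded `getcert list` sample is constructed for the example (the first entry mirrors the post, the second is a made-up healthy entry with ID 20130902075916); the paths and the `ipa.example.com` hostname are placeholders. The "go back in time" step is deliberately left to the operator (see the note after the block).

```shell
#!/bin/sh
# Added example for the FreeIPA renewal workaround described in the thread.
# Assumptions (not from the original page): the config file has INI-style
# "[section]" headers and "key = value" lines, and getcert's list output
# looks like the sample below. Nothing here runs getcert or changes the clock.

# ensure_global_host FILE FQDN
# Make "host = FQDN" the only host= line inside [global]; append a [global]
# section if the file has none. Other sections are left untouched.
ensure_global_host() {
    conf=$1
    fqdn=$2
    tmp=$(mktemp) || return 1
    awk -v fqdn="$fqdn" '
        /^\[/                         { in_global = ($0 == "[global]") }
        in_global && /^host[ \t]*=/   { next }          # drop stale host= in [global]
        { print }
        /^\[global\]/                 { print "host = " fqdn; seen = 1 }
        END { if (!seen) { print "[global]"; print "host = " fqdn } }
    ' "$conf" > "$tmp" && mv "$tmp" "$conf"
}

# stuck_request_ids
# Read "getcert list" output on stdin and print the request IDs whose last
# renewal attempt failed with the ca-error seen in the thread.
stuck_request_ids() {
    awk '
        /^Request ID/ { if (match($0, /[0-9][0-9]*/)) id = substr($0, RSTART, RLENGTH) }
        /ca-error: No end-entity URL/ { print id }
    '
}

# plan_resubmits
# Turn "getcert list" output (stdin) into the resubmit commands to run.
# Pipe the result into sh once the host= fix and clock change are in place.
plan_resubmits() {
    stuck_request_ids | while read -r id; do
        printf 'getcert resubmit -i %s\n' "$id"
    done
}

# Constructed sample of "getcert list -c dogtag-ipa-renew-agent" output.
SAMPLE_LIST=$(cat <<'EOF'
Request ID '20130902075915':
        status: MONITORING
        ca-error: No end-entity URL (-E) given, and no default known.
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=RA Subsystem,O=XXXX
        expires: 2013-10-11 07:44:12 UTC
Request ID '20130902075916':
        status: MONITORING
        stuck: no
        CA: dogtag-ipa-renew-agent
        subject: CN=Example Healthy Cert,O=XXXX
        expires: 2014-10-11 07:44:12 UTC
EOF
)

# Demo mode: show which resubmit commands the sample would produce.
# Real use:  getcert list -c dogtag-ipa-renew-agent | plan_resubmits | sh
if [ "${1-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE_LIST" | plan_resubmits
fi
```

Only the parsing and the config edit are automated. Rob's clock step (setting the date back to before 2013-10-11 so the expired RA cert is still accepted during renewal) and restoring correct time afterwards are manual operator actions on the master; as an assumption about the tooling, that is something like stopping ntpd, `date -s '...'`, running the resubmits, then resyncing time. Run `getcert list` again afterwards and confirm the `ca-error:` line is gone and `expires:` has moved forward for every affected request.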