[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Thu Aug 7 17:25:20 UTC 2014


Lucas Yamanishi wrote:
> Hello, I'm in a bit of a pickle with the PKI system.  I have three
> replicas, but only one contains the CA.  I realize how poor a decision
> it was to do that.  I plan to create more complete replicas, but right
> now I can't even create a replica file, much less a full replica.
> 
> The problem started when the CA subsystem certificates expired.  I read
> several threads explaining how to roll back time and renew them, but I
> then discovered that the host and HTTP certificates for the server were
> missing.  I checked for backups, but we erroneously did not cover those
> files.  Because they are missing I was unable to renew any certificates.
> 
> Is there a way to manually create host and service certificates?  When I
> search for this, the "manual" procedure listed in the documentation
> requires `ipa cert-request` which does not work.  I did try installing a
> self-signed cert for HTTP with `ipa-server-certinstall`.  That changed
> the errors, but the commands still fail.  The pki-ca service is running
> OK, as far as I can tell.
> 
> I also tried adding a CA instance to one of the other replicas with
> `ipa-ca-install`, but it failed during the configuration phase.

The subsystem certificate renewal should be independent of the web (and
host) certificates. I'd focus on getting the CA back up, then we can see
about getting a new web server certificate.

Can you share the output of: getcert list

You'll probably want to obfuscate the output as it contains the PIN to
the private key database of the CA.

rob
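Added example, not part of either message in this thread: a small POSIX shell script that does the sanitising Rob asks for, replacing the `pin='...'` values in `getcert list` output with a placeholder before the output is posted, and then prints a one-line summary (request ID, status, nickname, expiry) per tracked request so that expired or stuck certificates stand out. The sample it runs on is constructed to mimic the shape of `getcert list` on a pki-ca host; the request IDs, nicknames, paths, dates and the PIN in it are made up.

```shell
#!/bin/sh
# Added example (not from the thread): sanitise `getcert list` output
# before sharing it. certmonger prints the NSS key database PIN inline as
# pin='...' in the "key pair storage" line of each tracked request.

# Replace every pin='...' value with a placeholder. pinfile='...' entries
# are file paths, not secrets, and do not match the pattern (no quote
# follows "pin" there), so they are left as they are.
redact_getcert() {
    sed "s/pin='[^']*'/pin='<REDACTED>'/g"
}

# One line per tracked request: request id, status, nickname, expiry.
# The single quote is passed in via -v so the program needs no shell
# quoting tricks; getcert indents detail lines with a tab, but spaces
# are accepted too.
summarize_getcert() {
    awk -v q="'" '
        /^Request ID/              { id = $3; gsub("[" q ":]", "", id) }
        /^[ \t]*status:/           { status = $2 }
        /^[ \t]*key pair storage:/ {
            nick = "?"
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[ \t]*expires:/          {
            sub(/^[ \t]*expires:[ \t]*/, "")
            printf "%s %s %s %s\n", id, status, nick, $0
        }
    '
}

# Constructed sample in the shape of `getcert list` output (made-up
# request IDs, paths, dates and PIN; one CA subsystem cert, one HTTP cert).
sample_getcert_output() {
    printf '%s\n' \
        "Number of certificates and requests being tracked: 2." \
        "Request ID '20140807130000':" \
        "    status: MONITORING" \
        "    stuck: no" \
        "    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='s3cret-pin'" \
        "    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'" \
        "    CA: dogtag-ipa-renew-agent" \
        "    expires: 2014-08-01 13:00:00 UTC" \
        "Request ID '20140807130001':" \
        "    status: CA_UNREACHABLE" \
        "    stuck: yes" \
        "    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'" \
        "    expires: 2015-08-07 13:00:00 UTC"
}

# On a real server you would run:  getcert list | redact_getcert
# Demo on the constructed sample:
sample_getcert_output | redact_getcert
echo "--- summary ---"
sample_getcert_output | summarize_getcert
```

The summary is deliberately derived from the already-printed fields rather than from parsing dates, so it works with whatever `awk` and `sed` the server has; comparing the `expires:` column against the current date is then a matter of reading it.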