[Freeipa-users] Certificate renewal issues for dogtag GUI (9443/9444/9445 ports)

Endi Sukma Dewata edewata at redhat.com
Fri Jun 5 20:19:51 UTC 2015


On 5/19/2015 3:54 AM, Thibaut Pouzet wrote:
> Hi,
>
> It appeared that the NSS DB had fips enabled due to the troubleshooting
> of an old problem:
>
> # modutil -dbdir /var/lib/pki-ca/alias/ -list
>
> Listing of PKCS #11 Modules
> -----------------------------------------------------------
>    1. NSS Internal FIPS PKCS #11 Module
>           slots: 1 slot attached
>          status: loaded
>
>           slot: NSS FIPS 140-2 User Private Key Services
>          token: NSS FIPS 140-2 Certificate DB
> -----------------------------------------------------------
>
> I disabled it: modutil -dbdir /var/lib/pki-ca/alias -fips false
>
> And no longer have the stack trace in the debug logs while re-submitting
> the certificate with certmonger.
>
> This is a first step in this certificate renewal, as I still cannot
> renew it, I have a new error:
>          status: CA_UNREACHABLE
>          ca-error: Error 60 connecting to
> https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate
> cannot be authenticated with known CA certificates.
>
> This looks like a chicken and egg problem, the certificate served on
> ipa_server:9443 is the one that needs to be renewed. I tried to step
> back in time when the certificate was still valid with no luck.
>
> So if anyone has an idea here...
>
> Cheers,

Hi,

Is this still a problem? Per discussion with Rob it doesn't seem to be 
an issue with Dogtag itself.

I suppose you are following this instruction:
http://www.freeipa.org/page/Howto/CA_Certificate_Renewal

Could you post the full getcert list output? Also after you reset the 
clock back and try the renewal again could you post the error messages 
that you get?

Hopefully the IPA team will be able to troubleshoot further. Thanks.

-- 
Endi S. Dewata
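The two checks this thread turns on (is the NSS DB running in FIPS mode, and which certmonger requests are stuck and why) can be run over saved `modutil -list` and `getcert list` output. The script below is an added example, not code from the thread or from FreeIPA/Dogtag; both inputs are constructed samples modelled on the output quoted above, and the request IDs are made up.

```shell
#!/bin/sh
# Added triage helper (not from the thread): runs the two checks discussed
# above over saved tool output, so they work offline and in scripts.
# Both sample inputs below are constructed, modelled on the thread's output.

# Constructed `modutil -dbdir /var/lib/pki-ca/alias -list` output, FIPS on.
MODUTIL_FIPS=$(cat <<'EOF'
Listing of PKCS #11 Modules
-----------------------------------------------------------
  1. NSS Internal FIPS PKCS #11 Module
         slots: 1 slot attached
        status: loaded
-----------------------------------------------------------
EOF
)

# Same listing after `modutil -fips false`: the module loses the FIPS name.
MODUTIL_PLAIN=$(printf '%s\n' "$MODUTIL_FIPS" | sed 's/NSS Internal FIPS/NSS Internal/')

# Constructed `getcert list` output: one failing and one healthy request.
GETCERT_OUT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20150519000001':
	status: CA_UNREACHABLE
	ca-error: Error 60 connecting to https://ipa_server:9443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with known CA certificates.
	stuck: no
Request ID '20150519000002':
	status: MONITORING
	stuck: no
EOF
)

# nss_fips_enabled: reads modutil -list output on stdin; exit 0 when the
# internal module is the FIPS variant (the state that produced the stack trace).
nss_fips_enabled() { grep -q 'NSS Internal FIPS PKCS #11 Module'; }

# failing_requests: reads getcert list output on stdin and prints
# "<id> <status> <ca-error>" for every request that is not in MONITORING.
failing_requests() {
  awk '
    function flush() { if (id != "" && st != "MONITORING") print id, st, err }
    /^Request ID/      { flush(); id = $3; gsub(/[^0-9A-Za-z]/, "", id); st = ""; err = ""; next }
    /^[ \t]*status:/   { sub(/^[ \t]*status:[ \t]*/, "");   st  = $0; next }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error:[ \t]*/, ""); err = $0; next }
    END                { flush() }
  '
}

# Stand-alone demo over the constructed samples.
if printf '%s\n' "$MODUTIL_FIPS" | nss_fips_enabled; then echo "NSS DB is in FIPS mode"; fi
printf '%s\n' "$GETCERT_OUT" | failing_requests
```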
