[Freeipa-users] Impossible to renew certificate. pki-tomcat issue

Martin Babinsky mbabinsk at redhat.com
Wed Oct 19 06:45:49 UTC 2016


On 10/18/2016 11:22 PM, Bertrand Rétif wrote:
> Hello,
>
> I had an issue with pki-tomcat.
> I had several certificates that were expired and pki-tomcat did not start
> anymore.
>
> I set the date on the server before certificate expiration and then
> pki-tomcat starts properly.
> Then I try to resubmit the certificate, but I get below error:
>   "Profile caServerCert Not Found"
>
> Do you have any idea how I could fix this issue?
>
> Please find below output of commands:
>
>
> # getcert resubmit -i 20160108170324
>
> # getcert list -i 20160108170324
> Number of certificates and requests being tracked: 7.
> Request ID '20160108170324':
>     status: MONITORING
>     ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=A.SKINFRA.EU
>     subject: CN=IPA RA,O=A.SKINFRA.EU
>     expires: 2016-06-28 15:25:11 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
>
> Thanks in advance for your help.
> Bertrand
>
>
>
>

Hi Bertrand,

what version of FreeIPA and Dogtag are you running?

Also perform the following search on the IPA master and post the result:

"""
ldapsearch -D "cn=Directory Manager" -W -b 'ou=certificateProfiles,ou=ca,o=ipaca' '(objectClass=certProfile)'
"""

-- 
Martin^3 Babinsky
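
A triage helper for the kind of `getcert list` output quoted above, as an added example that is not part of the original thread or of FreeIPA/certmonger: it flags tracked requests that carry a `ca-error` or whose `expires` date has passed. The sample text is constructed from the quoted output (the second request and its ID are made up), and the function names are hypothetical.

```python
import re
from datetime import datetime, timezone

# Constructed sample in the layout of the `getcert list` output quoted above;
# the second request (ID, subject, dates) is invented for contrast.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160108170324':
    status: MONITORING
    ca-error: Server at "http://sdkipa01.a.skinfra.eu:8080/ca/ee/ca/profileSubmit" replied: Profile caServerCert Not Found
    stuck: no
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=A.SKINFRA.EU
    expires: 2016-06-28 15:25:11 UTC
Request ID '20990101000000':
    status: MONITORING
    stuck: no
    CA: IPA
    subject: CN=example.test,O=EXAMPLE.TEST
    expires: 2018-01-09 17:03:24 UTC
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values (URLs, dates) contain colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage(text, now):
    """Return (request id, problem) pairs for CA-rejected or expired requests."""
    findings = []
    for req in parse_getcert(text):
        if "ca-error" in req:
            findings.append((req["id"], "ca-error: " + req["ca-error"]))
        expires = req.get("expires")
        if expires:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC")
            if when.replace(tzinfo=timezone.utc) <= now:
                findings.append((req["id"], "expired " + expires))
    return findings
```

Passing the real wall-clock time as `now` matters on a host whose system date was set back to get pki-tomcat running, because the local clock would otherwise hide the expiry.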



