<div dir="ltr"><div>Hi all, I have inherited a IPA system that has an expired cert and the old admins have left; I followed (<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal">http://www.freeipa.org/page/IPA_2x_Certificate_Renewal</a>) but running into errors when I try to renew the CA certs even after time is reset. Also tried the troubleshooting under (<a href="http://www.freeipa.org/page/Troubleshooting#Authentication_Errors">http://www.freeipa.org/page/Troubleshooting#Authentication_Errors</a>); specifically using "certutil -L -d /etc/httpd/alias -n ipaCert -a > /tmp/ra.crt" to add the cert in the database. From the output of getcert list, I see both CA_UNREACHABLE and NEED_CSR_GEN_PIN. I followed redhat article here (<a href="https://access.redhat.com/solutions/1142913">https://access.redhat.com/solutions/1142913</a>) which verified key file password is correct and I have reset time. However the NEED_CSR_GEN_PIN status remains. My company actually has redhat support but when they built this IPA whoever built it was using Centos 6 so I am out of luck here. Would really appreciate any help since I am stuck at this point? What else I can do at this point? e.g. Is generate a new CA cert necessary, etc.? Version: ipa-pki-ca-theme.noarch 9.0.3-7.el6 @base ipa-pki-common-theme.noarch 9.0.3-7.el6 @base ipa-pmincho-fonts.noarch 003.02-3.1.el6 @base ipa-python.x86_64 3.0.0-47.el6.centos.2 @updates ipa-server.x86_64 3.0.0-47.el6.centos.2 @updates ipa-server-selinux.x86_64 3.0.0-47.el6.centos.2 @updates Part of error logs from /var/log/pki-ca/debug after I reset clock; I see these errors which I think is relevlant?: [27/Dec/2015:14:12:01][main]: SigningUnit init: debug org.mozilla.jss.crypto.ObjectNotFoundException Certificate object not found [27/Dec/2015:14:12:01][main]: CMS:Caught EBaseException Certificate object not found [27/Dec/2015:14:12:01][main]: CMSEngine.shutdown() </div><div>Result seems to show key file password is correct: certutil -K -d /etc/dirsrv/slapd-REALM-NET/ -f /etc/dirsrv/slapd-REALM-NET/pwdfile.txt certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services" < 0> rsa ############################ NSS Certificate DB:Server-Cert </div><div> certutil -L -d /var/lib/pki-ca/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI ocspSigningCert cert-pki-ca u,u,u subsystemCert cert-pki-ca u,u,u Server-Cert cert-pki-ca u,u,u auditSigningCert cert-pki-ca u,u,Pu caSigningCert cert-pki-ca CTu,Cu,Cu certutil -L -d /etc/httpd/alias Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u ipaCert u,u,u <a href="http://REALM.COM">REALM.COM</a> IPA CA CT,C, certutil -L -d /etc/dirsrv/slapd-REALM-COM Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI Server-Cert u,u,u <a href="http://REALM.COM">REALM.COM</a> IPA CA CT,C,C Output of getcert list: Number of certificates and requests being tracked: 7. Request ID '21135214223243': status: CA_UNREACHABLE ca-error: Server at <a href="https://host.example.net/ipa/xml">https://host.example.net/ipa/xml</a> failed request, will retry: 4301 (RPC failed at server. Certificate oper ation cannot be completed: Unable to communicate with CMS (Not Found)). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfil e='/etc/dirsrv/slapd-example-NET//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-example-NET',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=example.NET subject: CN=<a href="http://host.example.net">host.example.net</a>,O=example.NET expires: 2016-03-29 14:09:46 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '21135214223300': status: CA_UNREACHABLE ca-error: Server at <a href="https://host.example.net/ipa/xml">https://host.example.net/ipa/xml</a> failed request, will retry: 4301 (RPC failed at server. Certificate oper ation cannot be completed: Unable to communicate with CMS (Not Found)). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile=' /etc/dirsrv/slapd-PKI-IPA//pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=example.NET subject: CN=<a href="http://host.example.net">host.example.net</a>,O=example.NET expires: 2016-03-29 14:09:45 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth pre-save command: post-save command: track: yes auto-renew: yes Request ID '20130519130741': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=auditSigningCert+cert-</a> pki-ca&serial_num=61&renewal=true&xml=true". stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=example.NET subject: CN=CA Audit,O=example.NET expires: 2017-10-13 14:10:49 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130742': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> m=60&renewal=true&xml=true". stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate D B',pin set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=example.NET subject: CN=OCSP Subsystem,O=example.NET expires: 2017-10-13 14:09:49 UTC eku: id-kp-OCSPSigning pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130743': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> m=62&renewal=true&xml=true". stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' ,pin set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=example.NET subject: CN=CA Subsystem,O=example.NET expires: 2017-10-13 14:09:49 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20130519130744': status: MONITORING ca-error: Internal error: no response to "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> m=64&renewal=true&xml=true". stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/al ias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=example.NET subject: CN=RA Subsystem,O=example.NET expires: 2017-10-13 14:09:49 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20130519130745': status: NEED_CSR_GEN_PIN ca-error: Internal error: no response to "<a href="http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu">http://host.example.net:9180/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_nu</a> m=63&renewal=true&xml=true". stuck: yes key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',p in set certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=example.NET subject: CN=<a href="http://host.example.net">host.example.net</a>,O=example.NET expires: 2017-10-13 14:09:49 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: track: yes auto-renew: yes </div>Regards, Adam </div>