<div dir="ltr"><div><div>Rob,<br><br></div>I'm getting this error:<br><br>certutil -M -n "auditSigningCert cert-pki-ca" -d /var/lib/pki-ca/alias -t u,u,Pu<br>certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The certificate/key database is in an old, unsupported format.<br><br></div>Jeff<br><div><br></div><div class="gmail_extra"><br><div class="gmail_quote">On Fri, Jan 6, 2017 at 4:32 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">Jeff Goddard wrote:<br>
> I've followed the instructions related to my error here:<br>
> <a href="http://www.freeipa.org/page/Troubleshooting#PKI_Issues" rel="noreferrer" target="_blank">http://www.freeipa.org/page/<wbr>Troubleshooting#PKI_Issues</a> but I still<br>
> haven't found a solution.<br>
<br>
Look at these instructions<br>
<a href="http://www.freeipa.org/page/IPA_2x_Certificate_Renewal" rel="noreferrer" target="_blank">http://www.freeipa.org/page/<wbr>IPA_2x_Certificate_Renewal</a><br>
<br>
Look only at the ipaCert part, particularly the ou=people part and the<br>
description attribute.<br>
<br>
rob<br>
<br>
><br>
> Jeff<br>
><br>
> On Fri, Jan 6, 2017 at 4:05 PM, Jeff Goddard <<a href="mailto:jgoddard@emerlyn.com">jgoddard@emerlyn.com</a><br>
> <mailto:<a href="mailto:jgoddard@emerlyn.com">jgoddard@emerlyn.com</a>>> wrote:<br>
><br>
> Alan,<br>
><br>
> Thank you so VERY much. That resolved the issue for the CA signing<br>
> certificate. However I'm still seeing<br>
><br>
> ca-error: Server at<br>
> "<a href="https://id-management-1.internal.emerlyn.com:8443/ca/agent/ca/profileProcess" rel="noreferrer" target="_blank">https://id-management-1.<wbr>internal.emerlyn.com:8443/ca/<wbr>agent/ca/profileProcess</a>"<br>
> replied: 1: Invalid Credential.<br>
><br>
> On multiple requests which have expiration dates in the past. Is<br>
> there something else I need to do?<br>
><br>
> Jeff<br>
><br>
> On Fri, Jan 6, 2017 at 3:56 PM, Alan Heverley <<a href="mailto:aheverle@redhat.com">aheverle@redhat.com</a><br>
> <mailto:<a href="mailto:aheverle@redhat.com">aheverle@redhat.com</a>>> wrote:<br>
><br>
> Looks like you need to get the PIN associated to the cert.<br>
><br>
> # grep 'internal=' /var/lib/pki/pki-tomcat/conf/<wbr>password.conf<br>
><br>
> Then replace <pin> with the PIN in the command above.<br>
><br>
> # getcert start-tracking -d /etc/pki/pki-tomcat/alias -n<br>
> 'caSigningCert cert-pki-ca' -P <pin> -c dogtag-ipa-ca-renew-agent<br>
><br>
> On Fri, Jan 6, 2017 at 3:47 PM, Jeff Goddard<br>
> <<a href="mailto:jgoddard@emerlyn.com">jgoddard@emerlyn.com</a> <mailto:<a href="mailto:jgoddard@emerlyn.com">jgoddard@emerlyn.com</a>>> wrote:<br>
><br>
> I think my problem is deeper than that. I was following this<br>
> guide: <a href="http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Renew_CA_Certificate_on_CA_Servers" rel="noreferrer" target="_blank">http://www.freeipa.org/<wbr>page/Howto/CA_Certificate_<wbr>Renewal#Renew_CA_Certificate_<wbr>on_CA_Servers</a><br>
> and executed the commands related to having an external CA -<br>
> which we do not have. I now get this message for the CA:<br>
><br>
> Request ID '20170101055025':<br>
> status: NEED_KEY_GEN_PIN<br>
> stuck: yes<br>
> key pair storage:<br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> cert-pki-ca',pin set<br>
> certificate:<br>
> type=NSSDB,location='/etc/pki/<wbr>pki-tomcat/alias',nickname='<wbr>caSigningCert<br>
> cert-pki-ca'<br>
> CA: dogtag-ipa-ca-renew-agent<br>
> issuer:<br>
> subject:<br>
> expires: unknown<br>
> pre-save command:<br>
> post-save command:<br>
> track: yes<br>
> auto-renew: yes<br>
><br>
> Is there any way I can recover?<br>
><br>
> Jeff<br>
><br>
> On Fri, Jan 6, 2017 at 3:43 PM, Rob Crittenden<br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>> wrote:<br>
><br>
> Jeff Goddard wrote:<br>
> > I've done this.<br>
> > [root@id-management-1 ipa]# date<br>
> > Sun Jan 1 01:12:27 EST 2017<br>
> ><br>
> > getcert list give me this as the first entry:<br>
> ><br>
> > Request ID '20150116162120':<br>
> > status: CA_UNREACHABLE<br>
> > ca-error: Server at<br>
> > <a href="https://id-management-1.internal.emerlyn.com/ipa/xml" rel="noreferrer" target="_blank">https://id-management-1.<wbr>internal.emerlyn.com/ipa/xml</a><br>
> > failed request,<br>
> > will retry: 4001 (RPC failed at server. ipa:<br>
> Certificate Authority not<br>
> > found).<br>
> > stuck: no<br>
> > key pair storage:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB',pinfile='/etc/httpd/alias/<wbr>pwdfile.txt'<br>
> > certificate:<br>
> ><br>
> type=NSSDB,location='/etc/<wbr>httpd/alias',nickname='Server-<wbr>Cert',token='NSS<br>
> > Certificate DB'<br>
> > CA: IPA<br>
> > issuer: CN=Certificate Authority,O=INTERNAL.EMERLYN.COM<br>
> > subject: CN=id-management-1.internal.emerlyn.com,O=INTERNAL.EMERLYN.COM<br>
> > expires: 2017-01-16 16:21:20 UTC<br>
> > key usage:<br>
> ><br>
> digitalSignature,<wbr>nonRepudiation,<wbr>keyEncipherment,<wbr>dataEncipherment<br>
> > eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>
> > pre-save command:<br>
> > post-save command:<br>
> /usr/lib64/ipa/certmonger/<wbr>restart_httpd<br>
> > track: yes<br>
> > auto-renew: yes<br>
> ><br>
> > Restarting certmonger multiple times doesn't help.<br>
><br>
> Sorry, I missed a step. When you go back in time you<br>
> first need to<br>
> restart IPA. The CA isn't up.<br>
><br>
> rob<br>
><br>
> ><br>
> > Jeff<br>
> ><br>
> ><br>
> ><br>
> ><br>
> > On Fri, Jan 6, 2017 at 3:23 PM, Rob Crittenden<br>
> <<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>><br>
> > <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a><br>
> <mailto:<a href="mailto:rcritten@redhat.com">rcritten@redhat.com</a>>>> wrote:<br>
> ><br>
> > Jeff Goddard wrote:<br>
> > > Flo,<br>
> > ><br>
> > > I'm not able to access the link you posted. I<br>
> did find this thread<br>
> > > though<br>
> > ><br>
> ><br>
> <a href="https://www.redhat.com/archives/freeipa-users/2015-June/msg00144.html" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>archives/freeipa-users/2015-<wbr>June/msg00144.html</a><br>
> > > and have set the time back and resubmitted a<br>
> request. Still no<br>
> > success.<br>
> > > Any further hints?<br>
> ><br>
> > You need to stop ntpd, go back in time to when the<br>
> certs are valid and<br>
> > restart the certmonger service.<br>
> ><br>
> > Then use getcert list to monitor things. You<br>
> really only care about the<br>
> > CA subsystem certs at this point.<br>
> ><br>
> > You may need to restart certmonger more than once<br>
> to get all the certs<br>
> > updated (you can manually call getcert resubmit -i<br>
> <id> if you'd<br>
> > prefer).<br>
> ><br>
> > Once that is done return to present day, restart<br>
> ntpd then ipactl<br>
> > restart.<br>
> ><br>
> > rob<br>
> ><br>
> ><br>
> ><br>
> ><br>
><br>
> Manage your subscription for the Freeipa-users mailing list:<br>
> <a href="https://www.redhat.com/mailman/listinfo/freeipa-users" rel="noreferrer" target="_blank">https://www.redhat.com/<wbr>mailman/listinfo/freeipa-users</a><br>
> Go to <a href="http://freeipa.org" rel="noreferrer" target="_blank">http://freeipa.org</a> for more info on the project<br>
><br>
> --<br>
> Alan Heverley<br>
><br>
<span class="HOEnZb"><font color="#888888">><br>
> --<br>
> Jeff Goddard<br>
><br>
><br>
<br>
</font></span></blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div><br></div><br></div></div>
</div></div>
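Rob's advice in the thread is to roll the clock back, watch `getcert list`, and resubmit whatever stays stuck. As an added example that is not part of the thread and not FreeIPA or certmonger code, this shell function parses `getcert list` output and reports every request that is stuck, not back in MONITORING state, or already past its expiry; the sample input and the pinned "now" timestamp are constructed from the entries quoted above.

```shell
# Added example (not code from the thread or from FreeIPA): scan `getcert list`
# output for requests that are stuck, not MONITORING, or already expired.
# Print "<id> <reasons>" for the collected request, then reset; relies on the
# shell's dynamic scoping to read and clear the caller's variables.
_flag_emit() {
  [ -z "$id" ] && return 0
  local reasons=""
  [ "$stuck" = "yes" ] && reasons="$reasons stuck"
  [ "$status" != "MONITORING" ] && reasons="$reasons status=$status"
  # getcert prints "YYYY-MM-DD HH:MM:SS UTC", so string order is time order.
  if [ -n "$expires" ] && [ "$expires" != "unknown" ] &&
     [ "$(expr "$expires" "<" "$now")" = 1 ]; then
    reasons="$reasons expired=$expires"
  fi
  [ -n "$reasons" ] && printf '%s%s\n' "$id" "$reasons"
  id="" status="" stuck="" expires=""
}
# Usage: getcert list | flag_cert_requests ["YYYY-MM-DD HH:MM:SS UTC"]
# The optional argument pins "now", which matters once the clock has been moved.
flag_cert_requests() {
  local now="${1:-$(date -u '+%Y-%m-%d %H:%M:%S UTC')}"
  local line id="" status="" stuck="" expires=""
  while read -r line; do   # read drops the indentation getcert adds
    case "$line" in
      "Request ID '"*) _flag_emit; id=${line#"Request ID '"}; id=${id%"':"} ;;
      "status: "*)     status=${line#"status: "} ;;
      "stuck: "*)      stuck=${line#"stuck: "} ;;
      "expires: "*)    expires=${line#"expires: "} ;;
    esac
  done
  _flag_emit
}
# Constructed sample: the two entries quoted in the thread plus one healthy
# request; "now" is pinned to the day after the quoted Server-Cert expiry.
demo_flagged() {
  flag_cert_requests "2017-01-17 00:00:00 UTC" <<'EOF'
Request ID '20150116162120':
  status: CA_UNREACHABLE
  stuck: no
  expires: 2017-01-16 16:21:20 UTC
Request ID '20170101055025':
  status: NEED_KEY_GEN_PIN
  stuck: yes
  expires: unknown
Request ID '20150116162130':
  status: MONITORING
  stuck: no
  expires: 2018-01-16 16:21:20 UTC
EOF
}
```

Run `getcert list | flag_cert_requests` on the server after each certmonger restart; an empty result means every tracked request is back in MONITORING with a future expiry.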