Ticket was cloned from Red Hat Bugzilla (product Red Hat Enterprise Linux 7): Bug 1170003
Description of problem:
I'm trying to change the CA cert for IPA from externally signed (by MS ADCS) to self-signed. I'm getting "Record not found" errors for the cert request.

    [root@rhel7-3 log]# ipa-cacert-manage renew --self-signed
    Renewing CA certificate, please wait
    Error resubmitting certmonger request '20141202205804', please check the request manually
    [root@rhel7-3 log]# getcert list -i 20141202205804
    Number of certificates and requests being tracked: 8.
    Request ID '20141202205804':
            status: MONITORING
            ca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
            stuck: no
            key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin='321598787049'
            certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
            CA: dogtag-ipa-ca-renew-agent
            issuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
            subject: CN=Certificate Authority,O=EXAMPLE.COM
            expires: 2016-11-11 01:22:59 UTC
            key usage: digitalSignature,keyCertSign,cRLSign
            pre-save command:
            post-save command:
            track: yes
            auto-renew: yes

Version-Release number of selected component (if applicable):
ipa-server-4.1.0-10.el7.x86_64
certmonger-0.75.14-2.el7.x86_64

How reproducible: Always

Steps to Reproduce:
# Note this requires a working MS ADCS server.
1. Install IPA with externally signed CA cert
   # ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-ca
   # copy ipa.csr to ADCS server and sign and copy back
   # also copy ADCS CA cert chain back as DER p7b file.
   # openssl pkcs7 -print_certs -in /root/adcs2.p7b -inform DER -out /root/adcs2.pem
   # ipa-server-install --setup-dns --forwarder=192.168.122.1 -r $(hostname -d |tr [:lower:] [:upper:]) -a Secret123 -p Secret123 -U --external-cert-file=/root/ipa.cer --external-cert-file=/root/adcs2.pem
2. Renew CA and change chaining from external to self-signed.
   ipa-cacert-manage renew --self-signed
3. Update client side: ipa-certupdate

Actual results: failure listed above
Expected results: No failure and CA cert changed from externally signed to self-signed.
Additional info:
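A post-renewal check an administrator can run against `getcert list` output to confirm the CA signing request carries no ca-error and the new CA cert is actually self-signed (issuer equals subject). This is an added example, not code from the ticket or from FreeIPA/certmonger; the sample text below is constructed from the output quoted in the report, with the PIN omitted.

```python
import re

# Constructed sample, modelled on the `getcert list -i` output in the report.
SAMPLE = """Number of certificates and requests being tracked: 8.
Request ID '20141202205804':
\tstatus: MONITORING
\tca-error: Server at "http://rhel7-3.example.com:8080/ca/ee/ca/profileSubmit" replied: Record not found
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=subdom1-ADCS2-CA,DC=subdom1,DC=adroot2,DC=example,DC=com
\tsubject: CN=Certificate Authority,O=EXAMPLE.COM
\texpires: 2016-11-11 01:22:59 UTC
\tkey usage: digitalSignature,keyCertSign,cRLSign
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Parse `getcert list` output into {request_id: {field: value}}."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        # Field lines are indented; split on the first colon only, since
        # values such as ca-error contain further colons (URLs, messages).
        if current is not None and line.startswith(("\t", " ")) and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def check_self_signed_ca(requests, nickname="caSigningCert cert-pki-ca"):
    """Return (request_id, finding, detail) tuples for the CA signing cert.

    A clean result after `ipa-cacert-manage renew --self-signed` is an empty
    list: no ca-error and issuer identical to subject.
    """
    findings = []
    for rid, fields in requests.items():
        if nickname not in fields.get("certificate", ""):
            continue
        if fields.get("ca-error"):
            findings.append((rid, "ca-error", fields["ca-error"]))
        if fields.get("issuer") != fields.get("subject"):
            findings.append((rid, "not-self-signed", fields.get("issuer")))
    return findings
```

On the report's output this flags both the "Record not found" ca-error and the issuer still pointing at the ADCS CA.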
I assume this is different root cause than #4781, right?
Right.
master:
ipa-4-1:
Metadata Update from @jcholast: - Issue assigned to jcholast - Issue set to the milestone: FreeIPA 4.1.3