Sean McLennan via FreeIPA-users wrote:
Thank you for the reply!
Did you build this yourself? What is the history of this installation? Were there other servers at some point?
No, it's just from Ubuntu's repositories. It's about two years old and there's nothing of particular note; it was a straightforward install, no unusual functions. Never had another server connected to it—always planned one but it's waiting on priority and budget.
Check the Apache error log
Thank you, that was helpful—I kind of forget it's even part of the install. Appears there is a PyAsn1 error? Maybe a Python 2.7 vs. 3.6 thing?
[Fri Oct 09 00:00:25.453485 2020] [wsgi:error] [pid 7034] [remote 10.1.5.4:59838] ipa: INFO: [xmlserver] host/ipa01.my.domain@MY.REALM: cert_request(u'...', profile_id=u'caIPAserviceCert', principal=u'ldap/ipa01.my.domain@MY.REALM', add=True, version=u'2.51'): InternalError
[Fri Oct 09 00:00:35.402170 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876] ipa: ERROR: non-public: PyAsn1Error: <TagSet object at 0x7f378035fd10 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f377b8f99d0 tagSet <TagSet object at 0x7f379ae94290 tags 0:0:4> encoding iso-8859-1>
[Fri Oct 09 00:00:35.402274 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876] Traceback (most recent call last):
[Fri Oct 09 00:00:35.402288 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 367, in wsgi_execute
[Fri Oct 09 00:00:35.402299 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     result = command(*args, **options)
[Fri Oct 09 00:00:35.402309 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 450, in __call__
[Fri Oct 09 00:00:35.402320 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     return self.__do_call(*args, **options)
[Fri Oct 09 00:00:35.402330 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 478, in __do_call
[Fri Oct 09 00:00:35.402341 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     ret = self.run(*args, **options)
[Fri Oct 09 00:00:35.402351 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 800, in run
[Fri Oct 09 00:00:35.402361 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     return self.execute(*args, **options)
[Fri Oct 09 00:00:35.402371 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884, in execute
[Fri Oct 09 00:00:35.402382 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     self.obj._parse(result, all)
[Fri Oct 09 00:00:35.402392 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493, in _parse
[Fri Oct 09 00:00:35.402402 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     cert.san_general_names)
[Fri Oct 09 00:00:35.402412 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 318, in san_general_names
[Fri Oct 09 00:00:35.402451 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     gns = self.__pyasn1_get_san_general_names()
[Fri Oct 09 00:00:35.402462 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in __pyasn1_get_san_general_names
[Fri Oct 09 00:00:35.402473 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     ext['extnValue'], asn1Spec=univ.OctetString())[0]
[Fri Oct 09 00:00:35.402483 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]   File "/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line 1318, in __call__
[Fri Oct 09 00:00:35.402494 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876]     '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
[Fri Oct 09 00:00:35.402505 2020] [wsgi:error] [pid 7033] [remote 10.1.5.4:59876] PyAsn1Error: <TagSet object at 0x7f378035fd10 tags 0:32:16> not in asn1Spec: <OctetString schema object at 0x7f377b8f99d0 tagSet <TagSet object at 0x7f379ae94290 tags 0:0:4> encoding iso-8859-1>
What version of python-pyasn1 and pyasn1-modules is installed? You might try upgrading/downgrading them to see if that helps.
rob
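A stdlib-only reader for the tag triple in the PyAsn1Error above, added here as an example (it is neither the thread's code nor FreeIPA's or pyasn1's). It reproduces pyasn1's asn1Spec check on a constructed SubjectAltName value: wrapped in its OCTET STRING it passes, while the bare SEQUENCE (which is what 0:32:16 says the decoder was handed) reproduces the message in the log. The sample bytes, the names and the reading of the log are mine, not the thread's; the version question Rob raises is the natural next check, since what hands x509.py an unwrapped extnValue is whatever decoded the certificate before it.

```python
# Added example, not from the thread: read a BER identifier octet the way pyasn1 prints it.
# pyasn1 renders a tag as "class:format:id": class universal=0, format primitive=0 or
# constructed=32 (0x20), id the tag number. So the log above says the decoder found a
# constructed SEQUENCE (0:32:16) where the asn1Spec demanded an OCTET STRING (0:0:4).

TAG_NAMES = {(0, 0, 4): "OCTET STRING", (0, 32, 16): "SEQUENCE", (0, 0, 6): "OBJECT IDENTIFIER",
             (0, 0, 1): "BOOLEAN", (0, 0, 22): "IA5String", (128, 0, 2): "[2] dNSName"}

def ber_tag(data):
    """Return (tag_class, tag_format, tag_id, header_len) of the first BER/DER element."""
    if not data:
        raise ValueError("empty element")
    first = data[0]
    cls = first & 0xC0          # 0 universal, 64 application, 128 context-specific, 192 private
    fmt = first & 0x20          # 0 primitive, 32 constructed
    num, hdr = first & 0x1F, 1
    if num == 0x1F:             # high-tag-number form: base-128 continuation octets
        num = 0
        while True:
            b = data[hdr]
            hdr += 1
            num = (num << 7) | (b & 0x7F)
            if not b & 0x80:
                break
    return cls, fmt, num, hdr

def tag_str(tag):
    cls, fmt, num = tag[:3]
    return "%d:%d:%d (%s)" % (cls, fmt, num, TAG_NAMES.get((cls, fmt, num), "?"))

def explain_spec_mismatch(data, expected=(0, 0, 4)):
    """Mimic pyasn1's asn1Spec check: None when the leading tag matches, else a diagnostic."""
    found = ber_tag(data)[:3]
    if found == expected:
        return None
    return "%s not in asn1Spec: %s" % (tag_str(found), tag_str(expected))

# Constructed sample: a SubjectAltName with one dNSName ([2] IMPLICIT IA5String), first as the
# OCTET STRING-wrapped extnValue an X.509 Extension carries on the wire ...
DNS = b"ipa01.my.domain"
GENERAL_NAMES = bytes([0x30, len(DNS) + 2, 0x82, len(DNS)]) + DNS
EXTN_VALUE_WRAPPED = bytes([0x04, len(GENERAL_NAMES)]) + GENERAL_NAMES
# ... and as the bare SEQUENCE the log shows the decoder was actually handed (wrapper already gone).
EXTN_VALUE_UNWRAPPED = GENERAL_NAMES

if __name__ == "__main__":
    print(explain_spec_mismatch(EXTN_VALUE_WRAPPED))    # None
    print(explain_spec_mismatch(EXTN_VALUE_UNWRAPPED))  # 0:32:16 (SEQUENCE) not in asn1Spec: 0:0:4 (OCTET STRING)
```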
This suggests the tracking is really messed up. Can you provide the output of getcert list?
Below.
Possibly ipa-cert-fix or pki-server cert-fix would take care of it, but they aren't in this version and I'm reluctant to upgrade the distro without proper preparation.
It wouldn't fix the 389 or Apache certs.
Thanks—glad I didn't go through that then!
Everything starts without any problems. With the date set, everything is functioning like normal as far as I can tell.
I have rolled back the date successfully, making sure to respect the 'notbefore' on ra-agent.pem.
Does this suggest that the RA agent cert was renewed at some point?
Yeah, I suppose it must have been successfully renewed by certmonger... I didn't think too hard about it since it wasn't expired:
Owner: CN=IPA RA, O=MY.REALM
Issuer: CN=Certificate Authority, O=MY.REALM
Serial number: 11
Valid from: Sat Sep 12 02:33:38 MDT 2020 until: Fri Sep 02 02:33:38 MDT 2022
Certificate fingerprints:
	 SHA1: A8:32:C6:B4:C1:BF:C8:54:6B:35:F6:C7:DF:68:FB:47:73:C7:B4:2C
	 SHA256: 5F:E8:77:BA:72:E4:64:56:E7:23:54:32:56:0D:66:7A:03:04:0F:04:7C:CE:E6:25:44:4A:15:B1:06:81:05:4A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
Number of certificates and requests being tracked: 9.
Request ID '20181021083324':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=IPA RA,O=MY.REALM
	expires: 2022-09-02 02:33:38 MDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20181021083404':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=localhost
	expires: 2022-09-05 12:15:19 MDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20181021083405':
	status: NEED_CSR_GEN_TOKEN
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=localhost
	expires: 2020-10-13 12:14:21 MDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20181021083406':
	status: NEED_CSR_GEN_TOKEN
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=localhost
	expires: 2020-10-13 12:15:01 MDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20181021083407':
	status: NEED_CSR_GEN_TOKEN
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=localhost
	expires: 2020-10-10 02:34:28 MDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20181021083408':
	status: NEED_CSR_GEN_TOKEN
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=localhost
	expires: 2020-10-13 12:14:29 MDT
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20181021083613':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa01.my.domain/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MY-REALM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=ipa01.my.domain,O=MY.REALM
	expires: 2020-10-21 02:36:13 MDT
	dns: ipa01.my.domain
	principal name: ldap/ipa01.my.domain@MY.REALM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/lib/ipa/certmonger/restart_dirsrv MY-REALM
	track: yes
	auto-renew: yes
Request ID '20181021083714':
	status: NEED_CSR_GEN_PIN
	stuck: yes
	key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.my.domain-443-RSA'
	certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=ipa01.my.domain,O=MY.REALM
	expires: 2020-10-21 02:37:17 MDT
	dns: ipa01.my.domain
	principal name: HTTP/ipa01.my.domain@MY.REALM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/lib/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20181021083724':
	status: CA_UNREACHABLE
	ca-error: Server at https://ipa01.my.domain/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
	stuck: no
	key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
	CA: IPA
	issuer: CN=Certificate Authority,O=MY.REALM
	subject: CN=ipa01.my.domain,O=MY.REALM
	expires: 2020-10-21 02:37:25 MDT
	principal name: krbtgt/MY.REALM@MY.REALM
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-pkinit-KPKdc
	pre-save command: 
	post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
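A triage pass over `getcert list` output like the listing above, added as an example (not the thread's code and not part of certmonger): it splits the output into request blocks, flags stuck and failing renewals and certs expired or near expiry relative to a chosen clock, and reports the latest clock value at which every tracked cert is still valid, which is the upper bound when rolling the date back as Sean did. The sample is a constructed, trimmed copy of two of the thread's entries; the field names are the ones getcert prints.

```python
# Added example, not from the thread: triage certmonger's `getcert list` output.
import re
from datetime import datetime
# Constructed sample trimmed from the output quoted in the thread (the thread's redacted names).
SAMPLE = """\
Request ID '20181021083407':
\tstatus: NEED_CSR_GEN_TOKEN
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2020-10-10 02:34:28 MDT
Request ID '20181021083613':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa01.my.domain/ipa/xml failed request, will retry: 903 (RPC failed at server. an internal error has occurred).
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2020-10-21 02:36:13 MDT
"""

def parse_getcert_list(text):
    requests, cur = [], None          # one dict per "Request ID" block, keyed by getcert's field names
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key] = val.strip()
    return requests

def expires_at(req):
    return datetime.strptime(req["expires"][:19], "%Y-%m-%d %H:%M:%S")  # zone suffix ignored

def triage(requests, now, warn_days=30):
    # Flag stuck or failing renewals, and certs expired or expiring within warn_days of `now`.
    findings = []
    for r in requests:
        fields = dict(re.findall(r"(nickname|location)='([^']*)'", r.get("certificate", "")))
        name = fields.get("nickname", fields.get("location", r["id"]))
        if r.get("stuck") == "yes":
            findings.append((name, "STUCK", r["status"]))
        elif r["status"] != "MONITORING":
            findings.append((name, "RENEWAL_FAILING", r.get("ca-error", r["status"])))
        days_left = (expires_at(r) - now).days
        if days_left <= warn_days:
            findings.append((name, "EXPIRED" if days_left < 0 else "EXPIRES_SOON", r["expires"]))
    return findings

def latest_safe_clock(requests):
    # Latest clock value with every tracked cert still unexpired; a rollback must also stay
    # after each cert's notBefore, which getcert does not print (read it from the cert itself).
    return min(expires_at(r) for r in requests)
```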