I am trying to renew the last certificate for the IPA masters (previous email) and am coming across this issue on my original IPA master (first server):

getcert list -d /etc/httpd/alias -n "Server-Cert"
Number of certificates and requests being tracked: 8.
Request ID '20170428162941':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa01.ipa.example.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. nss certificate db: user not found).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
        subject: CN=ipa01.ipa.example.com,O=IPA.EXAMPLE.COM
        expires: 2018-07-30 13:08:58 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

This server was 4.2.0 originally, then upgraded to 4.4.0. I tried https://www.redhat.com/archives/freeipa-users/2016-February/msg00441.html but that doesn't seem to make a difference.
If possible, can I stop tracking and regenerate this certificate?
All other masters (7 out of 8) did not have an issue renewing their certificates.
Thanks!!
-Jake
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

On 05/23/2017 10:56 PM, Jake via FreeIPA-users wrote:
Hi Jake,
1. Can you check that /etc/httpd/alias contains the certificate used to authenticate IPA to the Certificate Server:

$ sudo certutil -L -d /etc/httpd/alias

The output should show ipaCert u,u,u

2. Check that this cert is associated to the ipara user. Note the serial number:

$ sudo certutil -L -d /etc/httpd/alias/ -n ipaCert | grep Serial
        Serial Number: 7 (0x7)

Check the cert associated to the user ipara:

$ kinit admin
$ ldapsearch -Y GSSAPI -Q -LLL -b uid=ipara,ou=people,o=ipaca description
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOM-IPA.COM;CN=IPA RA,O=DOM-IPA.COM
The serial number obtained in the first step must match the second number in the description attribute. If it is not the case, it may happen because the ipaCert was renewed but not copied on your failing master. In this case, running ipa-certupdate should install the renewed ipaCert, and allow you to re-run getcert resubmit.
HTH, Flo
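A scripted version of the two-step check Flo describes above (the ipaCert serial in the NSS database versus the serial recorded in the ipara user's description attribute), added here as an example; it is not code from this thread or from the FreeIPA project. The function names are my own, and the embedded certutil and ldapsearch outputs are constructed samples modelled on the ones in this thread so that the script runs offline. live_check runs the real commands only when they are installed; like the manual steps it needs root for the NSS database and a Kerberos ticket for the GSSAPI bind.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): compare the ipaCert serial in
# /etc/httpd/alias with the serial stored in the ipara user's description attribute.
# Function names and the SAMPLE_* outputs below are constructed for this example.

# Extract the decimal serial from `certutil -L -d <db> -n ipaCert` output (stdin).
certutil_serial() {
    sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# Extract the serial, the second ';'-separated field of the description
# attribute, from `ldapsearch ... -b uid=ipara,ou=people,o=ipaca description` output (stdin).
ra_user_serial() {
    sed -n 's/^description: //p' | head -n 1 | cut -d';' -f2
}

# Compare the two serials: return 0 on a match, 1 otherwise. An empty NSS
# serial (ipaCert missing from the database) is also reported as a mismatch.
compare_serials() {
    nss="$1"; ldap="$2"
    if [ -n "$nss" ] && [ "$nss" = "$ldap" ]; then
        echo "OK: ipaCert serial $nss matches the ipara description attribute"
        return 0
    fi
    echo "MISMATCH: NSS ipaCert serial '$nss' vs ipara description serial '$ldap'"
    echo "  -> run ipa-certupdate on this master, then getcert resubmit -i <request-id>"
    return 1
}

# Live check against the real database and directory, only when the tools exist.
live_check() {
    command -v certutil >/dev/null 2>&1 && command -v ldapsearch >/dev/null 2>&1 || {
        echo "certutil/ldapsearch not available; skipping live check"; return 2; }
    nss=$(certutil -L -d /etc/httpd/alias -n ipaCert | certutil_serial)
    ldap=$(ldapsearch -Y GSSAPI -Q -LLL -b uid=ipara,ou=people,o=ipaca description | ra_user_serial)
    compare_serials "$nss" "$ldap"
}

# Constructed sample outputs modelled on the thread (serial 6 in NSS; the
# "stale" LDAP entry still points at serial 7).
SAMPLE_CERTUTIL='        Serial Number: 6 (0x6)'
SAMPLE_LDAP='dn: uid=ipara,ou=people,o=ipaca
description: 2;6;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA,O=IPA.EXAMPLE.COM'
SAMPLE_LDAP_STALE='dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA,O=IPA.EXAMPLE.COM'

# Offline demonstration: one mismatching and one matching comparison.
demo() {
    n=$(printf '%s\n' "$SAMPLE_CERTUTIL" | certutil_serial)
    compare_serials "$n" "$(printf '%s\n' "$SAMPLE_LDAP_STALE" | ra_user_serial)" || true
    compare_serials "$n" "$(printf '%s\n' "$SAMPLE_LDAP" | ra_user_serial)"
}
demo
```

Run it as root on the failing master and call live_check instead of demo; a mismatch is exactly the "renewed ipaCert not copied to this master" case Flo mentions, while a match (as in Jake's case) means the problem lies elsewhere in the renewal path.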
Hey Flo, everything matches:
$ sudo certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Signing-Cert                                                 u,u,u
IPA.EXAMPLE.COM IPA CA                                       CT,C,C
ipaCert                                                      u,u,u
Server-Cert                                                  u,u,u
CN=Certificate Authority Root,DC=example,DC=com              CT,C,C

$ sudo certutil -L -d /etc/httpd/alias/ -n ipaCert | grep Serial
        Serial Number: 6 (0x6)

$ kinit admin
Password for admin@IPA.EXAMPLE.COM:

$ ldapsearch -Y GSSAPI -Q -LLL -b uid=ipara,ou=people,o=ipaca description
dn: uid=ipara,ou=people,o=ipaca
description: 2;6;CN=Certificate Authority,O=IPA.EXAMPLE.COM;CN=IPA RA,O=IPA.EXAMPLE.COM
Any other ideas? Should I just run "ipa-certupdate" anyway?
Thanks! -Jake
----- Original Message -----
From: "Florence Blanc-Renaud" flo@redhat.com
To: "Jake" email@ml.jacobdevans.com, "freeipa-users" freeipa-users@lists.fedorahosted.org
Sent: Wednesday, May 24, 2017 5:00:52 AM
Subject: Re: [Freeipa-users] getcert list -d /etc/httpd/alias -n "Server-Cert" status: CA_UNREACHABLE
On 05/24/2017 03:27 PM, Jake via FreeIPA-users wrote:
Hi Jake,
you can enable the debug logs by creating a file /etc/ipa/server.conf with:

[global]
debug=True
then restart apache with systemctl restart httpd. You may have more information in /var/log/httpd/error_log.
The journal may also contain more information (journalctl -t certmonger and journalctl -u certmonger), and Dogtag logs also (/var/log/pki/pki-tomcat/ca/debug).
The normal behavior during a server cert renewal is that certmonger uses the CA helper (IPA in this case, so certmonger runs /usr/libexec/certmonger/ipa-submit). The helper connects to the IPA HTTP server and asks for renewal. IPA in turn contacts Dogtag. The logs may help you identify in which step the issue happens (if you run getcert resubmit, check which logs are incremented; this will tell you for instance whether IPA did or didn't contact Dogtag).
HTH, Flo
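A small helper for the "check which logs are incremented" step Flo suggests above, added as an example; it is not from this thread or the FreeIPA project. It snapshots the size of each log before and after a command such as getcert resubmit and reports which ones grew, then interprets the result along the renewal path Flo describes (certmonger, ipa-submit, IPA httpd, Dogtag). The function names, the LOGS default and the sample snapshots are my own; the journal is not a file, so certmonger's own messages still have to be read with journalctl -u certmonger. The demo uses temporary files in place of the real logs so it runs anywhere.

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): find out which logs grow
# while a command such as `getcert resubmit -i 20170428162941` runs.
# Function names, the LOGS default and the SAMPLE_* snapshots are constructed.

# Logs named in the thread; override with LOGS="..." in the environment.
LOGS="${LOGS:-/var/log/httpd/error_log /var/log/pki/pki-tomcat/ca/debug}"

# Size in bytes of one file, 0 when it does not exist.
log_size() {
    if [ -f "$1" ]; then wc -c < "$1" | tr -d ' '; else echo 0; fi
}

# One "size path" line per log in $LOGS.
snapshot() {
    for f in $LOGS; do printf '%s %s\n' "$(log_size "$f")" "$f"; done
}

# Given a before and an after snapshot, print the paths whose size increased.
# The first time awk sees a path it records the "before" size; the second time
# it compares the "after" size against it.
grown_logs() {
    printf '%s\n%s\n' "$1" "$2" | awk '
        !($2 in before) { before[$2] = $1 + 0; next }
        ($1 + 0 > before[$2]) { print $2 }'
}

# Run "$@", report which logs grew and what that says about where the
# renewal stopped, following the certmonger -> ipa-submit -> httpd -> Dogtag path.
watch_logs() {
    b=$(snapshot)
    "$@"
    a=$(snapshot)
    grown=$(grown_logs "$b" "$a")
    case "$grown" in
        "")           echo "no log grew: the request may never have reached the IPA HTTP server; check journalctl -u certmonger" ;;
        *pki-tomcat*) echo "Dogtag was contacted: look at the CA debug log for the failing step" ;;
        *error_log*)  echo "IPA httpd handled the request but the Dogtag log did not grow: check error_log for the RPC error" ;;
    esac
    printf '%s\n' "$grown"
}

# Constructed snapshots: only error_log grew between them.
SAMPLE_BEFORE='100 /var/log/httpd/error_log
40 /var/log/pki/pki-tomcat/ca/debug'
SAMPLE_AFTER='250 /var/log/httpd/error_log
40 /var/log/pki/pki-tomcat/ca/debug'

# Offline demonstration with temporary files standing in for the real logs;
# returns 0 when the httpd stand-in is the only log reported as grown.
demo() {
    d=$(mktemp -d) || return 1
    saved=$LOGS
    LOGS="$d/error_log $d/debug"
    : > "$d/error_log"; : > "$d/debug"
    # Stand-in for getcert resubmit: only the httpd log receives a (constructed) line.
    out=$(watch_logs sh -c "echo 'ipa: ERROR: constructed sample error line' >> '$d/error_log'")
    LOGS=$saved
    rm -rf "$d"
    echo "$out"
    case "$out" in *"$d/error_log") return 0 ;; *) return 1 ;; esac
}
demo
```

On a real master, run something like watch_logs getcert resubmit -i 20170428162941 as root, with debug=True already enabled as described above so that error_log actually records the IPA side of the request.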