Hi Freeipa-users,
I've done some more troubleshooting on my own and I'm still having issues related to this. https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
I've got all my certificates tracking but I'm stuck and can't get two of them to renew.
Request ID '20181230160145':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa1.cs.oberlin.edu:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=CS.OBERLIN.EDU
	subject: CN=CA Audit,O=CS.OBERLIN.EDU
	expires: 2018-12-31 13:28:03 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20181230160146':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://ipa1.cs.oberlin.edu:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=CS.OBERLIN.EDU
	subject: CN=OCSP Subsystem,O=CS.OBERLIN.EDU
	expires: 2018-12-31 13:26:43 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
I've already set the date back to Dec 30 of 2018 and tried "service certmonger restart". It doesn't work for these two.
As far as I can tell I can't renew these because I can't contact the CA renewal master running on the localhost. I'm inferring that from "ca-error: Error 7 connecting to http://ipa1.cs.oberlin.edu:8080/ca/ee/ca/profileSubmit: Couldn't connect to server."
Also I verified that I'm working on the Renewal master:
[root@ipa1 ca]# ipa config-show | grep "IPA CA renewal master"
IPA CA renewal master: ipa1.cs.oberlin.edu
I think the main cause of this is that I can't get the pki-tomcatd Service started.
[root@ipa1 ca]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: STOPPED
pki-tomcatd Service: STOPPED
ipa-otpd Service: STOPPED
ipa: INFO: The ipactl command was successful
When I look at /var/log/pki/pki-tomcat/ca/debug I get the following error:
Internal Database Error encountered: Could not connect to LDAP server host ipa1.cs.oberlin.edu port 636 Error netscape.ldap.LDAPException: Unable to create socket: org.mozilla.jss.ssl.SSLSocketException: org.mozilla.jss.ssl.SSLSocketException: SSL_ForceHandshake failed: (-8172) Peer's certificate issuer has been marked as not trusted by the user. (-1)
I'm not using 3rd party SSL's and never have.
I'm trying to start pki tomcat with this command:
# systemctl start pki-tomcatd@pki-tomcat.service
Any suggestions?
Solved!
I had orphaned RUV's...
I made sure I was logged into the server that is the CA replication master:
#ipa config-show | grep 'CA renewal master'
I listed all my replicas:
#ipa-replica-manage list
I removed all replicas (other than the box I am logged into):
#"ipa-replica-manage del"
I listed all the ruv's:
#ipa-replica-manage list-ruv
I removed all the ruv's:
# ipa-replica-manage clean-ruv
Then:
#service ntpd stop
After doing that I set the date back to when my certs were still valid:
#date 122910262018
Start all the IPA services manually and watch for errors:
#systemctl restart dirsrv@example.com
#systemctl restart krb5kdc
#systemctl restart httpd
#systemctl start kadmin
#systemctl start ipa-custodia
#systemctl start pki-tomcatd@pki-tomcat.service
##never figured out the one for the ipa-otpd Service (good luck)
Magically they all started without the replicas and ruv's!!
#getcert list
Confirms my two certs that are about to expire.
Try to renew them with a:
#service certmonger restart
Got the auditSigningCert to renew automatically with the certmonger restart. The ocspSigningCert was more stubborn:
#getcert resubmit -i 20181230160146
did the trick!
#getcert list
confirms all my dates are good.
#ntpdate time.yourserver.com
#ipactl restart
all was better! Hope this helps someone, maybe a future me.
Alas I still have one question... How bad is "unable to decode: {replica 3}" below and how do I fix it?
[root@ipa1 log]# ipa-replica-manage list-ruv
Directory Manager password:
unable to decode: {replica 3} 54e37389000100030000 54e37389000100030000
Replica Update Vectors:
	ipa1.cs.oberlin.edu:389: 10
Certificate Server Replica Update Vectors:
	ipa1.cs.oberlin.edu:389: 1095
	ipa1.cs.oberlin.edu:389: 96
freeipa-users@lists.fedorahosted.org
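The thread above was found late, with the CA subsystem certs a day from expiry and certmonger reporting CA_UNREACHABLE. The following is an added example (not from the post or from the FreeIPA project) of a small POSIX sh/awk check that reads `getcert list` output and flags every tracked request that is not in MONITORING, is marked stuck, or expires before a cutoff date, so the condition is noticed before the certs actually lapse. The sample `getcert list` text is constructed and modelled on the entries in the post; the hostnames, paths and request IDs in it are placeholders.

```shell
#!/bin/sh
# Constructed sample of `getcert list` output (modelled on the post; placeholders only).
sample_getcert_list() {
cat <<'EOF'
Request ID '20181230160145':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://ipa1.example.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2018-12-31 13:28:03 UTC
Request ID '20181230160150':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2019-01-10 08:00:00 UTC
Request ID '20181230160151':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2020-06-01 10:00:00 UTC
EOF
}

# check_certs CUTOFF  (CUTOFF is YYYY-MM-DD): read `getcert list` output on stdin and
# print "<request id> (<nickname>): <reasons>" for every request that is not in
# MONITORING, is marked stuck, or expires before CUTOFF. Prints nothing when all is well.
check_certs() {
  awk -v cutoff="$1" -v q="'" '
    function flush(   reason) {
      if (id == "") return
      reason = ""
      if (status != "MONITORING") reason = reason " status=" status
      if (stuck == "yes")         reason = reason " stuck"
      if (expires != "" && substr(expires, 1, 10) < cutoff) reason = reason " expires=" expires
      if (reason != "") print id " (" nick "):" reason
      id = ""; status = ""; stuck = ""; expires = ""; nick = ""
    }
    /^Request ID/         { flush(); split($0, a, q); id = a[2]; next }
    /^[ \t]*status:/      { status = $2 }
    /^[ \t]*stuck:/       { stuck = $2 }
    /^[ \t]*expires:/     { expires = $2 " " $3 " " $4 }
    /^[ \t]*certificate:/ {
      re = "nickname=" q "[^" q "]*" q      # regex built at runtime to avoid quoting the apostrophe
      if (match($0, re)) nick = substr($0, RSTART + 10, RLENGTH - 11)
    }
    END { flush() }
  '
}

# Real use on an IPA server (GNU date): getcert list | check_certs "$(date -d '+30 days' +%F)"
sample_getcert_list | check_certs 2019-01-15
```

Run from cron with a cutoff a few weeks out, a non-empty result is the signal that a renewal is failing while the CA is still up, which is the point at which `getcert resubmit -i <id>` still has a reachable CA to talk to.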