Il 08/01/2018 17:26, Rob Crittenden ha scritto:

Giulio Casella via FreeIPA-users wrote:

You need to stop ntpd, use date to go back when the web server cert is still valid, then restart certmonger. That generally will do it.

Hi Rob, I already tried with date few hours before expiration, with no luck: certmonger cannot perform cert update.

Queued requests remain in "SUBMITTING" status, I tried to launch certmonger in foreground (-d 10), here's a snippet of the output:

2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state 'HAVE_CSR' 2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409'). 2018-01-08 01:17:09 [6235] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic Crypto Services). 2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'. 2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname ("Server-Cert"). 2018-01-08 01:17:09 [6235] Located its private key. 2018-01-08 01:17:09 [6235] Recovered public key from private key. 2018-01-08 01:17:09 [6235] Key is an RSA key. 2018-01-08 01:17:09 [6235] Key size is 2048. 2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'. 2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping. 2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'. 2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert". 2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state 'HAVE_KEYINFO' 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'NEED_CSR' 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:10 [6000] Started Request9('20171205091409'). 2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for 0x561b59c82750:0x561b59c98940. 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'GENERATING_CSR' 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on traffic from 27. 2018-01-08 01:17:11 [6263] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic Crypto Services). 2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'. 2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname ("Server-Cert"). 2018-01-08 01:17:11 [6263] Located its private key. 2018-01-08 01:17:11 [6263] Recovered public key from private key. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'HAVE_CSR' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'NEED_TO_SUBMIT' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'SUBMITTING' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on traffic from 31. ^C2018-01-08 01:17:14 [6000] Got signal 2. 2018-01-08 01:17:14 [6000] Shutting down.

I'm stuck...

Thank you for your time.

rob

...

Is there a way to force update?

Here's my output of "getcert list":

Number of certificates and requests being tracked: 9. Request ID '20170915095009': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-09-15 09:50:10 UTC principal name: krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL@LINUX.UNICLOUDIDATTICA.LOCAL certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20171205091347': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:19:44 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091349': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:18:07 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091350': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:19:43 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091351': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2038-01-08 00:16:58 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091352': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:18:14 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20171205091353': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-20 10:02:31 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091357': status: CA_UNREACHABLE ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:24:22 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LINUX-UNICLOUDIDATTICA-LOCAL track: yes auto-renew: yes Request ID '20171205091409': status: CA_UNREACHABLE ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:33:05 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes

Thanks in advance, Giulio _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote:

After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500." when certmonger tries to renew httpd/dirsrv certificate.

Any ideas to correctly debug this issue?

Here are some things to check:

What is the validity of /var/lib/ipa/ra-agent.pem at the time you set the clock back to? Is it possible that you have gone earlier than its `notBefore' time?

Is that certificate in sync with the userCertificate attribute of the `uid=ipara,ou=people,o=ipaca' LDAP entry?

What does the /var/log/pki/pki-tomcat/ca/debug log contain?

Cheers, Fraser

Il 08/01/2018 17:56, Giulio Casella via FreeIPA-users ha scritto:

...

Il 08/01/2018 17:26, Rob Crittenden ha scritto:

...

Giulio Casella via FreeIPA-users wrote:

You need to stop ntpd, use date to go back when the web server cert is still valid, then restart certmonger. That generally will do it.

Hi Rob, I already tried with date few hours before expiration, with no luck: certmonger cannot perform cert update.

Queued requests remain in "SUBMITTING" status, I tried to launch certmonger in foreground (-d 10), here's a snippet of the output:

2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state 'HAVE_CSR' 2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409'). 2018-01-08 01:17:09 [6235] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic Crypto Services). 2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'. 2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname ("Server-Cert"). 2018-01-08 01:17:09 [6235] Located its private key. 2018-01-08 01:17:09 [6235] Recovered public key from private key. 2018-01-08 01:17:09 [6235] Key is an RSA key. 2018-01-08 01:17:09 [6235] Key size is 2048. 2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'. 2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping. 2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'. 2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert". 2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state 'HAVE_KEYINFO' 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'NEED_CSR' 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:10 [6000] Started Request9('20171205091409'). 2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for 0x561b59c82750:0x561b59c98940. 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'GENERATING_CSR' 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on traffic from 27. 2018-01-08 01:17:11 [6263] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic Crypto Services). 2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'. 2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname ("Server-Cert"). 2018-01-08 01:17:11 [6263] Located its private key. 2018-01-08 01:17:11 [6263] Recovered public key from private key. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'HAVE_CSR' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'NEED_TO_SUBMIT' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'SUBMITTING' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on traffic from 31. ^C2018-01-08 01:17:14 [6000] Got signal 2. 2018-01-08 01:17:14 [6000] Shutting down.

I'm stuck...

Thank you for your time.

...

rob

...

Is there a way to force update?

Here's my output of "getcert list":

Number of certificates and requests being tracked: 9. Request ID '20170915095009': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-09-15 09:50:10 UTC principal name: krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL@LINUX.UNICLOUDIDATTICA.LOCAL certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20171205091347': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert

cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert

cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:19:44 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091349': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:18:07 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091350': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:19:43 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091351': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2038-01-08 00:16:58 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091352': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:18:14 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20171205091353': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-20 10:02:31 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091357': status: CA_UNREACHABLE ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS

Certificate DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS

Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:24:22 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LINUX-UNICLOUDIDATTICA-LOCAL track: yes auto-renew: yes Request ID '20171205091409': status: CA_UNREACHABLE ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:33:05 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes

Thanks in advance, Giulio _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users wrote:

Hi Fraser,

Il 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users ha scritto:

...

On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote:

...

After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500." when certmonger tries to renew httpd/dirsrv certificate.

Any ideas to correctly debug this issue?

Here are some things to check:

What is the validity of /var/lib/ipa/ra-agent.pem at the time you set the clock back to? Is it possible that you have gone earlier than its `notBefore' time?

I've set date between "Not Before" and "Not After" of /var/lib/ipa/ra-agent.pem

...

Is that certificate in sync with the userCertificate attribute of the `uid=ipara,ou=people,o=ipaca' LDAP entry?

I don't have that entry in ldap; I tried to find in ldap a "userCertificate" with subject " O=MY.DOM.AIN, CN=IPA RA" (the same of /var/lib/ipa/ra-agent.pem). Its distinguished name is "dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=my,dc=dom,dc=ain"

and is indeed different from cert /var/lib/ipa/ra-agent.pem (the one in ldap is newer).

You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), not the FreeIPA DIT. You should check on a CA replica.

Do you think I can try to substitute the entry in ldap with the cert from /var/lib/ipa/ra-agent.pem?

We really need to check what the userCertificate attribute of `uid=ipara,ou=people,o=ipaca' is, and whether it matches ra-agent.pem (and if not, how it differs). The entry should certainly exist in the Dogtag DIT, on CA replicas.

Knowing that will help decide the way forward.

...

What does the /var/log/pki/pki-tomcat/ca/debug log contain?

After a few digging I've seen nothing relevant...

OK. If it is an authentication error you won't necessary see a lot - from Dogtag's point of view is is not actually an error. It would get logged but not prominenty.

...

Cheers, Fraser

...

Il 08/01/2018 17:56, Giulio Casella via FreeIPA-users ha scritto:

...

Il 08/01/2018 17:26, Rob Crittenden ha scritto:

...

Giulio Casella via FreeIPA-users wrote:

You need to stop ntpd, use date to go back when the web server cert is still valid, then restart certmonger. That generally will do it.

Hi Rob, I already tried with date few hours before expiration, with no luck: certmonger cannot perform cert update.

Queued requests remain in "SUBMITTING" status, I tried to launch certmonger in foreground (-d 10), here's a snippet of the output:

2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state 'HAVE_CSR' 2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409'). 2018-01-08 01:17:09 [6235] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic Crypto Services). 2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'. 2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname ("Server-Cert"). 2018-01-08 01:17:09 [6235] Located its private key. 2018-01-08 01:17:09 [6235] Recovered public key from private key. 2018-01-08 01:17:09 [6235] Key is an RSA key. 2018-01-08 01:17:09 [6235] Key size is 2048. 2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'. 2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping. 2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'. 2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert". 2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state 'HAVE_KEYINFO' 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'NEED_CSR' 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:10 [6000] Started Request9('20171205091409'). 2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for 0x561b59c82750:0x561b59c98940. 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'GENERATING_CSR' 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on traffic from 27. 2018-01-08 01:17:11 [6263] Read value "0" from "/proc/sys/crypto/fips_enabled". 2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode. 2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic Crypto Services). 2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'. 2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname ("Server-Cert"). 2018-01-08 01:17:11 [6263] Located its private key. 2018-01-08 01:17:11 [6263] Recovered public key from private key. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'HAVE_CSR' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'NEED_TO_SUBMIT' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now. 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'SUBMITTING' 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on traffic from 31. ^C2018-01-08 01:17:14 [6000] Got signal 2. 2018-01-08 01:17:14 [6000] Shutting down.

I'm stuck...

Thank you for your time.

...

rob

...

Is there a way to force update?

Here's my output of "getcert list":

Number of certificates and requests being tracked: 9. Request ID '20170915095009': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key' certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt' CA: SelfSign issuer: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-09-15 09:50:10 UTC principal name: krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL@LINUX.UNICLOUDIDATTICA.LOCAL certificate template/profile: KDCs_PKINIT_Certs pre-save command: post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert track: yes auto-renew: yes Request ID '20171205091347': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert

cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert

cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:19:44 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091349': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:18:07 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091350': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:19:43 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091351': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2038-01-08 00:16:58 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091352': status: MONITORING stuck: no key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key' certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-21 07:18:14 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20171205091353': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2019-11-20 10:02:31 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20171205091357': status: CA_UNREACHABLE ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS

Certificate DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS

Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:24:22 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LINUX-UNICLOUDIDATTICA-LOCAL track: yes auto-renew: yes Request ID '20171205091409': status: CA_UNREACHABLE ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:33:05 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes

Thanks in advance, Giulio _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

-- Giulio Casella giulio at di.unimi.it System and network architect Computer Science Dept. - University of Milano _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote:

Il 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users ha scritto:

...

You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), not the FreeIPA DIT. You should check on a CA replica.

I don't have a replica right now (I'm in the middle of a disaster!)...

"CA replica" just means any IPA master that has the Dogtag CA installed.

You have a Dogtag CA. That CA uses an LDAP database, which has basedn `o=ipaca'. That database should have the entry I indicated, whose `userCertificate' attribute we are interested in.

Some more detail: setting system date in an interval in which all certificates are valid, certmonger leave requests in "SUBMITTING" state. Outside this interval requests go in "CA_UNREACHABLE" state (post to https://$SERVER/ipa/xml gives http 500).

All this issue has begun with a (damn!) "ipa-cacert-manage renew", tried because services certificates weren't updated by certmonger.

Now the question is: is there a way to rollback this operation in order to perform the date-in-the-past trick?

There's no simple rollback, but I'm confident the situation is recoverable. It will require a methodical examination of the state of the system. This will take time (especially over email, across timezones).

Here are some notes I made about how cert renewal works in FreeIPA, what the different certs are used for, things that have to line up and troubleshooting ideas. It is not comprehensive but perhaps it will help. https://github.com/frasertweedale/talks/blob/master/2017-11-01-ipa-cert-rene...

Cheers, Fraser

TIA, Giulio

On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote:

Il 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users ha scritto:

...

"CA replica" just means any IPA master that has the Dogtag CA installed.

You have a Dogtag CA. That CA uses an LDAP database, which has basedn `o=ipaca'. That database should have the entry I indicated, whose `userCertificate' attribute we are interested in.

Ok, sorry for my low IPA CA knowledge :-)

No problem.

I've got 4 userCertificate entries in that entry, last one is the same cert as /var/lib/ipa/ra-agent.pem

Remove all the userAttribute values except the one that matches ra-agent.pem.

You also suggested earlier to update that entry in the IPA DIT under `cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is only one CA master in the topology (the one you're working on) you can ignore this. Otherwise you should either update its userCertificate value with the content of ra_agent.pem, OR you can simply delete the entry.

Do this all while the clock is set back to when the certs are all valid. Then restart IPA; confirm that all the components start properly, then attempt to renew the service certificates.

See how you go with that. Hopefully it will be progress, at least.

Cheers, Fraser

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

Giulio Casella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:

Done, ipactl status report everything running,

That's not correct, see below.

but certificates don't renew. Looking at certmonger (in debug mod) I can see:

"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).

internal error from apache

Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused).

no apache running

Have I to try to remove/re-add monitoring from certmonger for service certificates?

No - try to find out the errors above. Leave certmonger alone until you fixed apache/dogtag.

Jochen

Giulio Casella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:

Il 09/01/2018 18:19, Jochen Hein via FreeIPA-users ha scritto:

...

Giulio Casella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:

...

Done, ipactl status report everything running,

That's not correct, see below.

...

but certificates don't renew. Looking at certmonger (in debug mod) I can see:

"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).

internal error from apache

...

Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused).

no apache running

I don't think so. HTTP 500 doesn't mean apache is not running, but an internal server error. Indeed I can reach the administration web ui. Login fails due to time skew, but apache is fully responsive.

Have a look again: Host idc01 delivers 500 - internal error. Host idc02 has no apache running ("connection refused").

Apache return 500 when something behind the scene fails (maybe the pki-tomcat part, following a post to api).

Yes, try fixing idc01 - most probably dogtag/pki-tomcat there.

Jochen

Fraser, some more info:

In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:

172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -

I think this is the http 500 reported by certmonger.

And in /var/log/pki/pki-tomcat/localhost.2018-01-08.log:

Jan 08, 2018 2:08:27 AM org.apache.catalina.core.StandardWrapperValve invoke SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/pkix-cert at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372) at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179) [...snip...]

Il 09/01/2018 15:38, Giulio Casella via FreeIPA-users ha scritto:

Il 09/01/2018 14:42, Fraser Tweedale ha scritto:

...

Remove all the userAttribute values except the one that matches ra-agent.pem.

Removed, only the matching one remains.

...

You also suggested earlier to update that entry in the IPA DIT under `cn=ca_renewal,cn=ipa,cn=etc,{basedn}'.  If there is only one CA master in the topology (the one you're working on) you can ignore this.  Otherwise you should either update its userCertificate value with the content of ra_agent.pem, OR you can simply delete the entry.

Do this all while the clock is set back to when the certs are all valid.  Then restart IPA; confirm that all the components start properly, then attempt to renew the service certificates.

Done, ipactl status report everything running, but certificates don't renew. Looking at certmonger (in debug mod) I can see:

"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ). Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused). " 2018-01-08 01:03:31 [21961] Certificate not (yet?) issued. 2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state 'CA_UNREACHABLE'

even after a getcert resubmit -i 20171205091409

Have I to try to remove/re-add monitoring from certmonger for service certificates?

...

See how you go with that.  Hopefully it will be progress, at least.

Cheers, Fraser

...

---

FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org

Il 10/01/2018 11:01, Giulio Casella via FreeIPA-users ha scritto:

Il 10/01/2018 10:49, Giulio Casella via FreeIPA-users ha scritto:

...

Fraser, some more info:

In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:

172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472 172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -

It seems that someone is looking for an authority with uuid 13b94be3-f918-42e3-abeb-a2210150f28d.

A little test with rest API (via curl) calling /ca/rest/authorities, reports a xml collection of authorities, composed only by one authority with a uuid 87f9c5e4-c7e8-4c4d-ac5e-5ee87a915576 (different from the one called!)

BINGO! I tried to substitute wrong uuid in ipaCaId (dn: cn=ipa,cn=cas,cn=ca,dc=my,dc=dom,dc=ain) with correct one in ldap, and everything seems to work now.

Thank you Fraser and every guy that helped me solve this issue.

Cheers, Giulio

Il 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users ha scritto:

Great! I'm glad you got to the bottom of it. Just curious - were there / are there multiple authority entries in LDAP underneath ou=authorities,ou=ca,o=ipaca?

No, there weren't (now, after solving initial problem, I setup a replica with --setup-ca, and I have 2 authorities).

I have seen this sort of problem once before, when experimenting with changing the CA Subject DN. I wonder if the CA certificate renewal that started all this off worked properly... are you using an externally signed CA cert?

No, I'm using only IPA internal CA. I really don't know where everything started; for sure my cerificates weren't renewed, and when I found this issues, trying to resolve, I issued a ipa-cacert-manage renew (I promise, I won't do it anymore!)

Thanks again, Giulio