Hi, I've got a problem with certificate expiration. My setup is a CA-ful IPA installation, ipa-server-4.5.0-22 on a CentOS 7 host.
I've been able to run ipa-cacert-manage renew after setting the date in the past, but the server certs (dirsrv and httpd) are not updated.
Is there a way to force an update?
Here's my output of "getcert list":
Number of certificates and requests being tracked: 9.
Request ID '20170915095009':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
	certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
	CA: SelfSign
	issuer: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2018-09-15 09:50:10 UTC
	principal name: krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL@LINUX.UNICLOUDIDATTICA.LOCAL
	certificate template/profile: KDCs_PKINIT_Certs
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
	track: yes
	auto-renew: yes
Request ID '20171205091347':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2019-11-21 07:19:44 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171205091349':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2019-11-21 07:18:07 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171205091350':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2019-11-21 07:19:43 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171205091351':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2038-01-08 00:16:58 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171205091352':
	status: MONITORING
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2019-11-21 07:18:14 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20171205091353':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2019-11-20 10:02:31 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171205091357':
	status: CA_UNREACHABLE
	ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2018-01-08 08:24:22 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LINUX-UNICLOUDIDATTICA-LOCAL
	track: yes
	auto-renew: yes
Request ID '20171205091409':
	status: CA_UNREACHABLE
	ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
	subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
	expires: 2018-01-08 08:33:05 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/libexec/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Thanks in advance, Giulio
Giulio Casella via FreeIPA-users wrote:
Hi, I've got a problem with certificate expiration. My setup is a CA-ful IPA installation, ipa-server-4.5.0-22 on a CentOS 7 host.
I've been able to run ipa-cacert-manage renew after setting the date in the past, but the server certs (dirsrv and httpd) are not updated.
ipa-cacert-manage is NOT how you renew server certificates. It is how you renew the _CA_ certificate, which is generally good for 20 years.
You need to stop ntpd, use date to go back to when the web server cert was still valid, then restart certmonger. That generally will do it.
rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
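Rob's steps above (stop time sync, wind the clock back into the window where the expired server certs were still valid, restart certmonger) can be derived from the `getcert list` output itself. The following is an added example, not FreeIPA's or certmonger's own code: it parses a pasted `getcert list` listing, picks out every tracked certificate that has already expired relative to a given "now", and prints, without running, the commands an operator would type. The six-hour margin before the earliest expiry, the choice of `ntpd` as the time-sync service, and the `getcert resubmit -i` lines (an explicit nudge per stuck request, which is not one of Rob's steps) are assumptions of the example; the sample listing is constructed from the stanzas in Giulio's message.

```python
"""Turn `getcert list` output into a clock roll-back plan.

Added example, not FreeIPA's or certmonger's own code. It parses the text that
`getcert list` prints, finds every tracked certificate that is already expired
relative to a given "now", and proposes a time a few hours before the earliest
of those expiries, so certmonger can again reach the IPA CA over a still-valid
HTTPS certificate. It only prints commands; it never touches the system clock.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"            # the format getcert prints
REQUEST_RE = re.compile(r"Request ID '([^']+)':")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' stanza, keeping only the fields used here."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1), "status": None, "ca": None,
                       "ca_error": None, "certificate": None, "expires": None}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue                                 # header line or noise
        key, value = (s.strip() for s in line.split(":", 1))
        if key == "status":
            current["status"] = value
        elif key == "ca-error":                      # e.g. the -504 libcurl text
            current["ca_error"] = value
        elif key == "CA":
            current["ca"] = value
        elif key == "certificate":                   # NSSDB/FILE location of the cert
            current["certificate"] = value
        elif key == "expires":
            current["expires"] = datetime.strptime(value, EXPIRES_FMT).replace(tzinfo=timezone.utc)
    return requests


def expired_requests(requests, now):
    """Tracked certs whose notAfter is at or before `now`, earliest first."""
    expired = [r for r in requests if r["expires"] and r["expires"] <= now]
    return sorted(expired, key=lambda r: r["expires"])


def rollback_time(requests, now, margin=timedelta(hours=6)):
    """Earliest expiry among the expired certs minus the margin, or None."""
    expired = expired_requests(requests, now)
    if not expired:
        return None
    return expired[0]["expires"] - margin


def plan(text, now, margin=timedelta(hours=6)):
    """The commands an operator would run, as a list of strings; nothing is executed."""
    requests = parse_getcert_list(text)
    expired = expired_requests(requests, now)
    target = rollback_time(requests, now, margin)
    if target is None:
        return ["# nothing tracked by certmonger has expired; no clock roll-back needed"]
    cmds = [
        "# expired: " + ", ".join("%s (%s)" % (r["id"], r["certificate"]) for r in expired),
        "systemctl stop ntpd    # or chronyd, whichever keeps this host's time (assumed: ntpd)",
        'date -u -s "%s"' % target.strftime("%Y-%m-%d %H:%M:%S"),
        "systemctl restart certmonger",
    ]
    cmds += ["getcert resubmit -i %s" % r["id"] for r in expired]   # assumed extra nudge per stuck request
    cmds.append("# once `getcert list` shows MONITORING again: systemctl start ntpd")
    return cmds


# Constructed sample, modelled on three stanzas of the listing in the thread.
SAMPLE_NOW = datetime(2018, 1, 8, 17, 0, 0, tzinfo=timezone.utc)
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 3.
Request ID '20171205091353':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2019-11-20 10:02:31 UTC
Request ID '20171205091357':
        status: CA_UNREACHABLE
        ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2018-01-08 08:24:22 UTC
Request ID '20171205091409':
        status: CA_UNREACHABLE
        ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        expires: 2018-01-08 08:33:05 UTC
"""

if __name__ == "__main__":
    # Pipe real output in: `getcert list | python3 cert_rollback_plan.py`.
    # With no input on stdin it runs against the constructed sample as of SAMPLE_NOW.
    if sys.stdin.isatty():
        text, now = SAMPLE_GETCERT, SAMPLE_NOW
    else:
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    print("\n".join(plan(text, now)))
```

Two caveats when using a plan like this: `getcert list` does not print notBefore, so the margin has to keep the target inside each cert's validity window (a few hours before expiry is safe for the two-year service certs here, but check with `certutil -L -d <dir> -n <nickname>` if in doubt), and winding the clock back on an IPA server also affects Kerberos ticket checks and replication on that host, so stop time sync first, as Rob says, and restore it as soon as the renewals land.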
On 08/01/2018 17:26, Rob Crittenden wrote:
Giulio Casella via FreeIPA-users wrote:
You need to stop ntpd, use date to go back when the web server cert is still valid, then restart certmonger. That generally will do it.
Hi Rob, I already tried setting the date a few hours before expiration, with no luck: certmonger cannot perform the cert update.
Queued requests remain in "SUBMITTING" status. I tried launching certmonger in the foreground (-d 10); here's a snippet of the output:
2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state 'HAVE_CSR'
2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409').
2018-01-08 01:17:09 [6235] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic Crypto Services).
2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'.
2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname ("Server-Cert").
2018-01-08 01:17:09 [6235] Located its private key.
2018-01-08 01:17:09 [6235] Recovered public key from private key.
2018-01-08 01:17:09 [6235] Key is an RSA key.
2018-01-08 01:17:09 [6235] Key size is 2048.
2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'.
2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'.
2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert".
2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state 'HAVE_KEYINFO'
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'NEED_CSR'
2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:10 [6000] Started Request9('20171205091409').
2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for 0x561b59c82750:0x561b59c98940.
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'GENERATING_CSR'
2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on traffic from 27.
2018-01-08 01:17:11 [6263] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic Crypto Services).
2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'.
2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname ("Server-Cert").
2018-01-08 01:17:11 [6263] Located its private key.
2018-01-08 01:17:11 [6263] Recovered public key from private key.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'HAVE_CSR'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'NEED_TO_SUBMIT'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'SUBMITTING'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on traffic from 31.
^C2018-01-08 01:17:14 [6000] Got signal 2.
2018-01-08 01:17:14 [6000] Shutting down.
I'm stuck...
Thank you for your time.
After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500." when certmonger tries to renew httpd/dirsrv certificate.
Any ideas to correctly debug this issue?
On 08/01/2018 17:56, Giulio Casella via FreeIPA-users wrote:
On 08/01/2018 17:26, Rob Crittenden wrote:
Giulio Casella via FreeIPA-users wrote:
You need to stop ntpd, use date to go back to when the web server cert was still valid, then restart certmonger. That generally will do it.
Hi Rob, I already tried setting the date a few hours before expiration, with no luck: certmonger cannot perform the cert update.
Queued requests remain in "SUBMITTING" status. I tried launching certmonger in the foreground (-d 10); here's a snippet of the output:
Certificate DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS
Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:24:22 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LINUX-UNICLOUDIDATTICA-LOCAL track: yes auto-renew: yes Request ID '20171205091409': status: CA_UNREACHABLE ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.). stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL expires: 2018-01-08 08:33:05 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes
Thanks in advance,
Giulio

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote:
After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500." when certmonger tries to renew httpd/dirsrv certificate.
Any ideas to correctly debug this issue?
Here are some things to check:
What is the validity of /var/lib/ipa/ra-agent.pem at the time you set the clock back to? Is it possible that you have gone earlier than its `notBefore' time?
Is that certificate in sync with the userCertificate attribute of the `uid=ipara,ou=people,o=ipaca' LDAP entry?
What does the /var/log/pki/pki-tomcat/ca/debug log contain?
Cheers, Fraser
On 08/01/2018 17:56, Giulio Casella via FreeIPA-users wrote:
On 08/01/2018 17:26, Rob Crittenden wrote:
Giulio Casella via FreeIPA-users wrote:
You need to stop ntpd, use date to go back when the web server cert is still valid, then restart certmonger. That generally will do it.
Hi Rob, I already tried setting the date a few hours before expiration, with no luck: certmonger cannot perform the cert update.
Queued requests remain in "SUBMITTING" status, I tried to launch certmonger in foreground (-d 10), here's a snippet of the output:
2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state 'HAVE_CSR'
2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409').
2018-01-08 01:17:09 [6235] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic Crypto Services).
2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'.
2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname ("Server-Cert").
2018-01-08 01:17:09 [6235] Located its private key.
2018-01-08 01:17:09 [6235] Recovered public key from private key.
2018-01-08 01:17:09 [6235] Key is an RSA key.
2018-01-08 01:17:09 [6235] Key size is 2048.
2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'.
2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'.
2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert".
2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state 'HAVE_KEYINFO'
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'NEED_CSR'
2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:10 [6000] Started Request9('20171205091409').
2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for 0x561b59c82750:0x561b59c98940.
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'GENERATING_CSR'
2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on traffic from 27.
2018-01-08 01:17:11 [6263] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic Crypto Services).
2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'.
2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname ("Server-Cert").
2018-01-08 01:17:11 [6263] Located its private key.
2018-01-08 01:17:11 [6263] Recovered public key from private key.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'HAVE_CSR'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'NEED_TO_SUBMIT'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'SUBMITTING'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on traffic from 31.
^C2018-01-08 01:17:14 [6000] Got signal 2.
2018-01-08 01:17:14 [6000] Shutting down.
I'm stuck...
Thank you for your time.
rob
Hi Fraser,
On 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote:
After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500." when certmonger tries to renew httpd/dirsrv certificate.
Any ideas to correctly debug this issue?
Here are some things to check:
What is the validity of /var/lib/ipa/ra-agent.pem at the time you set the clock back to? Is it possible that you have gone earlier than its `notBefore' time?
I've set the date between "Not Before" and "Not After" of /var/lib/ipa/ra-agent.pem.
Is that certificate in sync with the userCertificate attribute of the `uid=ipara,ou=people,o=ipaca' LDAP entry?
I don't have that entry in LDAP; I tried to find in LDAP a "userCertificate" with subject "O=MY.DOM.AIN, CN=IPA RA" (the same as /var/lib/ipa/ra-agent.pem). Its distinguished name is "dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=my,dc=dom,dc=ain"
and it is indeed different from the cert in /var/lib/ipa/ra-agent.pem (the one in LDAP is newer).
Do you think I can try to substitute the entry in LDAP with the cert from /var/lib/ipa/ra-agent.pem?
What does the /var/log/pki/pki-tomcat/ca/debug log contain?
After some digging I've seen nothing relevant...
On Tue, Jan 09, 2018 at 10:40:32AM +0100, Giulio Casella via FreeIPA-users wrote:
Hi Fraser,
On 09/01/2018 07:44, Fraser Tweedale via FreeIPA-users wrote:
On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote:
After some time, requests go "CA_UNREACHABLE", caused by "RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500." when certmonger tries to renew httpd/dirsrv certificate.
Any ideas to correctly debug this issue?
Here are some things to check:
What is the validity of /var/lib/ipa/ra-agent.pem at the time you set the clock back to? Is it possible that you have gone earlier than its `notBefore' time?
I've set date between "Not Before" and "Not After" of /var/lib/ipa/ra-agent.pem
Is that certificate in sync with the userCertificate attribute of the `uid=ipara,ou=people,o=ipaca' LDAP entry?
I don't have that entry in ldap; I tried to find in ldap a "userCertificate" with subject " O=MY.DOM.AIN, CN=IPA RA" (the same of /var/lib/ipa/ra-agent.pem). Its distinguished name is "dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=my,dc=dom,dc=ain"
and is indeed different from cert /var/lib/ipa/ra-agent.pem (the one in ldap is newer).
You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), not the FreeIPA DIT. You should check on a CA replica.
Do you think I can try to substitute the entry in ldap with the cert from /var/lib/ipa/ra-agent.pem?
We really need to check what the userCertificate attribute of `uid=ipara,ou=people,o=ipaca' is, and whether it matches ra-agent.pem (and if not, how it differs). The entry should certainly exist in the Dogtag DIT, on CA replicas.
Knowing that will help decide the way forward.
What does the /var/log/pki/pki-tomcat/ca/debug log contain?
After a few digging I've seen nothing relevant...
OK. If it is an authentication error you won't necessarily see a lot - from Dogtag's point of view it is not actually an error. It would get logged but not prominently.
Cheers, Fraser
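The two checks Fraser asks for above (is the rolled-back clock inside ra-agent.pem's validity window, and does ra-agent.pem match the userCertificate;binary value of uid=ipara,ou=people,o=ipaca), together with Rob's precondition that the web server cert must still be valid at the chosen time, as an added shell example that is not part of this thread and not FreeIPA's own tooling. It computes the intersection of the validity windows of every cert in the renewal path, which is the only range of clock values at which all of them are valid at once, and it compares the on-disk RA cert with the LDAP copy by SHA-256 fingerprint, unwrapping the base64 continuation lines that ldapsearch prints. Assumptions: a POSIX sh with openssl, awk and GNU date (as on CentOS 7); the function names are mine; the certs stored in NSS databases have been exported to PEM first.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA. Assumes POSIX sh
# with openssl, awk and GNU date (CentOS 7). Function names are the author's.
set -eu

# notBefore and notAfter of a PEM cert as epoch seconds, printed as "NB NA".
cert_window() {
    nb=$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')
    na=$(openssl x509 -in "$1" -noout -enddate   | sed 's/^notAfter=//')
    printf '%s %s\n' "$(date -u -d "$nb" +%s)" "$(date -u -d "$na" +%s)"
}

# Intersection of the validity windows of all certs given: latest notBefore
# to earliest notAfter. Only a clock value inside it lets the expired
# Server-Cert, ra-agent.pem and the CA cert all verify at the same time.
# Prints "START END"; END < START means no such instant exists.
safe_window() {
    start=0; end=9999999999
    for pem in "$@"; do
        w=$(cert_window "$pem"); nb=${w% *}; na=${w#* }
        [ "$nb" -gt "$start" ] && start=$nb
        [ "$na" -lt "$end" ] && end=$na
    done
    printf '%s %s\n' "$start" "$end"
}

# 0 if epoch $2 lies inside cert $1's validity window, 1 otherwise
# (the "earlier than its notBefore" case Fraser asks about).
valid_at() {
    w=$(cert_window "$1"); nb=${w% *}; na=${w#* }
    [ "$2" -ge "$nb" ] && [ "$2" -le "$na" ]
}

# SHA-256 fingerprint of a PEM cert, label stripped.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Same for a DER cert given as one base64 string (the form in which LDAP
# returns userCertificate;binary).
der_b64_fingerprint() {
    printf '%s' "$1" | openssl base64 -d -A \
        | openssl x509 -inform DER -noout -fingerprint -sha256 | sed 's/^.*=//'
}

# Extract a base64 ("::") attribute from LDIF on stdin, joining the
# continuation lines ldapsearch emits (lines that start with one space).
ldif_b64_value() {
    awk -v attr="$1" '
        /^ /  { if (grab) val = val substr($0, 2); next }
              { if (grab) exit }
        index($0, attr "::") == 1 {
            grab = 1; val = substr($0, length(attr) + 3); sub(/^ */, "", val)
        }
        END   { print val }'
}

# 0 if PEM cert $1 is the same cert as the userCertificate;binary value in
# the LDIF on stdin, 1 if the entry is missing or holds a different cert.
ra_cert_in_sync() {
    b64=$(ldif_b64_value 'userCertificate;binary')
    [ -n "$b64" ] && [ "$(pem_fingerprint "$1")" = "$(der_b64_fingerprint "$b64")" ]
}

# Usage: sh clock-check.sh /etc/ipa/ca.crt /var/lib/ipa/ra-agent.pem httpd-server-cert.pem ...
if [ "$#" -gt 0 ]; then
    w=$(safe_window "$@"); s=${w% *}; e=${w#* }
    if [ "$e" -lt "$s" ]; then
        echo "no instant exists at which all $# certificates are valid together"
    else
        echo "set the clock between $(date -u -d "@$s") and $(date -u -d "@$e")"
    fi
fi
```

Export the NSS-stored server certs before feeding them in, e.g. `certutil -L -d /etc/httpd/alias -n Server-Cert -a > httpd-server-cert.pem` (same for the dirsrv database), and take the LDIF for the sync check from a CA replica, where o=ipaca is served: `ldapsearch -LLL -x -D 'cn=Directory Manager' -W -b 'uid=ipara,ou=people,o=ipaca' 'userCertificate;binary' | sh -c '. ./clock-check.sh; ra_cert_in_sync /var/lib/ipa/ra-agent.pem'`. Pick the rollback time inside the printed window, with ntpd stopped as Rob says, and expect Kerberos to reject tickets for clock skew until the clock is restored.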
Il 08/01/2018 17:56, Giulio Casella via FreeIPA-users ha scritto:
Il 08/01/2018 17:26, Rob Crittenden ha scritto:
Giulio Casella via FreeIPA-users wrote:
You need to stop ntpd, use date to go back when the web server cert is still valid, then restart certmonger. That generally will do it.
Hi Rob, I already tried with date few hours before expiration, with no luck: certmonger cannot perform cert update.
Queued requests remain in "SUBMITTING" status, I tried to launch certmonger in foreground (-d 10), here's a snippet of the output:
2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state 'HAVE_CSR'
2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409').
2018-01-08 01:17:09 [6235] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic Crypto Services).
2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'.
2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname ("Server-Cert").
2018-01-08 01:17:09 [6235] Located its private key.
2018-01-08 01:17:09 [6235] Recovered public key from private key.
2018-01-08 01:17:09 [6235] Key is an RSA key.
2018-01-08 01:17:09 [6235] Key size is 2048.
2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'.
2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto Services", not "NSS Certificate DB", skipping.
2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'.
2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert".
2018-01-08 01:17:10 [6251] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state 'HAVE_KEYINFO'
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'NEED_CSR'
2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:10 [6000] Started Request9('20171205091409').
2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for 0x561b59c82750:0x561b59c98940.
2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state 'GENERATING_CSR'
2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on traffic from 27.
2018-01-08 01:17:11 [6263] Read value "0" from "/proc/sys/crypto/fips_enabled".
2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode.
2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic Crypto Services).
2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'.
2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname ("Server-Cert").
2018-01-08 01:17:11 [6263] Located its private key.
2018-01-08 01:17:11 [6263] Recovered public key from private key.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'HAVE_CSR'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'NEED_TO_SUBMIT'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state 'SUBMITTING'
2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on traffic from 31.
^C2018-01-08 01:17:14 [6000] Got signal 2.
2018-01-08 01:17:14 [6000] Shutting down.
I'm stuck...
Thank you for your time.
rob
Is there a way to force update?
Here's my output of "getcert list":
Number of certificates and requests being tracked: 9.
Request ID '20170915095009':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: SelfSign
    issuer: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2018-09-15 09:50:10 UTC
    principal name: krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL@LINUX.UNICLOUDIDATTICA.LOCAL
    certificate template/profile: KDCs_PKINIT_Certs
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20171205091347':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2019-11-21 07:19:44 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171205091349':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2019-11-21 07:18:07 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171205091350':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2019-11-21 07:19:43 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171205091351':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2038-01-08 00:16:58 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171205091352':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2019-11-21 07:18:14 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20171205091353':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2019-11-20 10:02:31 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20171205091357':
    status: CA_UNREACHABLE
    ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2018-01-08 08:24:22 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv LINUX-UNICLOUDIDATTICA-LOCAL
    track: yes
    auto-renew: yes
Request ID '20171205091409':
    status: CA_UNREACHABLE
    ca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
    subject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
    expires: 2018-01-08 08:33:05 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Thanks in advance,
Giulio
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
--
Giulio Casella
giulio at di.unimi.it
System and network architect
Computer Science Dept. - University of Milano
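Reading a long `getcert list` dump like the one above by eye is error-prone. The Python script below is an added example, not part of this thread and not code from FreeIPA or certmonger: it parses that output format and flags every request that is expired, close to expiry, stuck, carrying a ca-error, or in any state other than MONITORING. SAMPLE is a constructed excerpt of the output quoted above (three of the nine requests, with fields trimmed), and REFERENCE_TIME is a constructed evaluation time.

```python
"""Triage `getcert list` output: flag tracked certificates that are expired,
about to expire, stuck, or whose certmonger request sits in an error state.
Added example for this thread, not code from FreeIPA or certmonger.  SAMPLE
is a constructed excerpt of the output quoted above (values copied, most
requests omitted)."""
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20171205091352':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL
\texpires: 2019-11-21 07:18:14 UTC
\tpre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
\tauto-renew: yes
Request ID '20171205091357':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
\texpires: 2018-01-08 08:24:22 UTC
\tpre-save command:
\tauto-renew: yes
Request ID '20171205091409':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
\texpires: 2018-01-08 08:33:05 UTC
\tpre-save command:
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
# Constructed reference time: roughly when the thread was written.
REFERENCE_TIME = datetime(2018, 1, 9, 12, 0, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return {request_id: {field: value}} parsed from `getcert list` output."""
    requests, current = {}, None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = requests.setdefault(m.group(1), {})
            continue
        line = raw.strip()
        if current is None or not line:
            continue            # header line or blank
        # Values may contain ": " themselves (URLs, error text): split once.
        key, sep, value = line.partition(": ")
        if not sep:             # empty field such as "pre-save command:"
            key, value = line.rstrip(":"), ""
        current[key] = value
    return requests


def triage(text, now=REFERENCE_TIME, warn_within=timedelta(days=28)):
    """Map request id -> list of findings (empty list == healthy).
    Findings: 'status=<X>' for anything but MONITORING, 'ca-error: ...',
    'stuck', 'expired' and 'expires-soon' (within warn_within of now)."""
    report = {}
    for rid, f in parse_getcert_list(text).items():
        findings = []
        if f.get("status") != "MONITORING":
            findings.append("status=" + f.get("status", "?"))
        if f.get("ca-error"):
            findings.append("ca-error: " + f["ca-error"])
        if f.get("stuck") == "yes":
            findings.append("stuck")
        if f.get("expires"):
            exp = datetime.strptime(f["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if exp <= now:
                findings.append("expired")
            elif exp - now <= warn_within:
                findings.append("expires-soon")
        report[rid] = findings
    return report


if __name__ == "__main__":
    for rid, findings in triage(SAMPLE).items():
        print(rid, "OK" if not findings else "; ".join(findings))
```

Run against real output with `getcert list | python3 triage.py` after replacing SAMPLE with `sys.stdin.read()`; the 28-day warning window matches the point at which certmonger itself would normally have started renewal attempts, so anything reported as expires-soon without a ca-error deserves a look at why no renewal has been issued yet.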
On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote:
You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), not the FreeIPA DIT. You should check on a CA replica.
I don't have a replica right now (I'm in the middle of a disaster!)...
Some more detail: when the system date is set to an interval in which all certificates are valid, certmonger leaves requests in the "SUBMITTING" state. Outside this interval requests go into the "CA_UNREACHABLE" state (a POST to https://$SERVER/ipa/xml gives HTTP 500).
This whole issue began with a (damn!) "ipa-cacert-manage renew", which I tried because the service certificates weren't being updated by certmonger.
Now the question is: is there a way to roll back this operation in order to perform the date-in-the-past trick?
TIA, Giulio
On Tue, Jan 09, 2018 at 01:30:24PM +0100, Giulio Casella wrote:
On 09/01/2018 13:15, Fraser Tweedale via FreeIPA-users wrote:
You are looking for an entry in the Dogtag CA DIT (base DN `o=ipaca'), not the FreeIPA DIT. You should check on a CA replica.
I don't have a replica right now (I'm in the middle of a disaster!)...
"CA replica" just means any IPA master that has the Dogtag CA installed.
You have a Dogtag CA. That CA uses an LDAP database, which has basedn `o=ipaca'. That database should have the entry I indicated, whose `userCertificate' attribute we are interested in.
Some more detail: when the system date is set to an interval in which all certificates are valid, certmonger leaves requests in the "SUBMITTING" state. Outside this interval requests go into the "CA_UNREACHABLE" state (a POST to https://$SERVER/ipa/xml gives HTTP 500).
This whole issue began with a (damn!) "ipa-cacert-manage renew", which I tried because the service certificates weren't being updated by certmonger.
Now the question is: is there a way to roll back this operation in order to perform the date-in-the-past trick?
There's no simple rollback, but I'm confident the situation is recoverable. It will require a methodical examination of the state of the system. This will take time (especially over email, across timezones).
Here are some notes I made about how cert renewal works in FreeIPA, what the different certs are used for, things that have to line up and troubleshooting ideas. It is not comprehensive but perhaps it will help. https://github.com/frasertweedale/talks/blob/master/2017-11-01-ipa-cert-rene...
Cheers, Fraser
TIA, Giulio
On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote:
"CA replica" just means any IPA master that has the Dogtag CA installed.
You have a Dogtag CA. That CA uses an LDAP database, which has basedn `o=ipaca'. That database should have the entry I indicated, whose `userCertificate' attribute we are interested in.
Ok, sorry for my low IPA CA knowledge :-)
I've got 4 userCertificate entries in that entry; the last one is the same cert as /var/lib/ipa/ra-agent.pem
On Tue, Jan 09, 2018 at 02:22:26PM +0100, Giulio Casella via FreeIPA-users wrote:
On 09/01/2018 14:02, Fraser Tweedale via FreeIPA-users wrote:
"CA replica" just means any IPA master that has the Dogtag CA installed.
You have a Dogtag CA. That CA uses an LDAP database, which has basedn `o=ipaca'. That database should have the entry I indicated, whose `userCertificate' attribute we are interested in.
Ok, sorry for my low IPA CA knowledge :-)
No problem.
I've got 4 userCertificate entries in that entry; the last one is the same cert as /var/lib/ipa/ra-agent.pem
Remove all the userAttribute values except the one that matches ra-agent.pem.
You also suggested earlier to update that entry in the IPA DIT under `cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is only one CA master in the topology (the one you're working on) you can ignore this. Otherwise you should either update its userCertificate value with the content of ra_agent.pem, OR you can simply delete the entry.
Do this all while the clock is set back to when the certs are all valid. Then restart IPA; confirm that all the components start properly, then attempt to renew the service certificates.
See how you go with that. Hopefully it will be progress, at least.
Cheers, Fraser
On 09/01/2018 14:42, Fraser Tweedale wrote:
Remove all the userAttribute values except the one that matches ra-agent.pem.
Removed, only the matching one remains.
You also suggested earlier to update that entry in the IPA DIT under `cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is only one CA master in the topology (the one you're working on) you can ignore this. Otherwise you should either update its userCertificate value with the content of ra_agent.pem, OR you can simply delete the entry.
Do this all while the clock is set back to when the certs are all valid. Then restart IPA; confirm that all the components start properly, then attempt to renew the service certificates.
Done, ipactl status reports everything running, but certificates don't renew. Looking at certmonger (in debug mode) I can see:
"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused). "
2018-01-08 01:03:31 [21961] Certificate not (yet?) issued.
2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state 'CA_UNREACHABLE'
even after a getcert resubmit -i 20171205091409
Do I have to try removing and re-adding the service certificates from certmonger monitoring?
See how you go with that. Hopefully it will be progress, at least.
Cheers, Fraser
Giulio Casella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Done, ipactl status reports everything running,
That's not correct, see below.
but certificates don't renew. Looking at certmonger (in debug mode) I can see:
"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
internal error from apache
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused).
no apache running
Do I have to try removing and re-adding the service certificates from certmonger monitoring?
No - try to find out the errors above. Leave certmonger alone until you fixed apache/dogtag.
Jochen
On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
Giulio Casella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Done, ipactl status reports everything running,
That's not correct, see below.
but certificates don't renew. Looking at certmonger (in debug mode) I can see:
"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
internal error from apache
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused).
no apache running
I don't think so. HTTP 500 doesn't mean apache is not running, but an internal server error. Indeed I can reach the administration web UI. Login fails due to time skew, but apache is fully responsive.
Apache returns 500 when something behind the scenes fails (maybe the pki-tomcat part, following a POST to the API).
Do I have to try removing and re-adding the service certificates from certmonger monitoring?
No - try to find out the errors above. Leave certmonger alone until you fixed apache/dogtag.
Jochen
Giulio Casella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
On 09/01/2018 18:19, Jochen Hein via FreeIPA-users wrote:
Giulio Casella via FreeIPA-users freeipa-users@lists.fedorahosted.org writes:
Done, ipactl status reports everything running,
That's not correct, see below.
but certificates don't renew. Looking at certmonger (in debug mode) I can see:
"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
internal error from apache
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused).
no apache running
I don't think so. HTTP 500 doesn't mean apache is not running, but an internal server error. Indeed I can reach the administration web UI. Login fails due to time skew, but apache is fully responsive.
Have a look again: Host idc01 delivers 500 - internal error. Host idc02 has no apache running ("connection refused").
Apache returns 500 when something behind the scenes fails (maybe the pki-tomcat part, following a POST to the API).
Yes, try fixing idc01 - most probably dogtag/pki-tomcat there.
Jochen
On 09/01/2018 22:40, Jochen Hein via FreeIPA-users wrote:
Have a look again: Host idc01 delivers 500 - internal error. Host idc02 has no apache running ("connection refused").
Correct, but I'm ignoring idc01 right now (more deeply corrupted), focusing on idc01. The next goal is to reinstall the replica from scratch on idc02 (should be straightforward).
Giulio
Fraser, some more info:
In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
I think this is the HTTP 500 reported by certmonger.
And in /var/log/pki/pki-tomcat/localhost.2018-01-08.log:
Jan 08, 2018 2:08:27 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/pkix-cert
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
[...snip...]
On 09/01/2018 15:38, Giulio Casella via FreeIPA-users wrote:
On 09/01/2018 14:42, Fraser Tweedale wrote:
Remove all the userAttribute values except the one that matches ra-agent.pem.
Removed, only the matching one remains.
You also suggested earlier to update that entry in the IPA DIT under `cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is only one CA master in the topology (the one you're working on) you can ignore this. Otherwise you should either update its userCertificate value with the content of ra_agent.pem, OR you can simply delete the entry.
Do this all while the clock is set back to when the certs are all valid. Then restart IPA; confirm that all the components start properly, then attempt to renew the service certificates.
Done, ipactl status reports everything running, but certificates don't renew. Looking at certmonger (in debug mode) I can see:
"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server. Request failed with status 500: Non-2xx response from CA REST API: 500. ).
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused). "
2018-01-08 01:03:31 [21961] Certificate not (yet?) issued.
2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state 'CA_UNREACHABLE'
even after a getcert resubmit -i 20171205091409
Do I have to try removing and re-adding the service certificates from certmonger monitoring?
See how you go with that. Hopefully it will be progress, at least.
Cheers, Fraser
On 10/01/2018 10:49, Giulio Casella via FreeIPA-users wrote:
Fraser, some more info:
In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
It seems that someone is looking for an authority with UUID 13b94be3-f918-42e3-abeb-a2210150f28d.
A little test with the REST API (via curl), calling /ca/rest/authorities, reports an XML collection of authorities consisting of only one authority, with UUID 87f9c5e4-c7e8-4c4d-ac5e-5ee87a915576 (different from the one called!)
On 10/01/2018 11:01, Giulio Casella via FreeIPA-users wrote:
On 10/01/2018 10:49, Giulio Casella via FreeIPA-users wrote:
Fraser, some more info:
In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
It seems that someone is looking for an authority with UUID 13b94be3-f918-42e3-abeb-a2210150f28d.
A little test with the REST API (via curl), calling /ca/rest/authorities, reports an XML collection of authorities consisting of only one authority, with UUID 87f9c5e4-c7e8-4c4d-ac5e-5ee87a915576 (different from the one called!)
BINGO! I tried substituting the wrong UUID in ipaCaId (dn: cn=ipa,cn=cas,cn=ca,dc=my,dc=dom,dc=ain) with the correct one in LDAP, and everything seems to work now.
Thank you Fraser and everyone who helped me solve this issue.
Cheers, Giulio
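The resolution above, an ipaCaId in the IPA DIT that no Dogtag authority entry matches, can be checked mechanically before anything is edited by hand. The Python below is an added example, not code from FreeIPA or Dogtag: it reads LDIF exports of the IPA CA entry and of the Dogtag authority entries, reports every ipaCaId with no matching authority, and extracts from Tomcat access-log lines the authority ids whose /cert lookup did not return 2xx, so the two findings can be correlated. The LDIF fragments and log lines are constructed from values quoted in the thread, the IPA DN keeps the placeholder base dc=my,dc=dom,dc=ain used in the post, and the attribute name authorityID on the Dogtag entries is an assumption.

```python
"""Cross-check the CA id FreeIPA stores for a CA (ipaCaId) against the
lightweight-CA authority entries Dogtag actually has, and pick out the failed
REST lookups that such a mismatch leaves in the Tomcat access log.
Added example for this thread, not code from FreeIPA or Dogtag.  The LDIF
fragments and log lines are constructed; UUIDs and DNs are those quoted in
the thread.  Assumption: Dogtag authority entries hold the UUID in an
attribute named 'authorityID'."""
import re

# Constructed: IPA-side CA entry, carrying the dangling ipaCaId from the thread.
IPA_CA_LDIF = """\
dn: cn=ipa,cn=cas,cn=ca,dc=my,dc=dom,dc=ain
objectClass: ipaca
cn: ipa
ipaCaId: 13b94be3-f918-42e3-abeb-a2210150f28d
"""

# Constructed: the one authority entry in the Dogtag DIT (attribute name assumed).
DOGTAG_AUTHORITIES_LDIF = """\
dn: cn=87f9c5e4-c7e8-4c4d-ac5e-5ee87a915576,ou=authorities,ou=ca,o=ipaca
objectClass: authority
cn: 87f9c5e4-c7e8-4c4d-ac5e-5ee87a915576
authorityID: 87f9c5e4-c7e8-4c4d-ac5e-5ee87a915576
authorityDN: CN=Certificate Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
"""

# Constructed: access-log lines in the shape quoted in the thread.
ACCESS_LOG = """\
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
"""

AUTH_CERT_RE = re.compile(
    r'"GET /ca/rest/authorities/([0-9a-f-]{36})/cert HTTP/[\d.]+" (\d{3}) ')


def parse_ldif(text):
    """Minimal LDIF reader: one {attr: [values]} dict per entry.  Handles
    folded lines (leading space); base64 ('attr:: ...') values are skipped."""
    entries, current, prev = [], None, None
    for line in text.splitlines():
        if not line.strip():                      # blank line ends an entry
            current, prev = None, None
        elif line.startswith(" ") and current is not None and prev:
            current[prev][-1] += line[1:]         # continuation of previous value
        else:
            attr, sep, value = line.partition(": ")
            if not sep or attr.endswith(":"):
                continue
            if attr == "dn":
                current = {}
                entries.append(current)
            if current is not None:
                current.setdefault(attr, []).append(value)
                prev = attr
    return entries


def failed_authority_lookups(log_text):
    """Authority ids whose /ca/rest/authorities/<id>/cert call was not 2xx."""
    failed = set()
    for line in log_text.splitlines():
        m = AUTH_CERT_RE.search(line)
        if m and not m.group(2).startswith("2"):
            failed.add(m.group(1))
    return failed


def check_ca_ids(ipa_ldif, dogtag_ldif, log_text):
    """Compare every ipaCaId in the IPA DIT with the authority ids Dogtag
    knows; a dangling id is one Dogtag cannot serve, which is exactly the
    request the access log shows failing with 500."""
    known = {v for e in parse_ldif(dogtag_ldif) for v in e.get("authorityID", [])}
    referenced = {e["cn"][0]: e["ipaCaId"][0]
                  for e in parse_ldif(ipa_ldif) if "ipaCaId" in e}
    return {
        "dogtag_authorities": known,
        "dangling_ipaCaId": {n: c for n, c in referenced.items() if c not in known},
        "failed_in_log": failed_authority_lookups(log_text),
    }


if __name__ == "__main__":
    result = check_ca_ids(IPA_CA_LDIF, DOGTAG_AUTHORITIES_LDIF, ACCESS_LOG)
    for name, cid in result["dangling_ipaCaId"].items():
        print(f"CA '{name}': ipaCaId {cid} has no authority entry in Dogtag")
    print("failed authority lookups in access log:", sorted(result["failed_in_log"]))
```

On a live system the two LDIF inputs would come from ldapsearch against the IPA suffix (cn=cas,cn=ca,<basedn>) and against o=ipaca (ou=authorities,ou=ca,o=ipaca), the latter with Directory Manager or the CA's own bind credentials. The script only reads and compares; keeping the check read-only is the right default before correcting an ipaCaId value by hand, since a wrong edit there breaks every subsequent certificate request through that CA.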
On Wed, Jan 10, 2018 at 01:45:04PM +0100, Giulio Casella wrote:
On 10/01/2018 11:01, Giulio Casella via FreeIPA-users wrote:
On 10/01/2018 10:49, Giulio Casella via FreeIPA-users wrote:
Fraser, some more info:
In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
It seems that someone is looking for an authority with UUID 13b94be3-f918-42e3-abeb-a2210150f28d.
A little test with the REST API (via curl), calling /ca/rest/authorities, reports an XML collection of authorities consisting of only one authority, with UUID 87f9c5e4-c7e8-4c4d-ac5e-5ee87a915576 (different from the one called!)
BINGO! I tried substituting the wrong UUID in ipaCaId (dn: cn=ipa,cn=cas,cn=ca,dc=my,dc=dom,dc=ain) with the correct one in LDAP, and everything seems to work now.
Thank you Fraser and everyone who helped me solve this issue.
Cheers, Giulio
Great! I'm glad you got to the bottom of it. Just curious - were there / are there multiple authority entries in LDAP underneath ou=authorities,ou=ca,o=ipaca?
I have seen this sort of problem once before, when experimenting with changing the CA Subject DN. I wonder if the CA certificate renewal that started all this off worked properly... are you using an externally signed CA cert?
Thanks, Fraser
On 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users wrote:
Great! I'm glad you got to the bottom of it. Just curious - were there / are there multiple authority entries in LDAP underneath ou=authorities,ou=ca,o=ipaca?
No, there weren't (now, after solving the initial problem, I set up a replica with --setup-ca, and I have 2 authorities).
I have seen this sort of problem once before, when experimenting with changing the CA Subject DN. I wonder if the CA certificate renewal that started all this off worked properly... are you using an externally signed CA cert?
No, I'm using only the IPA internal CA. I really don't know where it all started; for sure my certificates weren't renewed, and when I found these issues, while trying to resolve them, I issued an ipa-cacert-manage renew (I promise, I won't do it anymore!)
Thanks again, Giulio
On Wed, Jan 10, 2018 at 04:02:57PM +0100, Giulio Casella wrote:
On 10/01/2018 15:34, Fraser Tweedale via FreeIPA-users wrote:
Great! I'm glad you got to the bottom of it. Just curious - were there / are there multiple authority entries in LDAP underneath ou=authorities,ou=ca,o=ipaca?
No, there weren't (now, after solving the initial problem, I set up a replica with --setup-ca, and I have 2 authorities).
I have seen this sort of problem once before, when experimenting with changing the CA Subject DN. I wonder if the CA certificate renewal that started all this off worked properly... are you using an externally signed CA cert?
No, I'm using only the IPA internal CA. I really don't know where it all started; for sure my certificates weren't renewed, and when I found these issues, while trying to resolve them, I issued an ipa-cacert-manage renew (I promise, I won't do it anymore!)
No worries, thanks for providing the additional info. I am mystified about how the wrong ipaCaId value got into your IPA database but I am glad that everything is working for you now.
Cheers, Fraser
Thanks again, Giulio