Having cert issues on a CentOS 6 IPA 3 server:
ipa: ERROR: Kerberos error: ('Unspecified GSS failure. Minor code may provide more information', 851968)/('KDC returned error string: PROCESS_TGS', -1765328324)
ipa config-mod --enable-migration=TRUE
ipa: ERROR: cannot connect to u'https://lax4ipa01.mia.bill1st.local/ipa/xml': (SSL_ERROR_BAD_CERT_DOMAIN) Unable to communicate securely with peer: requested domain name does not match the server's certificate.
Old server, pretty much can't register any new clients to it. Willing to pay for support for migration help.
Version/Release/Distribution
ipa-server-3.0.0-47.el6.centos.x86_64
ipa-pki-ca-theme-9.0.3-7.el6.noarch
python-iniparse-0.3.1-2.1.el6.noarch
ipa-python-3.0.0-47.el6.centos.x86_64
ipa-pki-common-theme-9.0.3-7.el6.noarch
ipa-admintools-3.0.0-47.el6.centos.x86_64
ipa-server-selinux-3.0.0-47.el6.centos.x86_64
device-mapper-multipath-0.4.9-87.el6.x86_64
libipa_hbac-1.12.4-47.el6.x86_64
libipa_hbac-python-1.12.4-47.el6.x86_64
device-mapper-multipath-libs-0.4.9-87.el6.x86_64
sssd-ipa-1.12.4-47.el6.x86_64
ipa-client-3.0.0-47.el6.centos.x86_64
root@lax4ipa01.mia.bill1st:~$ cat /etc/ipa/ca.crt
root@lax4ipa01.mia.bill1st:~$ certutil -L -d /etc/httpd/alias

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Server-Cert                                                  u,u,u
ipaCert                                                      u,u,u
MIA.BILL1ST.LOCAL IPA CA                                     CT,C,C
getcert list
Number of certificates and requests being tracked: 8.
Request ID '20141125183905':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=CA Audit,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:15:13 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183906':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=OCSP Subsystem,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183907':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=CA Subsystem,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183908':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=IPA RA,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20141125183909':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141125183922':
    status: CA_UNREACHABLE
    ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-30 17:14:19 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MIA-BILL1ST-LOCAL
    track: yes
    auto-renew: yes
Request ID '20141125183953':
    status: CA_UNREACHABLE
    ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-30 17:14:22 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20141125184220':
    status: CA_UNREACHABLE
    ca-error: Server at https://lax4ipa01.mia.bill1st.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.lax.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2019-05-03 14:41:19 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
root@lax4ipa01.mia.bill1st:~$
Hi Robert,
On Tue, Jan 22, 2019 at 9:16 PM Robert Alba via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
getcert list
Number of certificates and requests being tracked: 8.
Request ID '20141125183905':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=CA Audit,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:15:13 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183906':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=OCSP Subsystem,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
Okay, so your CA subsystem certificates expired on 2018-10-08
And since the cert is expired IPA could not restart services, which explains the SSL connect error you get now.
What you might want to try at this point is to go back in time on the original master (don't do it on other replicas) and run the following to get certmonger to renew your certs:
* stop all FreeIPA services: ipactl stop
* make sure ntpd is stopped
* go back in time to 2018-10-06 - two days before the expiring date of your certificates
* DO NOT RESTART IPA AT THIS POINT
* restart the two services for dirserv
* service named restart
* service pki-cad restart
* service httpd restart
* service certmonger restart
And then monitor your certificates using the following command: getcert list
At some point (you might need to be very patient) it should renew your certificates.
Please post the results or questions as a reply to this email.
Regards François
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
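The triage in the reply above (spot the CA subsystem certificates that expired first, explain the CA_UNREACHABLE errors on the certificates the IPA CA renews, and pick a clock-rollback date two days before the earliest expiry) can be run mechanically over `getcert list` output. The following is an added example, not code from the thread or from FreeIPA/certmonger; it assumes the "Request ID" / "key: value" layout printed in the thread, and the constructed sample, its host ipa.example.test and realm EXAMPLE.TEST are placeholders.

```python
"""Triage a `getcert list` dump: which tracked certs have expired, which are
blocked on the CA, and the date the clock would have to be set back to.
Added example, not from the thread or FreeIPA/certmonger; it assumes the
"Request ID" / "key: value" layout shown in the thread and a constructed sample.
"""
import re
from datetime import datetime, timedelta, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
ROLLBACK_MARGIN = timedelta(days=2)  # the reply suggests two days before expiry
DOGTAG_AGENT = "dogtag-ipa-renew-agent"  # renews the CA's own subsystem certs

# Constructed sample (placeholder realm EXAMPLE.TEST): an expired CA subsystem
# cert, plus a still-valid httpd cert whose renewal fails because the CA is down.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20141125183906':
\tstatus: MONITORING
\tca-error: Internal error: no response to "http://ipa.example.test:9180/ca/ee/ca/profileSubmit?profileId=caS...".
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2018-10-08 17:14:13 UTC
\tpre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
Request ID '20141125184220':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction. SSL connect error).
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2019-05-03 14:41:19 UTC
\tpre-save command:
"""


def parse_getcert_list(text):
    """Split the dump into one dict per tracked request, keyed by field name."""
    requests, current = [], None
    for line in text.splitlines():
        header = re.match(r"Request ID '([^']+)':", line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        if current is None:
            continue  # preamble such as "Number of certificates ..."
        key, sep, value = line.strip().partition(":")
        if sep:
            current[key] = value.strip()  # empty for "pre-save command:"
    return requests


def nickname(req):
    """The NSS nickname certmonger tracks, falling back to the subject DN."""
    found = re.search(r"nickname='([^']+)'", req.get("certificate", ""))
    return found.group(1) if found else req.get("subject", "?")


def assess(text, as_of):
    """Classify each tracked cert as of `as_of` ("YYYY-MM-DD"); return
    (rows, rollback) where rollback is two days before the earliest expiry."""
    now = datetime.strptime(as_of, "%Y-%m-%d")
    rows, expiries = [], []
    for req in parse_getcert_list(text):
        expires = datetime.strptime(req["expires"], EXPIRES_FMT)
        expiries.append(expires)
        rows.append({
            "nickname": nickname(req),
            "renewed_by": req.get("CA", "?"),
            "status": req.get("status", "?"),
            "expires": expires.strftime("%Y-%m-%d"),
            "expired": expires <= now,
            "ca_error": req.get("ca-error", ""),
        })
    rollback = (min(expiries) - ROLLBACK_MARGIN).strftime("%Y-%m-%d")
    return rows, rollback


def report(rows, rollback):
    """Render a short triage table and the suggested rollback date."""
    lines = []
    for r in rows:
        flag = "EXPIRED" if r["expired"] else "valid  "
        lines.append(f"{flag} {r['expires']} {r['status']:<14} {r['nickname']} (via {r['renewed_by']})")
        if r["ca_error"]:
            lines.append(f"        ca-error: {r['ca_error'][:72]}")
    if any(r["expired"] and r["renewed_by"] == DOGTAG_AGENT for r in rows):
        lines.append("CA subsystem certs expired: Dogtag cannot start, so IPA-issued certs report CA_UNREACHABLE until those are renewed first")
    lines.append(f"earliest expiry minus {ROLLBACK_MARGIN.days} days: set clock to {rollback}")
    return "\n".join(lines)


if __name__ == "__main__":
    today = datetime.now(timezone.utc).strftime("%Y-%m-%d")
    print(report(*assess(SAMPLE, today)))
```

On a real master, pipe `getcert list` into `assess` in place of SAMPLE; the rollback date it prints is the one to compare against the reply's suggested 2018-10-06 before touching the clock.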
waited 2-3 hours
Here is the output:
getcert list|more
Number of certificates and requests being tracked: 8.
Request ID '20141125183905':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=CA Audit,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:15:13 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183906':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=OCSP Subsystem,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183907':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=CA Subsystem,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
    post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20141125183908':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=IPA RA,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20141125183909':
    status: MONITORING
    ca-error: Internal error: no response to "http://lax4ipa01.mia.bill1st.local:9180/ca/ee/ca/profileSubmit?profileId=caS...".
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-08 17:14:13 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20141125183922':
    status: CA_UNREACHABLE
    ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MIA.BILL1ST.LOCAL'.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MIA-BILL1ST-LOCAL',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-30 17:14:19 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv MIA-BILL1ST-LOCAL
    track: yes
    auto-renew: yes
Request ID '20141125183953':
    status: CA_UNREACHABLE
    ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MIA.BILL1ST.LOCAL'.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.mia.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2018-10-30 17:14:22 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
    track: yes
    auto-renew: yes
Request ID '20141125184220':
    status: CA_UNREACHABLE
    ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm 'MIA.BILL1ST.LOCAL'.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MIA.BILL1ST.LOCAL
    subject: CN=lax4ipa01.lax.bill1st.local,O=MIA.BILL1ST.LOCAL
    expires: 2019-05-03 14:41:19 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
I'd also like to mention that I cloned the master IPA server. I gave it a new IP and updated the host entry in /etc/hosts. I didn't want to take down the original master since people are still authenticating to it at the moment.
On Wed, Jan 23, 2019 at 7:09 PM Robert Alba via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I'd also like to mention that I cloned the master IPA server. I gave it a new IP and updated the host entry in /etc/hosts.
Was the hostname changed? Please provide the output of:
* hostname
* ls /etc/dirserv
Also search for any error in catalina.out. It looks like the CA didn't start properly and it is a tomcat application.
François Cami via FreeIPA-users wrote:
On Wed, Jan 23, 2019 at 7:09 PM Robert Alba via FreeIPA-users freeipa-users@lists.fedorahosted.org wrote:
I'd also like to mention that I cloned the master IPA server. I gave it a new IP and updated the host entry in /etc/hosts.
Was the hostname changed? Please provide the output of:
- hostname
- ls /etc/dirserv
Also search for any error in catalina.out. It looks like the CA didn't start properly and it is a tomcat application.
The CA debug log and/or selftest log may also contain information on why the CA didn't start.
rob
I kept the hostname the same and just changed the IP:
10.26.26.102 lax4ipa01.mia.bill1st.local
I disabled IPA and NTP from starting after I cloned it.
From /var/log/pki-ca/catalina.out, I pasted some errors:
CMS Warning: FAILURE: Cannot build CA chain. Error java.security.cert.CertificateException: Certificate is not a PKCS #11 certificate|FAILURE: authz instance DirAclAuthz initialization failed and skipped, error=Property internaldb.ldapconn.port missing value|
Nov 25, 2014 6:38:25 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
SEVERE: A web application appears to have started a thread named [LDAPConnThread-13 ldap://lax4ipa01.mia.bill1st.local:7389] but has failed to stop it. This is very likely to create a memory leak.
Nov 25, 2014 6:38:25 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@4fb33717]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
SEVERE: A web application appears to have started a thread named [LDAPConnThread-15 ldap://lax4ipa01.mia.bill1st.local:7389] but has failed to stop it. This is very likely to create a memory leak.
May 12, 2015 4:51:36 PM org.apache.catalina.loader.WebappClassLoader clearReferencesThreads
May 12, 2015 4:51:36 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
SEVERE: A web application created a ThreadLocal with key of type [null] (value [com.netscape.cmscore.util.Debug$1@4338bcbc]) and a value of type [java.text.SimpleDateFormat] (value [java.text.SimpleDateFormat@d1b317c9]) but failed to remove it when the web application was stopped. To prevent a memory leak, the ThreadLocal has been forcibly removed.
May 12, 2015 4:51:36 PM org.apache.catalina.loader.WebappClassLoader clearThreadLocalMap
Internal Database Error encountered: Could not connect to LDAP server host lax4ipa01.mia.bill1st.local port 7389 Error netscape.ldap.LDAPException: failed to connect to server ldap://lax4ipa01.mia.bill1st.local:7389 (91)
Sep 01, 2018 12:00:59 AM org.apache.coyote.http11.Http11Protocol start
Hostname is the same, I just gave it a different IP and updated the /etc/hosts file: lax4ipa01.mia.bill1st.local
root@lax4ipa01.mia.bill1st:~$ tail /var/log/pki-ca/catalina.out
Oct 01, 2018 12:13:33 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9444
Oct 01, 2018 12:13:33 AM org.apache.coyote.http11.Http11Protocol start
INFO: Starting Coyote HTTP/1.1 on http-9446
Oct 01, 2018 12:13:33 AM org.apache.jk.common.ChannelSocket init
INFO: JK: ajp13 listening on /0.0.0.0:9447
Oct 01, 2018 12:13:33 AM org.apache.jk.server.JkMain start
INFO: Jk running ID=0 time=0/64 config=null
Oct 01, 2018 12:13:33 AM org.apache.catalina.startup.Catalina start
INFO: Server startup in 3699 ms