hi,
after patching our centos 7 hosts to the latest version today, one of the two replicas is having trouble.
[root@kdc2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: STOPPED
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
smb Service: STOPPED
winbind Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
and after digging in the logs I come across this in /var/log/ipaupgrade.log:
2019-11-20T18:18:29Z DEBUG stderr=
2019-11-20T18:18:31Z INFO Certmonger certificate renewal configuration already up-to-date
2019-11-20T18:18:31Z INFO [Enable PKIX certificate path discovery and validation]
2019-11-20T18:18:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-11-20T18:18:31Z INFO PKIX already enabled
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to modify profiles]
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to manage lightweight CAs]
2019-11-20T18:18:31Z INFO [Ensuring Lightweight CAs container exists in Dogtag database]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740162547472
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc24b638>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740162547472
2019-11-20T18:18:31Z INFO [Adding default OCSP URI configuration]
2019-11-20T18:18:31Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2019-11-20T18:18:31Z INFO [Migrating certificate profiles to LDAP]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc289b00>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG request GET https://kdc2.l.domain.it:8443/ca/rest/account/login
2019-11-20T18:18:31Z DEBUG request body ''
2019-11-20T18:18:31Z DEBUG response status 401
2019-11-20T18:18:31Z DEBUG response headers Server: Apache-Coyote/1.1 Cache-Control: private Expires: Thu, 01 Jan 1970 01:00:00 CET WWW-Authenticate: Basic realm="Certificate Authority" Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 951 Date: Wed, 20 Nov 2019 18:18:31 GMT
2019-11-20T18:18:31Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-11-20T18:18:31Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-11-20T18:18:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2027, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2033, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2019-11-20T18:18:31Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-11-20T18:18:31Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
In this kdc I see these errors in getcert list:
Request ID '20190220182014':
  status: MONITORING
  ca-error: Invalid cookie: u''
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=L.DOMAIN.IT
  subject: CN=CA Audit,O=L.DOMAIN.IT
  expires: 2019-12-05 13:58:24 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190220182015':
  status: MONITORING
  ca-error: Invalid cookie: u''
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=L.DOMAIN.IT
  subject: CN=OCSP Subsystem,O=L.DOMAIN.IT
  expires: 2019-12-05 13:58:24 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190220182016':
  status: MONITORING
  ca-error: Invalid cookie: u''
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=L.DOMAIN.IT
  subject: CN=CA Subsystem,O=L.DOMAIN.IT
  expires: 2019-12-05 13:58:24 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20190220182018':
  status: MONITORING
  ca-error: Invalid cookie: u''
  stuck: no
  key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
  certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=L.DOMAIN.IT
  subject: CN=IPA RA,O=L.DOMAIN.IT
  expires: 2019-12-05 13:58:44 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20190220182019':
  status: MONITORING
  ca-error: Server at "https://kdc2.l.domain.it:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=L.DOMAIN.IT
  subject: CN=kdc2.l.domain.it,O=L.DOMAIN.IT
  expires: 2019-12-10 10:57:52 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
  pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
  post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
I still have a working replica, so I could just reinstall and have a working set in a couple of minutes, but I would like to find out what has gone wrong.
The systems are running ipa-server-4.6.5-11.el7.centos.3.x86_64
Any help welcome ;-)
Thanks,
-- Groeten, natxo
On 11/20/19 8:13 PM, Natxo Asenjo via FreeIPA-users wrote:
2019-11-20T18:18:31Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-11-20T18:18:31Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
The authentication between IPA and dogtag is done using the ra-agent cert located in /var/lib/ipa/ra-agent.pem. As its expiration date is near, it's possible that the renewal process for this cert started but did not complete successfully.
You need to check the following:
- note the serial ID of the cert, its subject and issuer:
$ openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
You can also check if it has already been renewed (look at the date Not Before / Not After).
If it has been renewed, check the content of the entry uid=ipara,ou=people,o=ipaca:
$ ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca
There are 2 things to check:
- The userCertificate attribute must contain the cert (same value as in ra-agent.pem, in a single line and without the -----BEGIN CERTIFICATE----- and -----END CERTIFICATE----- lines).
- The description attribute must have the following value:
description: 2;<serial number retrieved in previous step>;<issuer>;<subject>
If it's not the case, it's likely that the renewal failed to update the entry and that may be causing your issue. You will need to manually fix the entry using ldapmodify.
After that, restart ipa with ipactl stop / ipactl start and check if certmonger is able to renew the other certs that will expire soon.
HTH, flo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
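The two checks from the reply above, as an added example script (not from the thread or from FreeIPA): it derives the description value Dogtag expects from the on-disk ra-agent.pem and compares description and userCertificate against the uid=ipara entry. It assumes openssl is in PATH, that the entry was saved as an LDIF file, and that the serial fits in shell arithmetic (IPA's CA issues small sequential serials; note that the description carries the serial in decimal while openssl prints it in hex, as the "7 (0x7)" / "2;80;..." values later in the thread show).

```sh
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Assumptions: openssl in
# PATH; the agent entry is supplied as an LDIF file, e.g. saved from
#   ldapsearch -LLL -D "cn=directory manager" -W -b uid=ipara,ou=people,o=ipaca
set -u

# Base64 body of the first certificate in a PEM file, joined to one line.
# This is exactly the value stored in userCertificate:: (base64 of the DER).
pem_body() {
    sed -n '/^-----BEGIN CERTIFICATE-----/,/^-----END CERTIFICATE-----/p' "$1" \
        | grep -v -- '-----' | tr -d '\n\r'
}

# Undo LDIF line folding: a continuation line starts with a single space.
unfold_ldif() {
    awk '/^ / { printf "%s", substr($0, 2); next }
         NR > 1 { printf "\n" }
         { printf "%s", $0 }
         END { printf "\n" }' "$1"
}

# Description Dogtag expects for an agent cert: 2;<decimal serial>;<issuer>;<subject>
# openssl prints the serial in hex; -nameopt RFC2253 prints the DNs in the
# comma-separated, most-specific-first form used in the entry.
expected_description() {
    pem=$1
    serial_hex=$(openssl x509 -noout -serial -in "$pem" | cut -d= -f2)
    if [ "${#serial_hex}" -gt 15 ]; then
        echo "serial $serial_hex too large for shell arithmetic" >&2
        return 1
    fi
    serial_dec=$((0x$serial_hex))
    # sed drops the "issuer=" / "subject=" label (and the extra space that
    # openssl 1.0.x prints after it).
    issuer=$(openssl x509 -noout -issuer -nameopt RFC2253 -in "$pem" | sed 's/^issuer= *//')
    subject=$(openssl x509 -noout -subject -nameopt RFC2253 -in "$pem" | sed 's/^subject= *//')
    printf '2;%s;%s;%s\n' "$serial_dec" "$issuer" "$subject"
}

# Compare the on-disk cert with the entry. Returns 0 when both attributes
# match, 1 when either is wrong (the stale-entry situation described above).
check_ra_agent_entry() {
    pem=$1
    ldif=$2
    status=0

    want=$(expected_description "$pem") || return 1
    have=$(unfold_ldif "$ldif" | sed -n 's/^description: //p')
    if [ "$want" = "$have" ]; then
        echo "description OK: $have"
    else
        echo "description MISMATCH"
        echo "  entry has : ${have:-<none>}"
        echo "  cert needs: $want"
        status=1
    fi

    body=$(pem_body "$pem")
    if [ -z "$body" ]; then
        echo "no certificate found in $pem"
        return 1
    fi
    if unfold_ldif "$ldif" | sed -n 's/^userCertificate:: //p' | grep -qxF -- "$body"; then
        echo "userCertificate OK: entry contains the on-disk certificate"
    else
        echo "userCertificate MISMATCH: on-disk certificate is not in the entry"
        status=1
    fi
    return $status
}

# Usage: sh check_ra_agent.sh /var/lib/ipa/ra-agent.pem ipara.ldif
if [ $# -eq 2 ]; then
    check_ra_agent_entry "$1" "$2"
fi
```

A mismatch in either check is the case where ldapmodify is needed to bring the entry in line with the certificate that certmonger actually wrote.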
hi,
sorry for the delay, priorities shifted a bit.
Let's see, the serial # and validity of the cert in the kdc with problems:
- note the serial ID of the cert, its subject and issuer:
[root@kdc2 ~]# openssl x509 -noout -text -in /var/lib/ipa/ra-agent.pem
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 7 (0x7)
    Signature Algorithm: sha256WithRSAEncryption
        Issuer: O=SUB.DOMAIN.TLD, CN=Certificate Authority
        Validity
            Not Before: Dec 15 13:58:44 2017 GMT
            Not After : Dec  5 13:58:44 2019 GMT
        Subject: O=SUB.DOMAIN.TLD, CN=IPA RA
So it looks like this did not get renewed.
# ldapsearch -D cn=directory\ manager -W -b uid=ipara,ou=people,o=ipaca
Enter LDAP Password:
<snip>
dn: uid=ipara,ou=people,o=ipaca
description: 2;80;CN=Certificate Authority,O=SUB.DOMAIN.TLD;CN=IPA RA,O=SUB.DOMAIN.TLD IT
cn: ipara
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: cmsuser
userCertificate:: <snip>
userCertificate:: <snip>
userstate: 1
usertype: agentType
sn: ipara
uid: ipara
So I have two userCertificates, the first one is the one in the file system on the broken kdc in /var/lib/ipa/ra-agent.pem. The second one is the one in the working kdc.
The serial number is the one on the certificate on the working kdc, which was renewed on Nov 8th successfully.
So do I need to copy the ra-agent.pem and key from the working kdc to the broken kdc?
-- Groeten, natxo
On 11/28/19 10:33 AM, Natxo Asenjo via FreeIPA-users wrote:
So do I need to copy the ra-agent.pem and key from the working kdc to the broken kdc?
Hi, please first make a backup of the files. Copy the ra-agent.pem from the working kdc to the broken kdc, then restart ipa and check if certmonger is able to renew the other certificates. The key file probably didn't change (the renewal uses the same key) so I don't think you need to copy this file.
HTH, flo
On Thu, Nov 28, 2019 at 10:58 AM Florence Blanc-Renaud flo@redhat.com wrote:
please first make a backup of the files. Copy the ra-agent.pem from the working kdc to the broken kdc, then restart ipa and check if certmonger is able to renew the other certificates. The key file probably didn't change (the renewal uses the same key) so I don't think you need to copy this file.
so, this worked ;-), and now ipactl status shows everything is running.
After re-submitting a couple of certificate requests, everything is back to normal.
Thanks Florence, for your assistance. I have learnt a lot too with this blog of your colleague Fraser Tweedale: https://frasertweedale.github.io/blog-redhat/posts/2018-11-20-ca-renewal-mas...
Regards, Natxo
-- Groeten, natxo
On 11/28/19 1:58 PM, Natxo Asenjo via FreeIPA-users wrote:
so, this worked ;-), and now ipactl status shows everything is running.
After re-submitting a couple of certificate requests, everything is back to normal.
Great! Thanks for the update. flo
This now happened to me too.
The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart).
What remains a mystery is **why** this happened.
In my case, we have three CA masters, one is the CA renewal master (of course). Two days ago, linge, the renewal master, renewed a few certificates. Here is a summary of journalctl.
[root@linge ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
sep 29 13:39:52 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:53 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:54 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:55 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: dogtag-ipa-renew-agent returned 0
sep 29 13:40:05 linge.ghs.nl certmonger[17540]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
Today (two days later) I looked at the two other CA masters to see if these same certificates were OK. I saw this:
[root@iparep3 ~]# journalctl | grep -E 'certmonger|dogtag' sep 29 11:22:13 iparep3.ghs.nl certmonger[214479]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548. sep 29 11:22:13 iparep3.ghs.nl certmonger[214480]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 11:22:13 iparep3.ghs.nl certmonger[214481]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531. sep 29 11:22:13 iparep3.ghs.nl certmonger[214482]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 11:22:15 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not available sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not available sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214496]: Updated certificate not available sep 29 11:22:17 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214505]: Updated certificate not available sep 29 19:22:18 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:18 [428] Invalid cookie: u'' sep 29 19:22:19 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:19 [428] Invalid cookie: u'' sep 29 19:22:20 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:20 [428] Invalid cookie: u'' sep 29 19:22:29 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:29 [428] Invalid cookie: u''
[root@rotte ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:00:55 rotte.ghs.nl certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:00:55 rotte.ghs.nl certmonger[166382]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:55 rotte.ghs.nl certmonger[166383]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:00:55 rotte.ghs.nl certmonger[166384]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:57 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available
sep 29 13:00:58 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166391]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166390]: Updated certificate not available
sep 29 21:01:00 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:00 [97976] Invalid cookie: u''
sep 29 21:01:01 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:01 [97976] Invalid cookie: u''
sep 29 21:01:10 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:10 [97976] Invalid cookie: u''
sep 29 21:01:11 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:11 [97976] Invalid cookie: u''
So, both non-renewal masters tried dogtag-ipa-ca-renew-agent-submit, and both failed with "Updated certificate not available".
Next, I did a "yum update", hoping to get rid of the invalid cookie. This updated ipa from 4.6.5 to 4.6.6. The update failed because /var/lib/ipa/ra-agent.pem still had the old certificate.
After manually copying ra-agent.* to the failing system I was able to restart ipa. However, I suspect that things are still not right. Too many certs on the non-renewal masters still need to be renewed. I'm digging further ... -- Kees
On 20-11-2019 20:13, Natxo Asenjo via FreeIPA-users wrote:
hi,
after patching our centos 7 hosts to the latest version today, one of the two replicas is having trouble.
[root@kdc2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: STOPPED
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
smb Service: STOPPED
winbind Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
and after digging in the logs I came across this in /var/log/ipaupgrade.log:
2019-11-20T18:18:29Z DEBUG stderr=
2019-11-20T18:18:31Z INFO Certmonger certificate renewal configuration already up-to-date
2019-11-20T18:18:31Z INFO [Enable PKIX certificate path discovery and validation]
2019-11-20T18:18:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-11-20T18:18:31Z INFO PKIX already enabled
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to modify profiles]
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to manage lightweight CAs]
2019-11-20T18:18:31Z INFO [Ensuring Lightweight CAs container exists in Dogtag database]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740162547472
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc24b638>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740162547472
2019-11-20T18:18:31Z INFO [Adding default OCSP URI configuration]
2019-11-20T18:18:31Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2019-11-20T18:18:31Z INFO [Migrating certificate profiles to LDAP]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc289b00>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG request GET https://kdc2.l.domain.it:8443/ca/rest/account/login
2019-11-20T18:18:31Z DEBUG request body ''
2019-11-20T18:18:31Z DEBUG response status 401
2019-11-20T18:18:31Z DEBUG response headers Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
WWW-Authenticate: Basic realm="Certificate Authority"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 951
Date: Wed, 20 Nov 2019 18:18:31 GMT
2019-11-20T18:18:31Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-11-20T18:18:31Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-11-20T18:18:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2027, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2033, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2019-11-20T18:18:31Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-11-20T18:18:31Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
In this kdc I see these errors in getcert list:
Request ID '20190220182014':
	status: MONITORING
	ca-error: Invalid cookie: u''
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=L.DOMAIN.IT
	subject: CN=CA Audit,O=L.DOMAIN.IT
	expires: 2019-12-05 13:58:24 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190220182015':
	status: MONITORING
	ca-error: Invalid cookie: u''
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=L.DOMAIN.IT
	subject: CN=OCSP Subsystem,O=L.DOMAIN.IT
	expires: 2019-12-05 13:58:24 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190220182016':
	status: MONITORING
	ca-error: Invalid cookie: u''
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=L.DOMAIN.IT
	subject: CN=CA Subsystem,O=L.DOMAIN.IT
	expires: 2019-12-05 13:58:24 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20190220182018':
	status: MONITORING
	ca-error: Invalid cookie: u''
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=L.DOMAIN.IT
	subject: CN=IPA RA,O=L.DOMAIN.IT
	expires: 2019-12-05 13:58:44 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20190220182019':
	status: MONITORING
	ca-error: Server at "https://kdc2.l.domain.it:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=L.DOMAIN.IT
	subject: CN=kdc2.l.domain.it,O=L.DOMAIN.IT
	expires: 2019-12-10 10:57:52 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
I still have a working replica, so I could just reinstall and have a working set in a couple of minutes, but I would like to find out what has gone wrong.
The systems are running ipa-server-4.6.5-11.el7.centos.3.x86_64
Any help welcome ;-)
Thanks,
-- Groeten, natxo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
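The `getcert list` output quoted above, and Kees's remark that too many certificates on the non-renewal masters still need renewing, are things an operator otherwise reads by hand across several hosts. As an added example that is not part of this thread and not code from FreeIPA or certmonger, the Python below parses that output format, flags tracked requests that carry a `ca-error` or expire within a window, and compares a replica's expiry dates against the renewal master's to list the system certificates the replica has not yet picked up. The two sample outputs, their request IDs, subjects (`O=EXAMPLE.TEST`) and dates are constructed for the example, not taken from any real deployment.

```python
"""Parse `getcert list` output and flag requests that need an operator's look.

Added example; not code from the thread, FreeIPA or certmonger. The two samples
are constructed to mirror the format the thread shows, with illustrative request
IDs, subjects and dates rather than values from any real system.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a non-renewal CA master that still carries the old system
# certificates and reports the "Invalid cookie" ca-error for them.
REPLICA_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20200101000001':
\tca-error: Invalid cookie: u''
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2020-10-26 20:15:48 UTC
Request ID '20200101000002':
\tca-error: Invalid cookie: u''
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2020-10-26 20:15:32 UTC
Request ID '20200101000003':
\tCA: IPA
\tsubject: CN=replica1.example.test,O=EXAMPLE.TEST
\texpires: 2022-03-01 08:00:00 UTC
"""

# Constructed sample: the same system certificates on the CA renewal master,
# already renewed (later expiry, no ca-error).
MASTER_OUTPUT = """\
Request ID '20200101000011':
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2022-09-29 11:39:49 UTC
Request ID '20200101000012':
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2022-09-29 11:39:39 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the printed field names."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as "Invalid cookie: u''"
            # contain colons of their own.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests


def expiry(req):
    """Parse getcert's 'expires: 2020-10-26 20:15:48 UTC' into an aware datetime."""
    raw = req.get("expires")
    if raw is None:
        return None
    return datetime.strptime(raw, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def needs_attention(requests, now, warn_within=timedelta(days=30)):
    """(request_id, reason) pairs for entries with a CA error or a near expiry."""
    flagged = []
    for req in requests:
        reasons = []
        if req.get("ca-error"):
            reasons.append("ca-error: " + req["ca-error"])
        exp = expiry(req)
        if exp is not None and exp - now <= warn_within:
            reasons.append(f"expires {exp:%Y-%m-%d}")
        if reasons:
            flagged.append((req["request_id"], "; ".join(reasons)))
    return flagged


def stale_on_replica(master, replica):
    """Subjects whose certificate on the replica expires before the copy on the
    renewal master, i.e. renewals the replica has not picked up yet."""
    master_expiry = {req.get("subject"): expiry(req) for req in master if expiry(req)}
    return sorted(
        req["subject"] for req in replica
        if expiry(req) and req.get("subject") in master_expiry
        and expiry(req) < master_expiry[req["subject"]]
    )
```

Save the real `getcert list` output from each CA master to a file and pass the text to `parse_getcert_list`; the script only reads text, changes nothing on the hosts and issues no certmonger commands. With the thread's situation (`now` set to 2020-10-01) the two "Invalid cookie" entries are flagged for both the error and the expiry inside 30 days, and the subject comparison names the RA agent and CA audit certificates as renewed on the master but not on the replica.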
On the non-renewal masters there are 4 certificates that show "ca-error: Invalid cookie: u''"
Request ID '20181127141739':
	ca-error: Invalid cookie: u''
	subject: CN=IPA RA,O=GHS.NL
	expires: 2020-10-26 20:15:48 UTC
Request ID '20181127141749':
	ca-error: Invalid cookie: u''
	subject: CN=CA Audit,O=GHS.NL
	expires: 2020-10-26 20:15:32 UTC
Request ID '20181127141750':
	ca-error: Invalid cookie: u''
	subject: CN=OCSP Subsystem,O=GHS.NL
	expires: 2020-10-26 20:15:31 UTC
Request ID '20181127141751':
	ca-error: Invalid cookie: u''
	subject: CN=CA Subsystem,O=GHS.NL
	expires: 2020-10-26 20:15:32 UTC
All of them are "system certificates" that are already renewed on the CA Renewal Master.
How do I get these renewed? I don't like to run whatever command, because I'm too scared to break the system for good. -- Kees
On 01-10-2020 16:07, Kees Bakker via FreeIPA-users wrote:
This now happened to me too.
The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart).
What remains a mystery is **why** this happened.
In my case, we have three CA masters; one is the CA renewal master (of course). Two days ago, linge, the renewal master, renewed a few certificates. Here is a summary of journalctl.
[root@linge ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
Can I safely do the following?
ipa-getcert resubmit -i 20181127141739
ipa-getcert resubmit -i 20181127141749
ipa-getcert resubmit -i 20181127141750
ipa-getcert resubmit -i 20181127141751
On 01-10-2020 17:36, Kees Bakker via FreeIPA-users wrote:
On the non-renewal masters there are 4 certificates that show "ca-error: Invalid cookie: u''"
Request ID '20181127141739':
    ca-error: Invalid cookie: u''
    subject: CN=IPA RA,O=GHS.NL
    expires: 2020-10-26 20:15:48 UTC
Request ID '20181127141749':
    ca-error: Invalid cookie: u''
    subject: CN=CA Audit,O=GHS.NL
    expires: 2020-10-26 20:15:32 UTC
Request ID '20181127141750':
    ca-error: Invalid cookie: u''
    subject: CN=OCSP Subsystem,O=GHS.NL
    expires: 2020-10-26 20:15:31 UTC
Request ID '20181127141751':
    ca-error: Invalid cookie: u''
    subject: CN=CA Subsystem,O=GHS.NL
    expires: 2020-10-26 20:15:32 UTC
All of them are "system certificates" that are already renewed on the CA Renewal Master.
How do I get these renewed? I don't like to run whatever command, because I'm too scared to break the system for good. -- Kees
On 01-10-2020 16:07, Kees Bakker via FreeIPA-users wrote:
This now happened to me too.
The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart).
What remains a mystery is **why** this happened.
In my case, we have three CA masters, one is the CA renewal master (of course). Two days ago, linge, the renewal master, renewed a few certificates. Here is a summary of journalctl.
[root@linge ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
sep 29 13:39:52 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:53 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:54 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:55 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: dogtag-ipa-renew-agent returned 0
sep 29 13:40:05 linge.ghs.nl certmonger[17540]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
Today (two days later) I looked at the two other CA masters to see if these same certificates were OK. I saw this:
[root@iparep3 ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 11:22:13 iparep3.ghs.nl certmonger[214479]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214480]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214481]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214482]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 11:22:15 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not available
sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not available
sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214496]: Updated certificate not available
sep 29 11:22:17 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214505]: Updated certificate not available
sep 29 19:22:18 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:18 [428] Invalid cookie: u''
sep 29 19:22:19 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:19 [428] Invalid cookie: u''
sep 29 19:22:20 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:20 [428] Invalid cookie: u''
sep 29 19:22:29 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:29 [428] Invalid cookie: u''
[root@rotte ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:00:55 rotte.ghs.nl certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:00:55 rotte.ghs.nl certmonger[166382]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:55 rotte.ghs.nl certmonger[166383]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:00:55 rotte.ghs.nl certmonger[166384]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:57 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available
sep 29 13:00:58 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166391]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166390]: Updated certificate not available
sep 29 21:01:00 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:00 [97976] Invalid cookie: u''
sep 29 21:01:01 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:01 [97976] Invalid cookie: u''
sep 29 21:01:10 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:10 [97976] Invalid cookie: u''
sep 29 21:01:11 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:11 [97976] Invalid cookie: u''
So, both non-renewal masters tried dogtag-ipa-ca-renew-agent-submit, and both failed with "Updated certificate not available".
Next, I did a "yum update", hoping to get rid of the invalid cookie. This updated ipa from 4.6.5 to 4.6.6. The update failed because /var/lib/ipa/ra-agent.pem still had the old certificate.
After manually copying ra-agent.* to the failing system I was able to restart ipa. However, I suspect that things are still not right. Too many certs on the non-renewal masters still need to be renewed. I'm digging further ... -- Kees
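A small triage script for the kind of journal lines Kees pasted above, added here as an example (it is not code from the thread or from FreeIPA). It groups the certmonger and dogtag-ipa-ca-renew-agent-submit messages per host and says which host actually renewed certificates (the renewal master), which hosts are still waiting to retrieve the renewed certificates, and which are logging "Invalid cookie". The sample journal is constructed from the message shapes in the thread, with ca1/ca2/ca3.example.test standing in for the real hostnames; the reading of helper status 0 as "issued" and 5 as "wait and call again with a cookie" is my understanding of certmonger's helper exit codes, not something the thread states.

```python
"""Triage certmonger / dogtag renewal messages from journalctl on a set of
FreeIPA CA masters: per host, did it renew certificates itself (renewal
master), is it still waiting to pick up renewed certificates, or is it
logging the "Invalid cookie" error?"""
import re
from collections import defaultdict

# journalctl short format: "<mon> <day> <hh:mm:ss> <host> <unit>[<pid>]: <message>"
_LINE_RE = re.compile(
    r"^(?P<ts>[A-Za-z]{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# Exit status of the renewal helper as certmonger logs it. My reading (an
# assumption, not stated in the thread): 0 = issued, 5 = wait, retry with a cookie.
_RC_RE = re.compile(r"dogtag-ipa-renew-agent returned (\d+)")

# Message fragments seen in the thread, each mapped to a counter name.
_PATTERNS = [
    ("will not be valid after", "expiring"),
    ("Forwarding request to dogtag-ipa-renew-agent", "attempts"),
    ("issued by CA and saved", "renewed"),
    ("Updated certificate not available", "pickup_pending"),
    ("Invalid cookie", "invalid_cookie"),
]


def classify(msg):
    """Map one journal message to a counter name, or None if unrelated."""
    for needle, name in _PATTERNS:
        if needle in msg:
            return name
    return None


def _new_host():
    counters = {name: 0 for _, name in _PATTERNS}
    counters["agent_rcs"] = []
    return counters


def triage(journal_text):
    """Return {host: counters} for the certmonger/dogtag lines in journal_text."""
    per_host = defaultdict(_new_host)
    for line in journal_text.splitlines():
        m = _LINE_RE.match(line)
        if not m:
            continue
        host, msg = m.group("host"), m.group("msg")
        rc = _RC_RE.search(msg)
        if rc:
            per_host[host]["agent_rcs"].append(int(rc.group(1)))
            continue
        name = classify(msg)
        if name:
            per_host[host][name] += 1
    return dict(per_host)


def verdict(counters):
    """One-line assessment of a host's counters."""
    if counters["invalid_cookie"]:
        return ("ATTENTION: 'Invalid cookie' errors; certmonger is not picking up "
                "the renewed certificates")
    if counters["renewed"]:
        return "OK: renewed %d certificate(s) locally (renewal master)" % counters["renewed"]
    if counters["pickup_pending"]:
        return ("WAITING: %d renewed certificate(s) not yet retrieved from the renewal master"
                % counters["pickup_pending"])
    if counters["expiring"]:
        return "WATCH: expiry warnings but no renewal activity yet"
    return "OK: no renewal activity"


# Constructed sample modelled on the journal excerpts in the thread; the
# hostnames ca1/ca2/ca3.example.test are placeholders, not real hosts.
SAMPLE_JOURNAL = """\
sep 29 13:39:00 ca1.example.test certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:39:00 ca1.example.test certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:02 ca1.example.test dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:03 ca1.example.test dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:08 ca1.example.test dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:08 ca1.example.test dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:20 ca1.example.test certmonger[16720]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:49 ca1.example.test certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
sep 29 11:22:13 ca2.example.test certmonger[214479]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 11:22:15 ca2.example.test dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not available
sep 29 11:22:16 ca2.example.test dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not available
sep 29 19:22:18 ca2.example.test certmonger[428]: 2020-09-29 19:22:18 [428] Invalid cookie: u''
sep 29 19:22:19 ca2.example.test certmonger[428]: 2020-09-29 19:22:19 [428] Invalid cookie: u''
sep 29 13:00:55 ca3.example.test certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:00:57 ca3.example.test dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available
"""

if __name__ == "__main__":
    for host, counters in sorted(triage(SAMPLE_JOURNAL).items()):
        print("%-18s %s  (helper statuses: %s)" % (host, verdict(counters), counters["agent_rcs"]))
```

On real hosts, feed it the output of `journalctl | grep -E 'certmonger|dogtag'` from each CA master concatenated; the per-host split means the ordering of hosts in the input does not matter. A host that shows expiry warnings followed by "Updated certificate not available" and nothing else has simply not yet seen the renewed certificate, while "Invalid cookie" is the state the thread is about.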
On 20-11-2019 20:13, Natxo Asenjo via FreeIPA-users wrote:
Kees Bakker via FreeIPA-users wrote:
Can I safely do the following?
ipa-getcert resubmit -i 20181127141739
ipa-getcert resubmit -i 20181127141749
ipa-getcert resubmit -i 20181127141750
ipa-getcert resubmit -i 20181127141751
No. Only the renewal master should attempt renewing the certificates.
The cookie error was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1788907
A description of what is happening is at https://github.com/freeipa/freeipa/commit/b5b9efeb57c010443c33c6f14f831abdbd...
Try restarting certmonger.
rob
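As an added example (not code from the thread or from FreeIPA), here is a check that turns Rob's answer into something an operator can run before touching anything: give it `getcert list` output from the CA renewal master and from the suspect host, and it reports which tracked requests on that host carry a ca-error and which certificates the renewal master has already renewed (a later expiry) that the host has not yet picked up. The two getcert outputs are constructed for the example, with EXAMPLE.TEST standing in for the real realm, and the recommended action follows the thread: restart certmonger on the non-renewal master rather than resubmitting there.

```python
"""Check a non-renewal FreeIPA CA master against the CA renewal master using
`getcert list` output from both hosts: flag tracked requests with a ca-error,
and requests whose certificate the renewal master has already renewed but
this host has not yet picked up."""
import re
from datetime import datetime, timezone

# A new request starts with "Request ID '<id>':"; its fields follow, indented,
# as "<name>: <value>" (the value itself may contain colons, e.g. ca-error).
_REQ_RE = re.compile(r"Request ID '([^']+)':")
_FIELD_RE = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")


def parse_getcert_list(text):
    """Parse `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = _REQ_RE.search(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None:  # preamble such as "Number of certificates ..."
            continue
        m = _FIELD_RE.match(line)
        if m:
            current[m.group(1).strip()] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """'2020-10-26 20:15:48 UTC' -> timezone-aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def compare(renewal_master_text, replica_text):
    """Findings for the replica: request_id, subject and the list of issues found."""
    master_by_subject = {r.get("subject"): r for r in parse_getcert_list(renewal_master_text)}
    findings = []
    for req in parse_getcert_list(replica_text):
        issues = []
        if req.get("ca-error"):
            issues.append("ca-error: " + req["ca-error"])
        master = master_by_subject.get(req.get("subject"))
        if master and "expires" in master and "expires" in req:
            if parse_expiry(master["expires"]) > parse_expiry(req["expires"]):
                issues.append("stale: renewal master's copy expires %s, this host's %s"
                              % (master["expires"], req["expires"]))
        if issues:
            findings.append({"request_id": req["request_id"],
                             "subject": req.get("subject"), "issues": issues})
    return findings


def advice(finding):
    """Action consistent with the thread: never resubmit on a non-renewal master."""
    if any(i.startswith("stale") for i in finding["issues"]):
        return ("do not resubmit here; restart certmonger and let it fetch the "
                "certificate the renewal master already issued")
    return "inspect the ca-error; renewing this certificate is the renewal master's job"


# Constructed getcert output for a renewal master that renewed two days ago
# (EXAMPLE.TEST is a placeholder realm). Only the fields used here are included.
RENEWAL_MASTER = """\
Number of certificates and requests being tracked: 2.
Request ID '20181127141739':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2022-09-29 11:39:49 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20181127141749':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2022-09-29 11:39:39 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Constructed getcert output for a non-renewal master still holding the old
# certificates and showing the error from the thread; the third request is a
# host certificate the renewal master does not track.
REPLICA = """\
Request ID '20181127141739':
\tstatus: MONITORING
\tca-error: Invalid cookie: u''
\tstuck: no
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2020-10-26 20:15:48 UTC
Request ID '20181127141749':
\tstatus: MONITORING
\tca-error: Invalid cookie: u''
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2020-10-26 20:15:32 UTC
Request ID '20181127141760':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=replica1.example.test,O=EXAMPLE.TEST
\texpires: 2022-03-01 00:00:00 UTC
"""

if __name__ == "__main__":
    for f in compare(RENEWAL_MASTER, REPLICA):
        print(f["request_id"], f["subject"])
        for issue in f["issues"]:
            print("   ", issue)
        print("    ->", advice(f))
```

It keys on the certificate subject, so it works the same for the file-based RA agent certificate and for the NSS-stored CA subsystem certificates; a request with neither a ca-error nor a newer copy on the renewal master produces no finding.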
On 01-10-2020 17:36, Kees Bakker via FreeIPA-users wrote:
**** EXTERNAL E-MAIL ****
On the non-renewal masters there are 4 certificates that show "ca-error: Invalid cookie: u''"
Request ID '20181127141739': ca-error: Invalid cookie: u'' subject: CN=IPA RA,O=GHS.NL expires: 2020-10-26 20:15:48 UTC Request ID '20181127141749': ca-error: Invalid cookie: u'' subject: CN=CA Audit,O=GHS.NL expires: 2020-10-26 20:15:32 UTC Request ID '20181127141750': ca-error: Invalid cookie: u'' subject: CN=OCSP Subsystem,O=GHS.NL expires: 2020-10-26 20:15:31 UTC Request ID '20181127141751': ca-error: Invalid cookie: u'' subject: CN=CA Subsystem,O=GHS.NL expires: 2020-10-26 20:15:32 UTC
All of them are "system certificates" that are already renewed on the CA Renewal Master.
How do I get these renewed? I don't like to run whatever command, because I'm too scared to break the system for good. -- Kees
On 01-10-2020 16:07, Kees Bakker via FreeIPA-users wrote:
This now happened to me too.
The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart).
What remains a mystery is **why** this happened.
In my case, we have three CA masters, one is the CA renewal master (of course). Two days ago, linge, the renewal master, renewed a few certificates. Here is a summary of journalctl.
[root@linge ~]# journalctl | grep -E 'certmonger|dogtag' sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548. sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531. sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0 sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved. 
sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: dogtag-ipa-renew-agent returned 0 sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved. sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: dogtag-ipa-renew-agent returned 0 sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved. 
sep 29 13:39:52 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:53 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:54 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:55 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: dogtag-ipa-renew-agent returned 5 sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: Forwarding request to dogtag-ipa-renew-agent sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: dogtag-ipa-renew-agent returned 0 sep 29 13:40:05 linge.ghs.nl certmonger[17540]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
Today (two days later) I looked at the two other CA masters to see if these same certificates were OK. I saw this:
[root@iparep3 ~]# journalctl | grep -E 'certmonger|dogtag' sep 29 11:22:13 iparep3.ghs.nl certmonger[214479]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548. sep 29 11:22:13 iparep3.ghs.nl certmonger[214480]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 11:22:13 iparep3.ghs.nl certmonger[214481]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531. sep 29 11:22:13 iparep3.ghs.nl certmonger[214482]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 11:22:15 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not available sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not available sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214496]: Updated certificate not available sep 29 11:22:17 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214505]: Updated certificate not available sep 29 19:22:18 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:18 [428] Invalid cookie: u'' sep 29 19:22:19 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:19 [428] Invalid cookie: u'' sep 29 19:22:20 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:20 [428] Invalid cookie: u'' sep 29 19:22:29 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:29 [428] Invalid cookie: u''
[root@rotte ~]# journalctl | grep -E 'certmonger|dogtag' sep 29 13:00:55 rotte.ghs.nl certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548. sep 29 13:00:55 rotte.ghs.nl certmonger[166382]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:00:55 rotte.ghs.nl certmonger[166383]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531. sep 29 13:00:55 rotte.ghs.nl certmonger[166384]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532. sep 29 13:00:57 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available sep 29 13:00:58 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not available sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166391]: Updated certificate not available sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166390]: Updated certificate not available sep 29 21:01:00 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:00 [97976] Invalid cookie: u'' sep 29 21:01:01 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:01 [97976] Invalid cookie: u'' sep 29 21:01:10 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:10 [97976] Invalid cookie: u'' sep 29 21:01:11 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:11 [97976] Invalid cookie: u''
So, both non-renewal masters started tried dogtag-ipa-ca-renew-agent-submit, and both failed with "Updated certificate not available"
Next, I did a "yum update", hoping to get rid of the invalid cookie. This updated ipa from 4.6.5 to 4.6.6 The update failed because /var/lib/ipa/ra-agent.pem still had the old certificate.
After manually copying ra-agent.* to the failing system I was able to restart ipa. However, I suspect that things are still not right. Too many certs on the non-renewal masters still need to be renewed. I'm digging further ... -- Kees
On 20-11-2019 20:13, Natxo Asenjo via FreeIPA-users wrote:
hi,
after patching our centos 7 hosts to the latest version today, one of the two replicas is having trouble.
[root@kdc2 ~]# ipactl status Directory Service: RUNNING krb5kdc Service: STOPPED kadmin Service: STOPPED named Service: STOPPED httpd Service: RUNNING ipa-custodia Service: STOPPED ntpd Service: STOPPED pki-tomcatd Service: RUNNING smb Service: STOPPED winbind Service: STOPPED ipa-otpd Service: STOPPED ipa-dnskeysyncd Service: STOPPED ipa: INFO: The ipactl command was successful
and after digging in the logs I come across this in /var/log/ipaupgrade.log:
2019-11-20T18:18:29Z DEBUG stderr=
2019-11-20T18:18:31Z INFO Certmonger certificate renewal configuration already up-to-date
2019-11-20T18:18:31Z INFO [Enable PKIX certificate path discovery and validation]
2019-11-20T18:18:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-11-20T18:18:31Z INFO PKIX already enabled
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to modify profiles]
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to manage lightweight CAs]
2019-11-20T18:18:31Z INFO [Ensuring Lightweight CAs container exists in Dogtag database]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740162547472
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc24b638>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740162547472
2019-11-20T18:18:31Z INFO [Adding default OCSP URI configuration]
2019-11-20T18:18:31Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2019-11-20T18:18:31Z INFO [Migrating certificate profiles to LDAP]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc289b00>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG request GET https://kdc2.l.domain.it:8443/ca/rest/account/login
2019-11-20T18:18:31Z DEBUG request body ''
2019-11-20T18:18:31Z DEBUG response status 401
2019-11-20T18:18:31Z DEBUG response headers Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
WWW-Authenticate: Basic realm="Certificate Authority"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 951
Date: Wed, 20 Nov 2019 18:18:31 GMT
2019-11-20T18:18:31Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-11-20T18:18:31Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-11-20T18:18:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2027, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2033, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2019-11-20T18:18:31Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-11-20T18:18:31Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
In this kdc I see these errors in getcert list:
Request ID '20190220182014':
        status: MONITORING
        ca-error: Invalid cookie: u''
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=L.DOMAIN.IT
        subject: CN=CA Audit,O=L.DOMAIN.IT
        expires: 2019-12-05 13:58:24 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190220182015':
        status: MONITORING
        ca-error: Invalid cookie: u''
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=L.DOMAIN.IT
        subject: CN=OCSP Subsystem,O=L.DOMAIN.IT
        expires: 2019-12-05 13:58:24 UTC
        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
        eku: id-kp-OCSPSigning
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190220182016':
        status: MONITORING
        ca-error: Invalid cookie: u''
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=L.DOMAIN.IT
        subject: CN=CA Subsystem,O=L.DOMAIN.IT
        expires: 2019-12-05 13:58:24 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
        track: yes
        auto-renew: yes
Request ID '20190220182018':
        status: MONITORING
        ca-error: Invalid cookie: u''
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=L.DOMAIN.IT
        subject: CN=IPA RA,O=L.DOMAIN.IT
        expires: 2019-12-05 13:58:44 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20190220182019':
        status: MONITORING
        ca-error: Server at "https://kdc2.l.domain.it:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=L.DOMAIN.IT
        subject: CN=kdc2.l.domain.it,O=L.DOMAIN.IT
        expires: 2019-12-10 10:57:52 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
        pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
        track: yes
        auto-renew: yes
I still have a working replica, so I could just reinstall and have a working set in a couple of minutes, but I would like to find out what has gone wrong.
The systems are running ipa-server-4.6.5-11.el7.centos.3.x86_64
Any help welcome ;-)
Thanks,
-- Regards, natxo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
On 01-10-2020 20:33, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Can I safely do the following?
ipa-getcert resubmit -i 20181127141739
ipa-getcert resubmit -i 20181127141749
ipa-getcert resubmit -i 20181127141750
ipa-getcert resubmit -i 20181127141751
No. Only the renewal master should attempt renewing the certificates.
OK. I'm glad I asked.
The cookie error was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1788907
A description of what is happening is at https://github.com/freeipa/freeipa/commit/b5b9efeb57c010443c33c6f14f831abdbd...
Try restarting certmonger.
rob
Restarting certmonger did nothing.
This is a Centos 7 system with these versions of FreeIPA and certmonger.
# rpm -qa ipa* certmonger
ipa-server-trust-ad-4.6.6-11.el7.centos.x86_64
ipa-server-common-4.6.6-11.el7.centos.noarch
ipa-common-4.6.6-11.el7.centos.noarch
ipa-client-4.6.6-11.el7.centos.x86_64
ipa-server-4.6.6-11.el7.centos.x86_64
ipa-client-common-4.6.6-11.el7.centos.noarch
ipa-server-dns-4.6.6-11.el7.centos.noarch
certmonger-0.78.4-12.el7.x86_64
Snif. And I need 4.6.8 :-( -- Kees
On 01-10-2020 17:36, Kees Bakker via FreeIPA-users wrote:
On the non-renewal masters there are 4 certificates that show "ca-error: Invalid cookie: u''"
Request ID '20181127141739':
        ca-error: Invalid cookie: u''
        subject: CN=IPA RA,O=GHS.NL
        expires: 2020-10-26 20:15:48 UTC
Request ID '20181127141749':
        ca-error: Invalid cookie: u''
        subject: CN=CA Audit,O=GHS.NL
        expires: 2020-10-26 20:15:32 UTC
Request ID '20181127141750':
        ca-error: Invalid cookie: u''
        subject: CN=OCSP Subsystem,O=GHS.NL
        expires: 2020-10-26 20:15:31 UTC
Request ID '20181127141751':
        ca-error: Invalid cookie: u''
        subject: CN=CA Subsystem,O=GHS.NL
        expires: 2020-10-26 20:15:32 UTC
All of them are "system certificates" that are already renewed on the CA Renewal Master.
How do I get these renewed? I don't like to run whatever command, because I'm too scared to break the system for good. -- Kees
On 01-10-2020 16:07, Kees Bakker via FreeIPA-users wrote:
This now happened to me too.
The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart).
What remains a mystery is **why** this happened.
In my case, we have three CA masters; one of them is the CA renewal master (of course). Two days ago, linge, the renewal master, renewed a few certificates. Here is a summary of journalctl.
[root@linge ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
sep 29 13:39:52 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:53 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:54 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:55 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: dogtag-ipa-renew-agent returned 0
sep 29 13:40:05 linge.ghs.nl certmonger[17540]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
Today (two days later) I looked at the two other CA masters to see if these same certificates were OK. I saw this:
[root@iparep3 ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 11:22:13 iparep3.ghs.nl certmonger[214479]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214480]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214481]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214482]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 11:22:15 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not available
sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not available
sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214496]: Updated certificate not available
sep 29 11:22:17 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214505]: Updated certificate not available
sep 29 19:22:18 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:18 [428] Invalid cookie: u''
sep 29 19:22:19 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:19 [428] Invalid cookie: u''
sep 29 19:22:20 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:20 [428] Invalid cookie: u''
sep 29 19:22:29 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:29 [428] Invalid cookie: u''

[root@rotte ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:00:55 rotte.ghs.nl certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:00:55 rotte.ghs.nl certmonger[166382]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:55 rotte.ghs.nl certmonger[166383]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:00:55 rotte.ghs.nl certmonger[166384]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:57 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available
sep 29 13:00:58 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166391]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166390]: Updated certificate not available
sep 29 21:01:00 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:00 [97976] Invalid cookie: u''
sep 29 21:01:01 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:01 [97976] Invalid cookie: u''
sep 29 21:01:10 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:10 [97976] Invalid cookie: u''
sep 29 21:01:11 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:11 [97976] Invalid cookie: u''
So, both non-renewal masters tried dogtag-ipa-ca-renew-agent-submit, and both failed with "Updated certificate not available".
Next, I did a "yum update", hoping to get rid of the invalid cookie. This updated ipa from 4.6.5 to 4.6.6. The update failed because /var/lib/ipa/ra-agent.pem still had the old certificate.
After manually copying ra-agent.* to the failing system I was able to restart ipa. However, I suspect that things are still not right. Too many certs on the non-renewal masters still need to be renewed. I'm digging further ... -- Kees
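The getcert list excerpts above (Natxo's five requests with "Invalid cookie" and "Invalid Credential" ca-errors, and Kees's four system certificates on the non-renewal masters expiring on 2020-10-26) are the kind of output an admin ends up scanning by eye. The following is an added example, written for this archive and not part of the thread, FreeIPA or certmonger: it parses getcert list output into records and flags every tracking request that carries a ca-error, is expired or within a warning window, or is not in MONITORING state. The sample output is constructed to mirror the excerpts; ipa.example.test and EXAMPLE.TEST are placeholders, and THREAD_DATE is simply the date of the messages, used as the reference time so the result is reproducible.

```python
"""Triage ``getcert list`` output: report tracking requests that carry a
ca-error, are past or near expiry, or are not in MONITORING state.
Added example for this thread; not FreeIPA or certmonger code."""
import re
from datetime import datetime, timezone

# Constructed sample modelled on the getcert excerpts quoted in the thread;
# host and realm names are placeholders, not values from the page.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20181127141739':
        status: MONITORING
        ca-error: Invalid cookie: u''
        stuck: no
        key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
        certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2020-10-26 20:15:48 UTC
Request ID '20190220182019':
        status: MONITORING
        ca-error: Server at "https://ipa.example.test:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2019-12-10 10:57:52 UTC
Request ID '20181127141800':
        status: MONITORING
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2022-05-01 00:00:00 UTC
"""

# Reference time for the sample: the day the thread's messages were sent.
THREAD_DATE = datetime(2020, 10, 1, 16, 0, 0, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S %Z"


def parse_getcert_list(text):
    """Split getcert list output into one dict of fields per request."""
    requests, current = [], None
    for raw in text.splitlines():
        match = REQUEST_RE.match(raw)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
            continue
        line = raw.strip()
        if current is None or ":" not in line:
            continue  # summary header or unrelated output
        # Split on the first colon only, so a ca-error such as
        # 'Server at "https://..." replied: 1: Invalid Credential.' survives.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def classify_ca_error(ca_error):
    """Map the free-text ca-error field to a short category."""
    if not ca_error:
        return "ok"
    if "Invalid cookie" in ca_error:
        return "invalid-cookie"      # the renew-agent helper bug from the thread
    if "Invalid Credential" in ca_error:
        return "invalid-credential"  # the CA rejected the agent credentials
    return "other"


def triage(text, now, warn_days=30):
    """One finding per request; ``now`` must be a timezone-aware datetime."""
    findings = []
    for req in parse_getcert_list(text):
        category = classify_ca_error(req.get("ca-error", ""))
        exp_text = req.get("expires")
        if exp_text:  # absent while a request is still waiting for issuance
            expires = datetime.strptime(exp_text, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            days_left, expired = (expires - now).days, expires <= now
        else:
            days_left, expired = None, False
        findings.append({
            "id": req["id"],
            "subject": req.get("subject", ""),
            "category": category,
            "days_left": days_left,
            "expired": expired,
            "needs_attention": (category != "ok" or expired
                                or (days_left is not None and days_left < warn_days)
                                or req.get("status") != "MONITORING"),
        })
    return findings


def ids_needing_attention(text, now, warn_days=30):
    return [f["id"] for f in triage(text, now, warn_days) if f["needs_attention"]]


if __name__ == "__main__":
    # On a live server feed in the real output instead, e.g.
    # subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    for f in triage(SAMPLE_GETCERT_LIST, THREAD_DATE):
        days = "n/a" if f["days_left"] is None else f"{f['days_left']}d"
        flag = "!!" if f["needs_attention"] else "  "
        print(f"{flag} {f['id']} {f['category']:<18} {days:>6}  {f['subject']}")
```

The script only reads and reports; it deliberately does not resubmit anything, because the thread itself records two conflicting pieces of advice on whether getcert resubmit is appropriate on a non-renewal master. A flagged "invalid-cookie" entry on a non-renewal master is the symptom described in the linked Bugzilla, and the "Updated certificate not available" lines in the journalctl output above are what it looks like on the retrieval side. Running this on each CA master and comparing the expiry dates with those on the renewal master shows at a glance which replicas have not yet picked up the renewed certificates.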
On 01-10-2020 20:33, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Can I safely do the following?
ipa-getcert resubmit -i 20181127141739
ipa-getcert resubmit -i 20181127141749
ipa-getcert resubmit -i 20181127141750
ipa-getcert resubmit -i 20181127141751
No. Only the renewal master should attempt renewing the certificates.
That conflicts with a remark from Florence in a thread with the subject "Replica not renewing IPA certificates" in January this year on this mailing list.
"Since you are hitting the issue 8164, you can manually force the renewal on the replica (once the CA renewal master has actually renewed the cert) with getcert resubmit."
and the feedback from Roderick was
"Thank you very much! The getcert resubmit has successfully renewed all the certificates in need of renewal."
I'm puzzled, which is it? Can I use "getcert resubmit" or can I not use it?
And, if not, how is the renewal re-triggered (assuming I have manually patched /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to avoid the cookie problem). Restarting certmonger did not help. Restarting all of IPA did not help. -- Kees
The cookie error was fixed in https://bugzilla.redhat.com/show_bug.cgi?id=1788907
A description of what is happening is at https://github.com/freeipa/freeipa/commit/b5b9efeb57c010443c33c6f14f831abdbd...
Try restarting certmonger.
rob
On 01-10-2020 16:07, Kees Bakker via FreeIPA-users wrote:
This now happened to me too.
The solution in this thread was to copy /var/lib/ipa/ra-agent.* to the failing system. After that I was able to restart (ipactl restart).
What remains a mystery is **why** this happened.
In my case, we have three CA masters, one is the CA renewal master (of course). Two days ago, linge, the renewal master, renewed a few certificates. Here is a summary of journalctl.
[root@linge ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:39:00 linge.ghs.nl certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:39:00 linge.ghs.nl certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:00 linge.ghs.nl certmonger[16290]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:39:00 linge.ghs.nl certmonger[16291]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:39:02 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:03 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:05 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:06 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16339]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:08 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:20 linge.ghs.nl certmonger[16720]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:22 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:23 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16297]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:25 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16726]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:27 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16741]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:39 linge.ghs.nl certmonger[17106]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
sep 29 13:39:42 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:43 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16296]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:44 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:45 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17112]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:47 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17126]: dogtag-ipa-renew-agent returned 0
sep 29 13:39:49 linge.ghs.nl certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
sep 29 13:39:52 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:53 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[16299]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:54 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:55 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17162]: dogtag-ipa-renew-agent returned 5
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: Forwarding request to dogtag-ipa-renew-agent
sep 29 13:39:57 linge.ghs.nl dogtag-ipa-ca-renew-agent-submit[17177]: dogtag-ipa-renew-agent returned 0
sep 29 13:40:05 linge.ghs.nl certmonger[17540]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
Today (two days later) I looked at the two other CA masters to see if these same certificates were OK. I saw this:
[root@iparep3 ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 11:22:13 iparep3.ghs.nl certmonger[214479]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214480]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214481]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 11:22:13 iparep3.ghs.nl certmonger[214482]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 11:22:15 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214487]: Updated certificate not available
sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214488]: Updated certificate not available
sep 29 11:22:16 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214496]: Updated certificate not available
sep 29 11:22:17 iparep3.ghs.nl dogtag-ipa-ca-renew-agent-submit[214505]: Updated certificate not available
sep 29 19:22:18 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:18 [428] Invalid cookie: u''
sep 29 19:22:19 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:19 [428] Invalid cookie: u''
sep 29 19:22:20 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:20 [428] Invalid cookie: u''
sep 29 19:22:29 iparep3.ghs.nl certmonger[428]: 2020-09-29 19:22:29 [428] Invalid cookie: u''
[root@rotte ~]# journalctl | grep -E 'certmonger|dogtag'
sep 29 13:00:55 rotte.ghs.nl certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
sep 29 13:00:55 rotte.ghs.nl certmonger[166382]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:55 rotte.ghs.nl certmonger[166383]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201531.
sep 29 13:00:55 rotte.ghs.nl certmonger[166384]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
sep 29 13:00:57 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available
sep 29 13:00:58 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166391]: Updated certificate not available
sep 29 13:01:08 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[166390]: Updated certificate not available
sep 29 21:01:00 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:00 [97976] Invalid cookie: u''
sep 29 21:01:01 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:01 [97976] Invalid cookie: u''
sep 29 21:01:10 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:10 [97976] Invalid cookie: u''
sep 29 21:01:11 rotte.ghs.nl certmonger[97976]: 2020-09-29 21:01:11 [97976] Invalid cookie: u''
So, both non-renewal masters tried dogtag-ipa-ca-renew-agent-submit, and both failed with "Updated certificate not available".
Next, I did a "yum update", hoping to get rid of the invalid cookie. This updated ipa from 4.6.5 to 4.6.6. The update failed because /var/lib/ipa/ra-agent.pem still had the old certificate.
After manually copying ra-agent.* to the failing system I was able to restart ipa. However, I suspect that things are still not right. Too many certs on the non-renewal masters still need to be renewed. I'm digging further ... -- Kees
On 20-11-2019 20:13, Natxo Asenjo via FreeIPA-users wrote:
hi,
after patching our centos 7 hosts to the latest version today, one of the two replicas is having trouble.
[root@kdc2 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: STOPPED
kadmin Service: STOPPED
named Service: STOPPED
httpd Service: RUNNING
ipa-custodia Service: STOPPED
ntpd Service: STOPPED
pki-tomcatd Service: RUNNING
smb Service: STOPPED
winbind Service: STOPPED
ipa-otpd Service: STOPPED
ipa-dnskeysyncd Service: STOPPED
ipa: INFO: The ipactl command was successful
and after digging in the logs I come across this in /var/log/ipaupgrade.log:
2019-11-20T18:18:29Z DEBUG stderr=
2019-11-20T18:18:31Z INFO Certmonger certificate renewal configuration already up-to-date
2019-11-20T18:18:31Z INFO [Enable PKIX certificate path discovery and validation]
2019-11-20T18:18:31Z DEBUG Loading StateFile from '/var/lib/ipa/sysupgrade/sysupgrade.state'
2019-11-20T18:18:31Z INFO PKIX already enabled
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to modify profiles]
2019-11-20T18:18:31Z INFO [Authorizing RA Agent to manage lightweight CAs]
2019-11-20T18:18:31Z INFO [Ensuring Lightweight CAs container exists in Dogtag database]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740162547472
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc24b638>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740162547472
2019-11-20T18:18:31Z INFO [Adding default OCSP URI configuration]
2019-11-20T18:18:31Z INFO [Ensuring CA is using LDAPProfileSubsystem]
2019-11-20T18:18:31Z INFO [Migrating certificate profiles to LDAP]
2019-11-20T18:18:31Z DEBUG Created connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG flushing ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket from SchemaCache
2019-11-20T18:18:31Z DEBUG retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-L-DOMAIN-IT.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f17cc289b00>
2019-11-20T18:18:31Z DEBUG Destroyed connection context.ldap2_139740160021648
2019-11-20T18:18:31Z DEBUG request GET https://kdc2.l.domain.it:8443/ca/rest/account/login
2019-11-20T18:18:31Z DEBUG request body ''
2019-11-20T18:18:31Z DEBUG response status 401
2019-11-20T18:18:31Z DEBUG response headers
Server: Apache-Coyote/1.1
Cache-Control: private
Expires: Thu, 01 Jan 1970 01:00:00 CET
WWW-Authenticate: Basic realm="Certificate Authority"
Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 951
Date: Wed, 20 Nov 2019 18:18:31 GMT
2019-11-20T18:18:31Z DEBUG response body '<html><head><title>Apache Tomcat/7.0.76 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 401 - </h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u></u></p><p><b>description</b> <u>This request requires HTTP authentication.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.76</h3></body></html>'
2019-11-20T18:18:31Z ERROR IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run command ipa-server-upgrade manually.
2019-11-20T18:18:31Z DEBUG   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_server_upgrade.py", line 54, in run
    server.upgrade()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2146, in upgrade
    upgrade_configuration()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 2018, in upgrade_configuration
    ca_enable_ldap_profile_subsystem(ca)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/server/upgrade.py", line 406, in ca_enable_ldap_profile_subsystem
    cainstance.migrate_profiles_to_ldap()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2027, in migrate_profiles_to_ldap
    _create_dogtag_profile(profile_id, profile_data, overwrite=False)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/cainstance.py", line 2033, in _create_dogtag_profile
    with api.Backend.ra_certprofile as profile_api:
  File "/usr/lib/python2.7/site-packages/ipaserver/plugins/dogtag.py", line 1315, in __enter__
    raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
2019-11-20T18:18:31Z DEBUG The ipa-server-upgrade command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
2019-11-20T18:18:31Z ERROR Unexpected error - see /var/log/ipaupgrade.log for details: RemoteRetrieveError: Failed to authenticate to CA REST API
In this kdc I see these errors in getcert list:
Request ID '20190220182014':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=L.DOMAIN.IT
    subject: CN=CA Audit,O=L.DOMAIN.IT
    expires: 2019-12-05 13:58:24 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190220182015':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=L.DOMAIN.IT
    subject: CN=OCSP Subsystem,O=L.DOMAIN.IT
    expires: 2019-12-05 13:58:24 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190220182016':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=L.DOMAIN.IT
    subject: CN=CA Subsystem,O=L.DOMAIN.IT
    expires: 2019-12-05 13:58:24 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190220182018':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=L.DOMAIN.IT
    subject: CN=IPA RA,O=L.DOMAIN.IT
    expires: 2019-12-05 13:58:44 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190220182019':
    status: MONITORING
    ca-error: Server at "https://kdc2.l.domain.it:8443/ca/agent/ca/profileProcess" replied: 1: Invalid Credential.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=L.DOMAIN.IT
    subject: CN=kdc2.l.domain.it,O=L.DOMAIN.IT
    expires: 2019-12-10 10:57:52 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
I still have a working replica, so I could just reinstall and have a working set in a couple of minutes, but I would like to find out what has gone wrong.
The systems are running ipa-server-4.6.5-11.el7.centos.3.x86_64
Any help welcome ;-)
Thanks,
-- Groeten, natxo
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
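A small triage helper for the situation discussed above, added here as an example; it is not code from this thread, from FreeIPA or from certmonger. It parses "getcert list" output of the shape quoted in the thread and reports every tracked request that carries a ca-error, with the days left on the current certificate and whether the request is served by the dogtag-ipa-ca-renew-agent CA (the shared CA system certificates that, as Rob points out, only the CA renewal master renews; the other masters pick up the renewed copy, and "Updated certificate not available" in the thread is that pickup failing). The sample output, request IDs, subjects and the EXAMPLE.TEST realm are constructed for the example.

```python
"""Triage certmonger tracking requests from "getcert list" output.

Added example; not code from the thread or from FreeIPA/certmonger.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the layout getcert prints (indented fields under each
# "Request ID" line). Request IDs, subjects and the EXAMPLE.TEST realm are
# invented; the shape mirrors the output quoted in the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20181127141739':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2020-10-26 20:15:48 UTC
    auto-renew: yes
Request ID '20181127141749':
    status: MONITORING
    ca-error: Invalid cookie: u''
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2020-10-26 20:15:32 UTC
    auto-renew: yes
Request ID '20190220182020':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=replica.example.test,O=EXAMPLE.TEST
    expires: 2022-03-01 10:00:00 UTC
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_utc(text):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamps getcert prints."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: values such as the ca-error text and
        # the NSSDB locations contain further colons.
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def triage(requests, now):
    """Flag requests that carry a ca-error, with days left on the current cert."""
    findings = []
    for r in requests:
        if "ca-error" not in r:
            continue
        findings.append({
            "request_id": r["request_id"],
            "subject": r.get("subject", ""),
            "error": r["ca-error"],
            "days_left": (parse_utc(r["expires"]) - now).days,
            # Requests served by dogtag-ipa-ca-renew-agent are the shared CA
            # system certs: only the CA renewal master renews them, the other
            # masters fetch the renewed copy rather than requesting a new one.
            "renewal_master_only": r.get("CA") == "dogtag-ipa-ca-renew-agent",
        })
    return findings


if __name__ == "__main__":
    import sys
    text = SAMPLE_GETCERT_LIST if sys.stdin.isatty() else sys.stdin.read()
    for f in triage(parse_getcert_list(text), datetime.now(timezone.utc)):
        print("%(request_id)s %(subject)s: %(error)s (%(days_left)d days left, "
              "renewal-master-only=%(renewal_master_only)s)" % f)
```

Run it as "getcert list | python3 triage_getcert.py" on a non-renewal master; with no input on stdin it runs against the constructed sample. A finding with renewal_master_only=True is only actionable once the renewal master has actually issued the new certificate, which is the ordering Florence's quoted remark depends on.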
On 01-10-2020 22:05, Kees Bakker via FreeIPA-users wrote:
On 01-10-2020 20:33, Rob Crittenden wrote:
Kees Bakker via FreeIPA-users wrote:
Can I safely do the following?
ipa-getcert resubmit -i 20181127141739
ipa-getcert resubmit -i 20181127141749
ipa-getcert resubmit -i 20181127141750
ipa-getcert resubmit -i 20181127141751
No. Only the renewal master should attempt renewing the certificates.
That conflicts with a remark from Florence in a thread with the subject "Replica not renewing IPA certificates" in January this year on this mailing list.
"Since you are hitting the issue 8164, you can manually force the renewal on the replica (once the CA renewal master has actually renewed the cert) with getcert resubmit."
and the feedback from Roderick was
"Thank you very much! The getcert resubmit has successfully renewed all the certificates in need of renewal."
I'm puzzled, which is it? Can I use "getcert resubmit" or can I not use it?
And, if not, how is the renewal re-triggered (assuming I have manually patched /usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to avoid the cookie problem). Restarting certmonger did not help. Restarting all of IPA did not help. -- Kees
Anyway, I decided to take a chance and just do it. Not with the ipa-getcert command but with getcert.
getcert resubmit -i 20181127141751
getcert resubmit -i 20181127141750
getcert resubmit -i 20181127141749
getcert resubmit -i 20181127141739
That worked.
okt 02 21:15:15 rotte.ghs.nl certmonger[184791]: Certificate named "subsystemCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:16:34 rotte.ghs.nl certmonger[185194]: Certificate named "ocspSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:17:46 rotte.ghs.nl certmonger[185599]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
okt 02 21:18:46 rotte.ghs.nl dogtag-ipa-ca-renew-agent-submit[185607]: Updated certificate not available
That last line is the result of resubmitting IPA RA. I have manually copied /var/lib/ipa/ra-agent.* from the renewal master to this machine.
I think all is well now.
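The thread shows the failure mode well: the renewal master logs "issued by CA and saved" for each system certificate, while the other CA masters log "will not be valid after" and then "Updated certificate not available" or "Invalid cookie", and nobody noticed for two days. The following correlation script is an added example, not code from the thread or from FreeIPA: it parses journalctl lines in the "journalctl | grep -E 'certmonger|dogtag'" format quoted above, pairs each host's expiring certificates with the ones it actually saved a renewed copy of, and lists the hosts that still hold an expiring certificate and logged a renewal-helper failure. The hostnames, PIDs and timestamps in the sample are constructed.

```python
"""Correlate certmonger and dogtag renewal-helper journal lines per host.

Added example; not code from the thread or from FreeIPA/certmonger.
"""
import re
from collections import defaultdict

# Constructed lines in the "journalctl | grep -E 'certmonger|dogtag'" format
# quoted in the thread. Hostnames, PIDs and timestamps are invented.
SAMPLE_JOURNAL = """\
Sep 29 13:39:00 master.example.test certmonger[16288]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
Sep 29 13:39:00 master.example.test certmonger[16289]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
Sep 29 13:39:02 master.example.test dogtag-ipa-ca-renew-agent-submit[16298]: Forwarding request to dogtag-ipa-renew-agent
Sep 29 13:39:03 master.example.test dogtag-ipa-ca-renew-agent-submit[16298]: dogtag-ipa-renew-agent returned 5
Sep 29 13:39:08 master.example.test dogtag-ipa-ca-renew-agent-submit[16354]: dogtag-ipa-renew-agent returned 0
Sep 29 13:39:20 master.example.test certmonger[16720]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" issued by CA and saved.
Sep 29 13:39:49 master.example.test certmonger[17156]: Certificate in file "/var/lib/ipa/ra-agent.pem" issued by CA and saved.
Sep 29 13:00:55 replica1.example.test certmonger[166381]: Certificate in file "/var/lib/ipa/ra-agent.pem" will not be valid after 20201026201548.
Sep 29 13:00:55 replica1.example.test certmonger[166382]: Certificate named "auditSigningCert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20201026201532.
Sep 29 13:00:57 replica1.example.test dogtag-ipa-ca-renew-agent-submit[166389]: Updated certificate not available
Sep 29 13:00:58 replica1.example.test dogtag-ipa-ca-renew-agent-submit[166392]: Updated certificate not available
Sep 29 21:01:00 replica1.example.test certmonger[97976]: 2020-09-29 21:01:00 [97976] Invalid cookie: u''
"""

# Syslog-style journal prefix: "Mon DD HH:MM:SS host unit[pid]: message".
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<unit>[\w.-]+)\[(?P<pid>\d+)\]: (?P<msg>.*)$"
)
# certmonger names file-based certs by path and NSS-based certs by nickname.
CERT_RE = re.compile(r'Certificate (?:named|in file) "([^"]+)"')
# Messages seen in the thread when a non-renewal master cannot obtain the
# renewed certificate.
FAILURE_MARKERS = ("Updated certificate not available", "Invalid cookie")


def parse_journal(text):
    """Parse journal lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev = m.groupdict()
        c = CERT_RE.search(ev["msg"])
        ev["cert"] = c.group(1) if c else None
        events.append(ev)
    return events


def summarize(events):
    """Per host: certs certmonger flagged as expiring, certs it saved a renewed
    copy of, the renewal failures it logged, and what is still pending."""
    hosts = defaultdict(lambda: {"expiring": set(), "renewed": set(), "failures": []})
    for ev in events:
        h = hosts[ev["host"]]
        msg = ev["msg"]
        if ev["cert"] and "will not be valid after" in msg:
            h["expiring"].add(ev["cert"])
        elif ev["cert"] and "issued by CA and saved" in msg:
            h["renewed"].add(ev["cert"])
        elif any(marker in msg for marker in FAILURE_MARKERS):
            h["failures"].append((ev["ts"], ev["unit"], msg))
    for h in hosts.values():
        h["pending"] = h["expiring"] - h["renewed"]
    return dict(hosts)


def hosts_needing_attention(summary):
    """Hosts that still hold an expiring cert and logged renewal failures."""
    return sorted(host for host, s in summary.items() if s["pending"] and s["failures"])


if __name__ == "__main__":
    import sys
    text = SAMPLE_JOURNAL if sys.stdin.isatty() else sys.stdin.read()
    summary = summarize(parse_journal(text))
    for host in hosts_needing_attention(summary):
        s = summary[host]
        print("%s: %d cert(s) still pending after %d failure(s): %s"
              % (host, len(s["pending"]), len(s["failures"]), ", ".join(sorted(s["pending"]))))
```

Feed it the journals of all CA masters, for instance "journalctl | grep -E 'certmonger|dogtag' | python3 renewal_check.py" on each host, or a concatenation gathered centrally. A host that is listed while the renewal master shows nothing pending is exactly the state described in the thread: the new certificate exists, but this replica has not picked it up.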