Ricardo Mendes wrote:
Hi Rob,
Again thanks for your reply. So I went to the commit from 2017 and re-ran setup-le.sh. Output is here:
In the end I get this error:
ipaplatform.redhat.tasks: INFO: Systemwide CA database updated.
ipalib.backend: DEBUG: Destroyed connection context.rpcclient_140213913461328
ipapython.admintool: INFO: The ipa-certupdate command was successful
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
If I try renew-le:
# bash renew-le.sh
certutil: could not find certificate named "Server-Cert": PR_FILE_NOT_FOUND_ERROR: File not found
certutil: Server-Cert is neither a key-type nor a nickname nor a key-id: SEC_ERROR_INVALID_ARGS: security library: invalid arguments.
I think you need to see what certs and keys are in /etc/httpd/alias. Sounds like there is no Server-Cert nickname.
certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
(btw https://lists.fedoraproject.org is down)
Related to the Fedora infrastructure move.
rob
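An added example (not part of the thread, and not FreeIPA or NSS project code): a small Python script that parses the kind of certutil -L and certutil -K listings Rob asks for and reports whether a given nickname (here Server-Cert) exists in the database with its private key, plus any orphaned keys. The two listings embedded below are constructed samples modelled on the output posted later in the thread; in practice you would feed in the real command output.

```python
"""Check an NSS certificate database listing for an expected server nickname.

Added example, not from the thread. CERTUTIL_L_SAMPLE and CERTUTIL_K_SAMPLE
are constructed samples in the format printed by
  certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
  certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
"""
import re

# Constructed sample of `certutil -L` output for /etc/httpd/alias.
CERTUTIL_L_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DSTRootCAX3                                                  C,,
CN=main.domain.io                                            u,u,u
letsencryptx3                                                C,,
letsencryptx3                                                C,,
ISRGRootCAX1                                                 C,,
DOMAIN.IO IPA CA                                             CT,C,
"""

# Constructed sample of `certutil -K` output for the same database.
CERTUTIL_K_SAMPLE = """\
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      493a92843c598413e3f50ca923706417821bf392   CN=main.domain.io
< 1> rsa      e946257bb7a486f489287ccd72dab14067eae2b7   CN=main.domain.io
< 2> rsa      8bbe08dd006063eea896aee19f24da6b5f28f348   CN=main.domain.io
< 3> rsa      ac96e477d65db3ba63213332c30ac7733bf70a10   (orphan)
< 4> rsa      b40bea3d28cce1ea7274f8ecf47b2d70f5e0c0c1   CN=main.domain.io
"""

# A cert line is "<nickname>  <spaces>  <trust flags>" where the flags are three
# comma-separated groups (SSL, S/MIME, JAR/XPI), possibly empty.
TRUST_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")
# A key line is "< n> <type> <40-hex key id>  <nickname or (orphan)>".
KEY_RE = re.compile(r"^<\s*(?P<idx>\d+)>\s+(?P<type>\w+)\s+(?P<keyid>[0-9a-f]{40})\s+(?P<nick>.*)$")


def parse_cert_listing(text):
    """Map nickname -> list of trust strings (a nickname may appear more than once)."""
    certs = {}
    for raw in text.splitlines():
        line = raw.rstrip()
        # Skip blank lines and the two header lines certutil prints.
        if not line.strip() or line.startswith("Certificate Nickname") or "SSL,S/MIME" in line:
            continue
        m = TRUST_RE.match(line)
        if m:
            certs.setdefault(m.group("nick").strip(), []).append(m.group("trust"))
    return certs


def parse_key_listing(text):
    """Return one dict per private key reported by certutil -K."""
    keys = []
    for raw in text.splitlines():
        m = KEY_RE.match(raw.strip())
        if m:
            keys.append({"index": int(m.group("idx")), "type": m.group("type"),
                         "keyid": m.group("keyid"), "nickname": m.group("nick").strip()})
    return keys


def orphan_keys(keys):
    """Key ids that certutil reports with no matching certificate."""
    return [k["keyid"] for k in keys if k["nickname"] == "(orphan)"]


def check_nickname(cert_text, key_text, wanted):
    """Summarise whether `wanted` can be used as a server certificate nickname."""
    trust = parse_cert_listing(cert_text).get(wanted, [])
    return {
        "present": bool(trust),
        # A lowercase 'u' in the trust flags means the private key is in this DB.
        "has_private_key": any("u" in t for t in trust),
        "orphan_keys": orphan_keys(parse_key_listing(key_text)),
    }


if __name__ == "__main__":
    print("Server-Cert:", check_nickname(CERTUTIL_L_SAMPLE, CERTUTIL_K_SAMPLE, "Server-Cert"))
    print("CN=main.domain.io:", check_nickname(CERTUTIL_L_SAMPLE, CERTUTIL_K_SAMPLE, "CN=main.domain.io"))
```

Run against the sample this reports that Server-Cert is absent, which is exactly the condition behind the SEC_ERROR_INVALID_ARGS message above, while CN=main.domain.io is present with a key, and one orphaned key is left in the database.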
Ricardo Mendes via FreeIPA-users wrote:
Ok so I don't know what happened the server really did take a long time to come up but it did.
Everything looks pretty much the same. The setup-le.sh command I ran said
The ipa-certupdate command was successful
But I can't see it. I have to start ipa services with --ignore-service-failure and --skip-version-check. When I go to the web I still see the old expired certificate from May 21st.
I tried to run renew-le and I get this error:
# bash renew-le.sh
Error opening Certificate /var/lib/ipa/certs/httpd.crt
140430772283280:error:02001002:system library:fopen:No such file or directory:bss_file.c:402:fopen('/var/lib/ipa/certs/httpd.crt','r')
140430772283280:error:20074002:BIO routines:FILE_CTRL:system lib:bss_file.c:404:
unable to load certificate
Those are the incompatibilities I mentioned. I think if you pop the top one or two commits off then it will start to work again. Look for a commit that's like "switch to mod_ssl" and pop that off.
rob
I think you need to see what certs and keys are in /etc/httpd/alias. Sounds like there is no Server-Cert nickname.
certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
This is the output, and I'm adding getcert list in the end as well.
# certutil -L -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

DSTRootCAX3                                                  C,,
CN=main.domain.io                                            u,u,u
letsencryptx3                                                C,,
letsencryptx3                                                C,,
ISRGRootCAX1                                                 C,,
DOMAIN.IO IPA CA                                             CT,C,

# certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
certutil: Checking token "NSS Certificate DB" in slot "NSS User Private Key and Certificate Services"
< 0> rsa      493a92843c598413e3f50ca923706417821bf392   CN=main.domain.io
< 1> rsa      e946257bb7a486f489287ccd72dab14067eae2b7   CN=main.domain.io
< 2> rsa      8bbe08dd006063eea896aee19f24da6b5f28f348   CN=main.domain.io
< 3> rsa      ac96e477d65db3ba63213332c30ac7733bf70a10   (orphan)
< 4> rsa      b40bea3d28cce1ea7274f8ecf47b2d70f5e0c0c1   CN=main.domain.io
#
# getcert list
Number of certificates and requests being tracked: 7.
Request ID '20190220114014':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=DOMAIN.IO
    subject: CN=main.domain.io,O=DOMAIN.IO
    expires: 2021-02-20 11:40:16 UTC
    principal name: krbtgt/DOMAIN.IO@DOMAIN.IO
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20190819230939':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.IO
    subject: CN=CA Audit,O=DOMAIN.IO
    expires: 2021-02-09 11:36:51 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190819230940':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.IO
    subject: CN=OCSP Subsystem,O=DOMAIN.IO
    expires: 2021-02-09 11:36:48 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190819230941':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.IO
    subject: CN=CA Subsystem,O=DOMAIN.IO
    expires: 2021-02-09 11:36:50 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190819230942':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.IO
    subject: CN=Certificate Authority,O=DOMAIN.IO
    expires: 2039-02-20 11:36:43 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20190819230943':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.IO
    subject: CN=IPA RA,O=DOMAIN.IO
    expires: 2021-02-09 11:37:44 UTC
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20190819230944':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=DOMAIN.IO
    subject: CN=main.domain.io,O=DOMAIN.IO
    expires: 2021-02-09 11:36:49 UTC
    dns: main.domain.io
    key usage: digitalSignature,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
(btw https://lists.fedoraproject.org is down)
Related to the Fedora infrastructure move.
hope all is going well!
Ricardo
freeipa-users@lists.fedorahosted.org
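An added example (not part of the thread, and not certmonger or FreeIPA project code) that parses getcert list output of the shape posted above into records, shows which NSS database each tracked certificate actually points at, and flags certificates close to expiry. The embedded listing is a constructed sample with three of the seven requests and a few fields each; the point it makes is that the only tracked Server-Cert lives in /etc/pki/pki-tomcat/alias, so nothing certmonger tracks explains a Server-Cert in /etc/httpd/alias.

```python
"""Parse `getcert list` output: where each tracked certificate lives and
which ones are close to expiry.

Added example, not from the thread. GETCERT_SAMPLE is a constructed sample
modelled on the listing in the thread; in practice feed in real
`getcert list` output.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output (three requests, trimmed fields).
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190220114014':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    subject: CN=main.domain.io,O=DOMAIN.IO
    expires: 2021-02-20 11:40:16 UTC
    track: yes
    auto-renew: yes
Request ID '20190819230942':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=DOMAIN.IO
    expires: 2039-02-20 11:36:43 UTC
    track: yes
    auto-renew: yes
Request ID '20190819230944':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=main.domain.io,O=DOMAIN.IO
    expires: 2021-02-09 11:36:49 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")


def parse_getcert_list(text):
    """Return one dict per tracked request, keyed by the field names getcert prints."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # summary line before the first request, or a blank line
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return records


def storage_of(record):
    """(location, nickname) of the tracked certificate; nickname is None for FILE storage."""
    cert = record.get("certificate", "")
    loc = re.search(r"location='([^']*)'", cert)
    nick = re.search(r"nickname='([^']*)'", cert)
    return (loc.group(1) if loc else None, nick.group(1) if nick else None)


def tracking_nickname(records, wanted):
    """Requests whose NSS nickname contains `wanted`, with the database they point at."""
    hits = []
    for r in records:
        loc, nick = storage_of(r)
        if nick and wanted in nick:
            hits.append((r["request_id"], loc, nick))
    return hits


def _parse_utc(stamp):
    """Parse getcert's 'YYYY-MM-DD HH:MM:SS UTC' (the ' UTC' suffix is optional)."""
    naive = datetime.strptime(stamp.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def expiring_within(records, now_utc, days):
    """Request IDs whose certificate expires within `days` of `now_utc` (same timestamp format)."""
    now = _parse_utc(now_utc)
    return [r["request_id"] for r in records
            if _parse_utc(r["expires"]) - now <= timedelta(days=days)]


if __name__ == "__main__":
    recs = parse_getcert_list(GETCERT_SAMPLE)
    print("tracking Server-Cert:", tracking_nickname(recs, "Server-Cert"))
    print("in /etc/httpd/alias:", [r["request_id"] for r in recs if storage_of(r)[0] == "/etc/httpd/alias"])
    print("expiring within 30 days of 2021-01-25:", expiring_within(recs, "2021-01-25 00:00:00 UTC", 30))
```

The expiry check takes a reference time rather than reading the clock so the same listing can be replayed against the date of the thread; in a monitoring job you would pass the current UTC time and alert on any non-empty result, with the CA-signing request (2039) naturally staying out of the list.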