Sayfiddin, Farhad via FreeIPA-users wrote:
We have two replica servers sl1mmgplidm0001/2.
sl1mmgplidm0001 is functioning as the CRL master and has no issues.
[root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
IPA CA renewal master: sl1mmgplidm0001
[root@sl1mmgplidm0001 ~]#
[root@sl1mmgplidm0001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0001 ~]#
sl1mmgplidm0002 is having an issue where the pki-tomcat process would not start due to an expired cert. It has a CA_UNREACHABLE error:
[root@sl1mmgplidm0002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0002 ~]#
[root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
Request ID '20170214143200':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA
subject: CN=sl1mmgplidm0002,O=IPA
expires: 2019-01-08 20:16:52 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
[root@sl1mmgplidm0002 ~]#
Tried running the renew_ca_cert command and "getcert resubmit -i" with no luck.
Don't run ipa-cacert-manage renew. It renews only the root CA cert, which won't help here.
We need to see the full output of getcert list to see what status each of the certs is in.
You might also try this: https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authent...
rob
Here is the full output of getcert list:
[root@sl1mmgplidm0002 ~]# getcert list Number of certificates and requests being tracked: 8. Request ID '20170214143155': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=CA Audit,O=IPA.GEN.ZONE expires: 2020-12-01 18:52:55 UTC key usage: digitalSignature,nonRepudiation pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170214143156': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE expires: 2020-12-01 18:52:54 UTC eku: id-kp-OCSPSigning pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170214143157': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=CA Subsystem,O=IPA.GEN.ZONE expires: 2020-12-01 18:53:15 UTC key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170214143158': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=Certificate Authority,O=IPA.GEN.ZONE expires: 2037-01-18 20:02:36 UTC key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca" track: yes auto-renew: yes Request ID '20170214143159': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB' CA: dogtag-ipa-ca-renew-agent issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=IPA RA,O=IPA.GEN.ZONE expires: 2020-12-01 18:52:44 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert track: yes auto-renew: yes Request ID '20170214143200': status: CA_UNREACHABLE ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. 
stuck: no key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB' CA: dogtag-ipa-renew-agent issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE expires: 2019-01-08 20:16:52 UTC key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca" track: yes auto-renew: yes Request ID '20170214143201': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt' certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE expires: 2020-12-23 03:40:21 UTC principal name: ldap/sl1mmgplidm0002.ipa.gen.zone@IPA.GEN.ZONE key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE track: yes auto-renew: yes Request ID '20170214143202': status: MONITORING stuck: no key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt' certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB' CA: IPA issuer: CN=Certificate Authority,O=IPA.GEN.ZONE subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE expires: 2020-12-23 03:40:31 UTC principal name: 
HTTP/sl1mmgplidm0002.ipa.gen.zone@IPA.GEN.ZONE key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment eku: id-kp-serverAuth,id-kp-clientAuth pre-save command: post-save command: /usr/libexec/ipa/certmonger/restart_httpd track: yes auto-renew: yes
I already tried this solution, with no luck:
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authent...
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L
Certificate Nickname Trust Attributes SSL,S/MIME,JAR/XPI
Server-Cert u,u,u
ipaCert u,u,u
IPA.GEN.ZONE IPA CA CT,C,C
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t ',,'
[root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE IPA CA' -t 'CT,C,C'
The curl command still fails:
[root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0* About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0) * Trying 172.20.0.36... * Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443 (#0) * Initializing NSS with certpath: sql:/etc/httpd/alias/ * CAfile: /etc/ipa/ca.crt CApath: none * Server certificate: * subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE * start date: Jan 18 20:16:52 2017 GMT * expire date: Jan 08 20:16:52 2019 GMT * common name: sl1mmgplidm0002.ipa.gen.zone * issuer: CN=Certificate Authority,O=IPA.GEN.ZONE * NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE) * Peer's Certificate has expired. 0 0 0 0 0 0 0 0 --:--:-- --:--:-- --:--:-- 0 * Closing connection 0 curl: (60) Peer's Certificate has expired. More details here: http://curl.haxx.se/docs/sslcerts.html
curl performs SSL certificate verification by default, using a "bundle" of Certificate Authority (CA) public keys (CA certs). If the default bundle file isn't adequate, you can specify an alternate file using the --cacert option. If this HTTPS server uses a certificate signed by a CA represented in the bundle, the certificate verification probably failed due to a problem with the certificate (it might be expired, or the name might not match the domain name in the URL). If you'd like to turn off curl's verification of the certificate, use the -k (or --insecure) option.
-----Original Message----- From: Rob Crittenden rcritten@redhat.com Sent: Thursday, June 13, 2019 4:08 PM To: FreeIPA users list freeipa-users@lists.fedorahosted.org Cc: Sayfiddin, Farhad fsayfiddin@tkcholdings.com Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process would not start
Sayfiddin, Farhad via FreeIPA-users wrote:
We have two replica servers sl1mmgplidm0001/2.
sl1mmgplidm0001 is functioning as the CRL master and has no issues.
[root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
IPA CA renewal master: sl1mmgplidm0001
[root@sl1mmgplidm0001 ~]#
[root@sl1mmgplidm0001 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: RUNNING
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0001 ~]#
sl1mmgplidm0002 is having an issue where the pki-tomcat process would not start due to an expired cert. It has a CA_UNREACHABLE error:
[root@sl1mmgplidm0002 ~]# ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
ipa_memcached Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
pki-tomcatd Service: STOPPED
smb Service: RUNNING
winbind Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
[root@sl1mmgplidm0002 ~]#
[root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
Request ID '20170214143200':
status: CA_UNREACHABLE
ca-error: Error 60 connecting to https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-renew-agent
issuer: CN=Certificate Authority,O=IPA
subject: CN=sl1mmgplidm0002,O=IPA
expires: 2019-01-08 20:16:52 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
[root@sl1mmgplidm0002 ~]#
Tried running the renew_ca_cert command and "getcert resubmit -i" with no luck.
Don't run ipa-cacert-manage renew. It renews only the root CA cert, which won't help here.
We need to see the full output of getcert list to see what status each of the certs is in.
You might also try this: https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authent...
rob