I came to the team new and don't know the background as to what all had been done, and recently we started getting one issue in the DR environment. Using IPA 3.0.0 in both PROD/DR.

While trying to delete a host using the IPA UI or CLI, it is giving an SSL error in DR (working in Prod):

    cannot connect to 'https://hostname:443/ca/agent/ca/displayBySerial': (SSL_ERROR_BAD_CERT_ALERT) SSL peer cannot verify your certificate.

I set debug mode and on making a request (ipa ping), I can see the below error:

    ipa: INFO: Connection to https:hostname/ipa/xml failed with (SSL_ERROR_RX_RECORD_TOO_LONG) SSL received a record that exceeded the maximum permissible length.
    ipa: ERROR: cannot connect to Gettext('any of the configured servers', domain='ipa', localedir=None): https://hostname, https:hostname1/ipa/xml
On troubleshooting, came across this (https://www.freeipa.org/page/Troubleshooting#Authentication_Errors). Ran the below on DR:

    # getcert list -d /etc/httpd/alias -n ipaCert
    Request ID '20170303094036':
        status: MONITORING
        stuck: no

OK, till here, it means the certificate nicknamed ipaCert is being managed by Certmonger.

If it isn't in MONITORING, or it is and things still aren't working, compare the serial number of the certificate with that on other IPA masters:

    # certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
    certutil: Could not find cert: ipaCert : PR_FILE_NOT_FOUND_ERROR: File not found

So, something is wrong here. In PROD, it works fine:

    [root@ProdHostName ~]# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
    Serial Number: 7 (0x7)
Further, investigating the issue on DR:

On DR:

    [root@DRHostName ipacerts]# certutil -L -d /etc/httpd/alias

    Certificate Nickname                        Trust Attributes
                                                SSL,S/MIME,JAR/XPI

    Internal_Issuing_CA                         CT,C,C
    Internal_Root_CA                            CT,C,C
    DRHostName                                  u,u,u

On PROD:

    [root@ProdHostName ~]# certutil -L -d /etc/httpd/alias

    Certificate Nickname                        Trust Attributes
                                                SSL,S/MIME,JAR/XPI

    FQDN IPA CA                                 CT,C,C
    ipaCert                                     u,u,u
    Signing-Cert                                u,u,u
    Server-Cert                                 u,u,u

I am not sure, but the certificate 'ipaCert' not being shown by the 'certutil' command seems to be the issue. I need guidance to understand whether my investigation is on the right track and, if yes, how to resolve this. Will be happy to provide the output of any command or log file.
Thanks, Amit.
certmonger only checks existence of certificates when tracking is started. It otherwise maintains its own state and doesn't check the contents of the NSS database until it is needed which explains why certmonger is managing a cert that isn't there: it was removed from the Apache NSS database sometime after tracking was started.
I don't know what DR means. Is this a separate environment from your production (PROD) with its own CA, etc?
Is there just a single master or are there multiples in each environment?
You might look in /etc/httpd/alias to see if someone in the past backed up or moved the original databases.
rob
By PROD/DR, I meant Production/Disaster Recovery environment. And yes, there are two IPA servers in both the PROD and DR environments.

Also, came across the fact that while in PROD, SSL was implemented using self-signed certs (where things are working), in the DR environment CA-signed certs were used later for the SSL implementation.

Is there a chance something went wrong in the SSL implementation (using CA-signed certs) and is resulting in this issue?

What can we do to resolve this issue?

We were thinking of two options, if the above is true:
a. a possible workaround, if there is one, to fix this
b. if "a" is not possible, revert to self-signed-cert SSL

What do you suggest?
I need more information on your environment. Are PROD and DR completely separately installed IPA environments or do you just treat them as separate?
From your original e-mail (completely stripped out of your response) it looked like the reverse of what you just said. PROD was using an IPA CA and DR was using self-signed certs.
The underlying reason for the error is that on DR the NSS database was replaced with a new one containing only self-signed certs. When a host or service with a cert is deleted and a CA is configured IPA will attempt to revoke the cert. This is where it is failing for you, because ipaCert (the RA agent cert used to talk to dogtag) is completely missing.
rob
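Rob's two points come down to one check: certmonger's "status: MONITORING" only reflects its own state from when tracking started, and host deletion fails on DR because the RA agent cert ipaCert is gone from the Apache NSS database even though certmonger still tracks it. Below is an added example, not from this thread or from the FreeIPA project, of a POSIX shell script that parses the output of the two commands used above (`getcert list -d <dir>` and `certutil -L -d <dir>`) and reports every nickname that certmonger tracks in a database but that the database no longer contains. The embedded sample outputs are constructed to mimic the DR and PROD listings in the thread; the CA nickname "EXAMPLE.COM IPA CA", the request IDs and the second database path are placeholders. On a real master you feed it live command output, as shown in the comment at the end.

```shell
#!/bin/sh
# Added example (not from the thread or the FreeIPA project): cross-check the
# nicknames certmonger tracks in an NSS database against what the database
# actually contains. certmonger only verifies the certificate when tracking
# starts, so "status: MONITORING" can persist after the cert was removed.

# Constructed sample in the format of `certutil -L -d <dir>`, modelled on the
# DR listing in the thread (the real listing was redacted).
SAMPLE_CERTUTIL_DR=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

Internal_Issuing_CA                                          CT,C,C
Internal_Root_CA                                             CT,C,C
DRHostName                                                   u,u,u
EOF
)

# Constructed sample in the format of `getcert list -d <dir>`; request ID is a
# placeholder. certmonger still claims to track ipaCert in this database.
SAMPLE_GETCERT_DR=$(cat <<'EOF'
Number of certificates and requests being tracked: 1.
Request ID '20170303094036':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: IPA
EOF
)

# Constructed healthy listing modelled on PROD; "EXAMPLE.COM IPA CA" stands in
# for the redacted CA nickname (nicknames may contain spaces).
SAMPLE_CERTUTIL_PROD=$(cat <<'EOF'
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.COM IPA CA                                           CT,C,C
ipaCert                                                      u,u,u
Signing-Cert                                                 u,u,u
Server-Cert                                                  u,u,u
EOF
)

# Constructed tracking list for PROD; the last entry lives in a different
# (placeholder) database and must be ignored when checking /etc/httpd/alias.
SAMPLE_GETCERT_PROD=$(cat <<'EOF'
Request ID '20170303094036':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
Request ID '20170303094037':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
Request ID '20170303094038':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
EOF
)

# Read `certutil -L` output on stdin, print one nickname per line. The trust
# attribute column (u,u,u / CT,C,C / ,,) is the last field; all fields before
# it form the nickname. Header lines never end in such a field.
certutil_nicknames() {
    awk 'NF >= 2 && $NF ~ /^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$/ {
        $NF = ""; sub(/[ \t]+$/, ""); print
    }'
}

# Read `getcert list` output on stdin, print the nicknames of certificates
# certmonger tracks whose NSS database location equals $1.
getcert_tracked_nicknames() {
    awk -v dir="$1" -v q="'" '
        /^[ \t]*certificate: type=NSSDB,/ {
            loc = $0;  sub(".*location=" q, "", loc);  sub(q ".*", "", loc)
            nick = $0; sub(".*nickname=" q, "", nick); sub(q ".*", "", nick)
            if (loc == dir) print nick
        }'
}

# $1 = NSS db directory, $2 = certutil -L output, $3 = getcert list output.
# Prints every nickname tracked in $1 that is not present in the database.
tracked_but_missing() {
    db_nicks=$(printf '%s\n' "$2" | certutil_nicknames)
    printf '%s\n' "$3" | getcert_tracked_nicknames "$1" | while IFS= read -r nick; do
        printf '%s\n' "$db_nicks" | grep -Fqx -- "$nick" || printf '%s\n' "$nick"
    done
}

# Human-readable summary; returns 1 when certmonger and the database disagree.
report_nss_tracking() {
    missing=$(tracked_but_missing "$1" "$2" "$3")
    if [ -n "$missing" ]; then
        printf 'tracked by certmonger but absent from %s:\n%s\n' "$1" "$missing"
        return 1
    fi
    printf 'all certmonger-tracked certificates are present in %s\n' "$1"
}

# Demo on the constructed samples. On a real master use live output instead:
#   report_nss_tracking /etc/httpd/alias \
#     "$(certutil -L -d /etc/httpd/alias)" "$(getcert list -d /etc/httpd/alias)"
report_nss_tracking /etc/httpd/alias "$SAMPLE_CERTUTIL_DR"   "$SAMPLE_GETCERT_DR"   || :
report_nss_tracking /etc/httpd/alias "$SAMPLE_CERTUTIL_PROD" "$SAMPLE_GETCERT_PROD"
```

Run against the DR sample the script reports ipaCert as tracked but absent, which is exactly the state Rob describes: the database was replaced after tracking started, so certmonger keeps saying MONITORING while Apache has no RA agent cert to present to dogtag. A non-empty result therefore points at the database, not at certmonger, and the next step is the one Rob suggests, looking in that directory for a backed-up or moved original database.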
freeipa-users@lists.fedorahosted.org