Hello again
I was so hoping for the story to end, but nope.
ipa-cert-fix managed to renew one of the certs
but failed on the following ones
Enter "yes" to proceed: yes
Proceeding.
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=pki-server cert-fix --ldapi-socket
/var/run/slapd-...socket --agent-uid ipara --cert subsystem --cert
ca_ocsp_signing --extra-cert 268304408 --extra-cert 268304410
ipapython.ipautil: DEBUG: Process finished, return code=1
ipapython.ipautil: DEBUG: stdout=ERROR: [SSL:
SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
ipapython.ipautil: DEBUG: stderr=INFO: Loading password config:
/etc/pki/pki-tomcat/password.conf
INFO: Fixing the following system certs: ['subsystem',
'ca_ocsp_signing']
INFO: Renewing the following additional certs: ['268304408',
'268304410']
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Stopping the instance to proceed with system cert renewal
INFO: Configuring LDAP password authentication
INFO: Setting pkidbuser password via ldappasswd
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Selftests disabled for subsystems: ca
INFO: Resetting password for uid=ipara,ou=people,o=ipaca
SASL/EXTERNAL authentication started
SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
SASL SSF: 0
INFO: Starting the instance
INFO: Sleeping for 10 seconds to allow server time to start...
INFO: Requesting new cert for subsystem
INFO: Getting subsystem cert info for ca
INFO: Trying to setup a secure connection to CA subsystem.
INFO: Starting new HTTPS connection (1): myhost.com
INFO: Stopping the instance
INFO: Selftests enabled for subsystems: ca
INFO: Restoring previous LDAP configuration
ipapython.admintool: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 128, in run
    replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 251, in replicate_dogtag_certs
    cert = x509.load_certificate_from_file(cert_path)
  File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 425, in load_certificate_from_file
    with open(filename, mode='rb') as f:
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: IOError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
The CSR for subsystem was added according to https://access.redhat.com/solutions/4852721
At the time of the above failure, in /var/log/pki/pki-tomcat/ca/debug:
[20/May/2022:07:43:59][localhost-startStop-1]: Certutils.verifySystemCertValidityByNickname: failed : java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca
[20/May/2022:07:43:59][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca
[20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event CIMC_CERT_VERIFICATION
[20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event CIMC_CERT_VERIFICATION
java.lang.Exception: Certutils.verifySystemCertValidityByNickname: faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca
        at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
Nothing else suspicious.
Which certificate was re-issued successfully?
It appears that pki-server cert-fix, for which IPA is a wrapper, failed
to connect to the server. Whether the OCSP cert errors are related or
not, I don't know. Does that cert exist in your PKI NSS database?
rob
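A small triage script that answers the two questions raised in this thread before re-running ipa-cert-fix: which system cert nicknames Dogtag refused to verify in /var/log/pki/pki-tomcat/ca/debug, and which of the .crt files the wrapper later tries to load are absent. This is an added example, not FreeIPA or Dogtag code; it assumes that system cert nicknames end in " cert-pki-ca" and that ipa-cert-fix expects /etc/pki/pki-tomcat/certs/<name>.crt for every --cert <name> (subsystem.crt is the one the traceback shows). The sample log is constructed from the lines quoted above.

```python
"""Triage helper for the ipa-cert-fix failure discussed in this thread.

Assumptions (not from the thread): system cert nicknames end in
" cert-pki-ca", and ipa-cert-fix expects /etc/pki/pki-tomcat/certs/<name>.crt
for every --cert <name> it hands to pki-server cert-fix.
"""
import os
import re

CERT_DIR = "/etc/pki/pki-tomcat/certs"

# Dogtag logs the failing nickname after "failed: nickname:"; the quoted log
# also shows the misspelling "faliled", so both are accepted.  Nicknames are
# assumed to end in " cert-pki-ca" so the match stops before a glued "cause:".
_NICK_RE = re.compile(
    r"verifySystemCertValidityByNickname:\s*fa(?:i|li)led\s*:\s*nickname:\s*"
    r"(?P<nick>\S+ cert-pki-ca)"
)


def failed_nicknames(log_text):
    """Return the distinct system-cert nicknames Dogtag refused to verify."""
    return sorted({m.group("nick") for m in _NICK_RE.finditer(log_text)})


def missing_cert_files(cert_names, cert_dir=CERT_DIR):
    """Paths ipa-cert-fix will try to load that do not exist (yet)."""
    paths = [os.path.join(cert_dir, name + ".crt") for name in cert_names]
    return [p for p in paths if not os.path.isfile(p)]


def triage(log_text, cert_names, cert_dir=CERT_DIR):
    """Both checks in one report: what Dogtag rejected, what IPA cannot load."""
    return {
        "failed_nicknames": failed_nicknames(log_text),
        "missing_cert_files": missing_cert_files(cert_names, cert_dir),
    }


# Constructed sample: the two debug lines quoted in the thread, unwrapped.
SAMPLE_LOG = (
    "[20/May/2022:07:43:59][localhost-startStop-1]: Certutils.verifySystemCert"
    "ValidityByNickname: failed : java.lang.Exception: Certutils.verifySystem"
    "CertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca\n"
    "[20/May/2022:07:43:59][localhost-startStop-1]: CertUtils: verifySystemCerts"
    "ByTag() failed: java.lang.Exception: Certutils.verifySystemCertValidityBy"
    "Nickname: faliled: nickname: ocspSigningCert cert-pki-cacause: ...\n"
)

if __name__ == "__main__":
    print(triage(SAMPLE_LOG, ["subsystem", "ca_ocsp_signing"]))
```

Run it against the real debug log with `triage(open("/var/log/pki/pki-tomcat/ca/debug").read(), ["subsystem", "ca_ocsp_signing"])`; a nickname in `failed_nicknames` is the cert to inspect with `certutil -L -d /etc/pki/pki-tomcat/alias` before retrying.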