On 10/20/18 5:40 AM, None via FreeIPA-users wrote:
Thanks Flo.
[1] Service pki-tomcatd(a)pki-tomcat.service is active (running)
[2] /var/log/pki/pki-tomcat/ca/debug reads among others:
- SSL handshake happened
- Could not connect to LDAP server host ca-ldap03.us.domain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
- Internal Database Error encountered: Could not connect to LDAP server host ca-ldap03.us.domain.com port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
I believe 48 is LDAP_INAPPROPRIATE_AUTH
[3] /var/log/ipa/ipactl.log reads:
- Failed to check CA status: cannot connect to 'http://ca-ldap03.us.domain.com:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
- Waiting until the CA is running
- request POST http://ca-ldap03.us.domain.com:8080/ca/admin/ca/getStatus
- request body ''
- The CA status is: check interrupted due to error: cannot connect to 'http://ca-ldap03.us.domain.com:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
- Waiting for CA to start...
- request POST http://ca-ldap03.us.domain.com:8080/ca/admin/ca/getStatus
- request body ''
- The CA status is: check interrupted due to error: cannot connect to 'http://ca-ldap03.us.domain.com:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
[4] list of certificates
# getcert list | egrep -e status -e expire -e certificate
Number of certificates and requests being tracked: 6.
status: CA_WORKING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:38 UTC
status: CA_WORKING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:35 UTC
status: CA_WORKING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-08-14 20:49:36 UTC
status: MONITORING
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
expires: 2036-08-24 20:49:35 UTC
status: CA_UNREACHABLE
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
expires: 2018-11-02 14:48:48 UTC
status: CA_WORKING
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
expires: 2018-08-14 20:50:00 UTC
Hi,
many certificates are expired and failed to renew. CA_WORKING means that
the host is not the renewal master, and is trying to download the
certificates from LDAP (PKI certs are renewed first on the renewal
master, which in turn puts them in the LDAP store, and the replicas
download them from LDAP).
You need first to identify who is the renewal master in your topology:
# kinit admin
# ipa config-show | grep 'IPA CA renewal master'
  IPA CA renewal master: hostx.domain.com
(The command should return a single host, and this host must be active).
- If this node is still available, you will need to fix this one first
(check that all certificates are still valid, or fix the renewal).
- If this node is not available anymore in your topology, you will need
to select another master and move the renewal master role to this
selected master, see [1]. The next step is to fix the renewal on this node.
HTH,
flo
[1]
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/...
[5] journalctl -u certmonger --since yesterday
ca-ldap03.us.domain.com ipa-submit[1435]: GSSAPI client step 2
ca-ldap03.us.domain.com certmonger[963]: 2018-10-18 16:25:52 [963] Error 7 connecting to https://ca-ldap03.us.domain.com:8443/ca/agent/ca/pro
ca-ldap03.us.domain.com python2[1409]: GSSAPI client step 1
[6] LDAP and HTTPD certs are issued by DigiCert, if that matters here.
So I guess something needs to be done to resolve [4]?
Thanks in advance. Zarko
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org