Manuel Gujo via FreeIPA-users wrote:
Hi,
I've retried moving the date to three weeks before 2020-12-08 and renewing the cert manually:
# ipa-getcert resubmit -i "ID"
Resubmitting "20201102185036" to "dogtag-ipa-ca-renew-agent".
Here's one of the output logs from journalctl -xe:
# journalctl -xe
nov 17 18:08:27 ipa1.itec.lab certmonger[27108]: 2020-11-17 18:08:27 [27108] Internal error
nov 17 18:08:29 ipa1.itec.lab dogtag-ipa-ca-renew-agent-submit[28053]: Traceback (most recent call last):
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 533, in <module>
    sys.exit(main())
  File "/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit", line 507, in main
    kinit_keytab(principal, paths.KRB5_KEYTAB, ccache_filename)
  File "/usr/lib/python2.7/site-packages/ipalib/install/kinit.py", line 47, in kinit_keytab
    cred = gssapi.Credentials(name=name, store=store, usage='initiate')
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 64, in __new__
    store=store)
  File "/usr/lib64/python2.7/site-packages/gssapi/creds.py", line 148, in acquire
    usage)
  File "ext_cred_store.pyx", line 182, in gssapi.raw.ext_cred_store.acquire_cred_from (gssapi/raw/ext_cred
GSSError: Major (851968): Unspecified GSS failure. Minor code may provide more information, Minor (252963
Now all the certs (except the Kerberos and CA ones) are in status: CA_UNREACHABLE.
The CA cert is in status: NEED_CSR_GEN_PIN.
When you are moving back in time are you bringing the IPA services back up? You need to do this manually if you have an NTP server enabled (which it is by default).
At minimum you need to restart, in order, dirsrv.target, krb5kdc, named, httpd, pki-tomcatd. If you restart certmonger it may kick off the renewals for you (or it might not).
If you can get the services running back in time then run ipa config-show to determine whether this server is configured as the CA renewal server. Only one in the cluster will have this role and the renewals need to take place on that server. If this one isn't it and none of the others report it then you can run: ipa config-mod --ca-renewal-master-server=<fqdn>
As Flo said the NEED_CSR_GEN_PIN is from your using ipa-cacert-manage. It doesn't affect anything in the short term.
rob
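An added helper script for the steps in Rob's reply (example code, not from the thread and not FreeIPA's own tooling): it restarts the services in the order he lists, picks the renewal master out of ipa config-show output so you can compare it with the local host, and summarizes getcert list request states. It assumes the systemd unit names as given above, that ipa config-show prints a line labelled "IPA CA renewal master" and that getcert list prints one "status:" line per request; the sample outputs below are constructed, not captured from the poster's system.

```shell
#!/bin/sh
# Restart the IPA services in the order given in the reply; stop at the first failure.
restart_ipa_services() {
    for svc in dirsrv.target krb5kdc named httpd pki-tomcatd; do
        systemctl restart "$svc" || return 1
    done
}

# Read `ipa config-show` text on stdin and print the CA renewal master FQDN.
# Assumes the field label "IPA CA renewal master" (assumption, not from the thread).
renewal_master_from() {
    awk -F': ' '/IPA CA renewal master/ { print $2; exit }'
}

# Return 0 when the given host is the renewal master, 1 otherwise.
# Usage: is_renewal_master "$(ipa config-show | renewal_master_from)" "$(hostname -f)"
is_renewal_master() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# Read `getcert list` text on stdin and print "<STATE> <count>" per certmonger state,
# so CA_UNREACHABLE vs NEED_CSR_GEN_PIN vs MONITORING can be seen at a glance.
status_summary_from() {
    awk -F': ' '/^[[:space:]]*status:/ { n[$2]++ } END { for (s in n) print s, n[s] }' | sort
}

# Constructed sample output (not real captures) for trying the parsers offline.
SAMPLE_CONFIG_SHOW='Maximum username length: 32
IPA CA renewal master: ipa1.itec.lab
IPA masters: ipa1.itec.lab, ipa2.itec.lab'

SAMPLE_GETCERT_LIST="Request ID '20201102185036':
    status: CA_UNREACHABLE
    stuck: no
Request ID '20201102185040':
    status: NEED_CSR_GEN_PIN
    stuck: no
Request ID '20201102185041':
    status: CA_UNREACHABLE
    stuck: no"

# Offline demo against the constructed samples; on a real server replace the
# printf pipelines with `ipa config-show | ...` and `getcert list | ...`.
demo() {
    printf 'renewal master: %s\n' "$(printf '%s\n' "$SAMPLE_CONFIG_SHOW" | renewal_master_from)"
    printf '%s\n' "$SAMPLE_GETCERT_LIST" | status_summary_from
}
```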