Serge Krawczenko via FreeIPA-users wrote:
Thank you, Florence
Things are getting worse...
I'm on the following version and CentOS 7 and two replicas
sh-4.2# ipa --version
VERSION: 4.6.8, API_VERSION: 2.237
ipa-cert-fix fails with The ipa-cert-fix command failed, exception:
RuntimeError: Failed to get Server-Cert
Indeed, it isn't present in /etc/httpd/alias, though it is still present
in /etc/pki/pki-tomcat/alias
How did you confirm this, using certutil? I assume the httpd process
won't start?
Is the key there:
certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
Is there certmonger tracking for it?
getcert list -d /etc/httpd/alias
If there is then you can get a copy of the certificate from
/var/lib/certmonger/requests and try re-installing it with certutil.
Though later you say you can start everything with a date in the past so
this is confusing.
I went through the suggested document and nothing seems to work.
Manual renew via ipa-getcert resubmit also fails with different errors
such as
status: MONITORING
ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess"
replied: 1: Request 9980034 Not Found
On which certificate?
status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm ...
This can happen if all of IPA is not running. certmonger uses the host
keytab to authenticate to the IPA API.
rob
I have serious concerns if I can get the cluster back to life.
I still manage to revert system time to the point before expiration and
have all the IPA services running.
However I'm just disoriented at the moment what to fix first, the fact
that certificates were not renewed isn't definitely the root cause.
Thanks a lot
On Tue, May 17, 2022 at 3:18 PM Florence Blanc-Renaud <flo@redhat.com> wrote:
Hi,
On Mon, May 16, 2022 at 5:19 PM Serge Krawczenko via FreeIPA-users
<freeipa-users@lists.fedorahosted.org> wrote:
Greetings, all
I've been observing multiple issues for some time, unable to
enroll new clients etc.
Finally found out that the possible root cause is the
expired Server-Cert cert-pki-ca and therefore pki-tomcat service
won't start
Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/
Request ID '20171204131518':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=....
subject: CN=....
expires: 2022-04-25 17:06:51 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
Other certs in /etc/pki/pki-tomcat/alias/ seem to be ok but
this one.
which IPA version do you have? The tool ipa-cert-fix was introduced
with ipa 4.7.3+ and may help you solve certificate renewal issues.
But before you start anything, please make sure to identify which
server is your CA renewal master and follow the instructions from
https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/...
flo
I'd like to understand how to perform the forced update for this
one, I assume it must be renewed automatically though
I tried to invoke post-save command manually but no luck.
Appreciate any ideas
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
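The diagnostic steps in this thread (read the certmonger tracking record, check "expires", check "status" and "ca-error") can be turned into a small triage script. The following is an added example, not code from the thread, from FreeIPA or from certmonger: it parses the text that `getcert list` prints, flags requests whose certificate is already expired or close to expiry, and flags requests that are not in MONITORING state or carry a ca-error. The embedded sample output is constructed to mirror the record quoted above; the hostnames, the realm and the second request are made up. Note that the first sample record is reported as MONITORING even though it expired weeks ago, exactly the situation in the thread, so status alone is not a sufficient health check.

```python
"""Triage `getcert list` output for expired / stuck certmonger requests.

Added example for this thread; not part of FreeIPA or certmonger.
Run it against real output with:  getcert list | python3 triage.py
"""
import re
import sys
from datetime import datetime, timezone

# Constructed sample, modelled on the record quoted in the thread.
# Names, realm, dates and the second request are made up.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20171204131518':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2022-04-25 17:06:51 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20171204131530':
	status: CA_UNREACHABLE
	ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm EXAMPLE.TEST
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=EXAMPLE.TEST
	subject: CN=ipa.example.test,O=EXAMPLE.TEST
	expires: 2023-01-10 09:00:00 UTC
	track: yes
	auto-renew: yes
"""


def parse_getcert(text):
    """Return one dict per "Request ID" block, keyed by certmonger's field
    names (status, ca-error, expires, certificate, ...)."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header lines such as "Number of certificates ..."
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return records


def parse_expiry(value):
    """certmonger prints e.g. '2022-04-25 17:06:51 UTC'; return aware UTC."""
    naive = datetime.strptime(value.replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)


def storage_field(record, name):
    """Pull nickname='...' or location='...' out of the certificate line."""
    m = re.search(name + r"='([^']*)'", record.get("certificate", ""))
    return m.group(1) if m else None


def triage(text, now="2022-05-17 00:00:00 UTC", warn_days=30):
    """Return a finding per request: where the cert lives, days until expiry
    (negative when already expired) and a list of problems found."""
    now_dt = parse_expiry(now)
    findings = []
    for r in parse_getcert(text):
        problems = []
        days_left = None
        if "expires" in r:
            expires = parse_expiry(r["expires"])
            days_left = (expires - now_dt).days
            if expires <= now_dt:
                problems.append("expired")
            elif days_left < warn_days:
                problems.append("expires in %d days" % days_left)
        if r.get("status") != "MONITORING":
            problems.append("status %s" % r.get("status"))
        if "ca-error" in r:
            problems.append("ca-error: " + r["ca-error"])
        findings.append({
            "request_id": r["request_id"],
            "nickname": storage_field(r, "nickname"),
            "location": storage_field(r, "location"),
            "days_left": days_left,
            "problems": problems,
        })
    return findings


if __name__ == "__main__":
    # Use stdin if piped in, otherwise the constructed sample above.
    source = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    now = datetime.now(timezone.utc).strftime("%Y-%m-%d %H:%M:%S UTC")
    for f in triage(source, now=now if source is not SAMPLE else "2022-05-17 00:00:00 UTC"):
        flag = "PROBLEM" if f["problems"] else "ok"
        print("%s %s %s in %s (%s days): %s" % (
            flag, f["request_id"], f["nickname"], f["location"],
            f["days_left"], "; ".join(f["problems"]) or "-"))
```

The reference time is passed in as a string in certmonger's own date format so the same function works for the embedded sample (pinned to the date of this thread) and for live output. Pair the result with `certutil -K -d <location> -f <pinfile>` on any flagged request to confirm the private key is still in the NSS database, which is the check Rob asks for above.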