> sh-4.2# ipa --version
> VERSION: 4.6.8, API_VERSION: 2.237
>
> ipa-cert-fix fails with The ipa-cert-fix command failed, exception:
> RuntimeError: Failed to get Server-Cert
> Indeed, it isn't present in /etc/httpd/alias, though it is still present
> in /etc/pki/pki-tomcat/alias
How did you confirm this, using certutil? I assume the httpd process
won't start?
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
httpd process started, but I didn't mention (sorry) I have Let's Encrypt certs for httpd installed via ipa-server-certinstall.
Could this be the reason why the internal certs were not updated?
Here's all I have in /etc/httpd/alias
certutil -L -d /etc/httpd/alias/
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
<mydomain> IPA CA CT,C,C
CN=R3,O=Let's Encrypt,C=US C,,
<mydomain> IPA CA CT,C,C
CN=ISRG Root X1,O=Internet Security Research Group,C=US C,,
<mydomain> IPA CA CT,C,C
CN=<mydomain> u,u,u (letsencrypt for my domain)
Yes, using certutil I can see the absence of Server-Cert in /etc/httpd/alias.
Also, for some reason, when trying to
getcert list -d /etc/httpd/alias
I'm only getting this, without a detailed list:
Number of certificates and requests being tracked: 8.
While on
getcert list -d /etc/pki/pki-tomcat/alias
outputs all the certificates and status
Is the key there:
certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
I have the key and I have "Server-Cert cert-pki-ca" in /etc/pki/pki-tomcat/alias.
I've even exported "Server-Cert cert-pki-ca" off the /etc/pki/pki-tomcat/alias and imported it into
/etc/httpd/alias using pk12util.
Still, ipa-cert-fix is unable to find it:
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.admintool: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
return_value = self.run()
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 100, in run
certs, extra_certs = expired_certs(now)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 142, in expired_certs
return expired_dogtag_certs(now), expired_ipa_certs(now)
File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 191, in expired_ipa_certs
cert = db.get_cert('Server-Cert')
File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in get_cert
raise RuntimeError("Failed to get %s" % nickname)
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
Is there certmonger tracking for it?
getcert list -d /etc/httpd/alias
If there is then you can get a copy of the certificate from
/var/lib/certmonger/requests and try re-installing it with certutil.
Though later you say you can start everything with a date in the past so
this is confusing.
The certmonger service is running and attempts to renew certificates permanently, but fails.
I can see requests for valid IDs in /var/lib/certmonger/requests, but they are still not processed (probably my attempts to resubmit manually).
> I went through the suggested document and nothing seems to work.
>
> Manual renew via ipa-getcert resubmit also fails with different errors
> such as
> status: MONITORING
> ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess"
> replied: 1: Request 9980034 Not Found
On which certificate?
Request ID '20171204131516':
status: MONITORING
ca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent-selfsigned
expires: 2041-12-28 08:53:41 UTC
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
And there are no errors for the others in /etc/pki/pki-tomcat/alias.
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using
> default keytab: Cannot contact any KDC for realm ...
This can happen if all of IPA is not running. certmonger uses the host
keytab to authenticate to the IPA API.
OK, we ignore this for now.
The certificates which were not renewed are:
"ocspSigningCert cert-pki-ca"
"subsystemCert cert-pki-ca"
"Server-Cert cert-pki-ca"
What else should I try?
rob
Great thanks
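The traceback in the thread shows that ipa-cert-fix simply runs certutil -L -n Server-Cert against /etc/httpd/alias and aborts with "Failed to get Server-Cert" when that nickname is absent. The script below is an added example, not code from the thread or from FreeIPA: it reproduces that nickname lookup against a captured certutil -L listing (so it runs without an IPA server), using constructed listings modelled on the output quoted above, and wraps the live certutil query in a helper for use on a real host. The function names, the sample listings and the "dbm:" prefix on the database path are assumptions taken from the command line shown in the debug log.

```shell
#!/bin/sh
# Added example (not from the thread): reproduce the check that ipa-cert-fix
# performs, i.e. look for a certificate nickname in an NSS database, but run
# it against a captured "certutil -L" listing so it works without FreeIPA.
#
# nss_listing_has_nick LISTING NICKNAME
#   exit 0 if NICKNAME appears as a nickname in LISTING, 1 otherwise.
#   LISTING is the text certutil -L prints: a two-line header, then one
#   "<nickname> <trust attributes>" line per certificate. Nicknames may
#   contain spaces ("Server-Cert cert-pki-ca"), so the trust attributes are
#   taken as the last whitespace-separated field and the rest is the name.
nss_listing_has_nick() {
    listing="$1"
    nick="$2"
    printf '%s\n' "$listing" | awk -v nick="$nick" '
        NR <= 2 { next }        # skip the "Certificate Nickname" header lines
        {
            name = $0
            # strip the trailing trust-attribute column (and spaces around it)
            sub(/[ \t]+[^ \t]+[ \t]*$/, "", name)
            if (name == nick) { found = 1; exit }
        }
        END { exit found ? 0 : 1 }'
}

# Constructed sample: the /etc/httpd/alias listing quoted in the thread,
# with the placeholder domain kept as-is. Server-Cert is missing here.
SAMPLE_HTTPD_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
<mydomain> IPA CA                                            CT,C,C
CN=R3,O=Let'"'"'s Encrypt,C=US                                     C,,
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
CN=<mydomain>                                                u,u,u'

# Constructed sample: a pki-tomcat style listing that does carry the
# server certificate under its Dogtag nickname.
SAMPLE_TOMCAT_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u'

# check_nssdb DIR NICKNAME [PWDFILE]
#   On a real host, run the same query ipa-cert-fix runs
#   (certutil -d dbm:DIR -L -n NICKNAME -a). Returns 0 if the certificate
#   is present, 1 if certutil reports it missing, 2 if certutil is not
#   installed. The "dbm:" prefix matches the args shown in the debug log.
check_nssdb() {
    dir="$1"; nick="$2"; pwdfile="${3:-$1/pwdfile.txt}"
    command -v certutil >/dev/null 2>&1 || return 2
    certutil -d "dbm:$dir" -L -n "$nick" -a -f "$pwdfile" >/dev/null 2>&1
}

# Stand-alone usage: report which of the two sample listings would let
# ipa-cert-fix proceed past the Server-Cert lookup.
main() {
    for nick in 'Server-Cert' 'Server-Cert cert-pki-ca'; do
        if nss_listing_has_nick "$SAMPLE_HTTPD_LISTING" "$nick"; then
            echo "httpd listing: '$nick' present"
        else
            echo "httpd listing: '$nick' MISSING (ipa-cert-fix would fail here)"
        fi
        if nss_listing_has_nick "$SAMPLE_TOMCAT_LISTING" "$nick"; then
            echo "pki-tomcat listing: '$nick' present"
        else
            echo "pki-tomcat listing: '$nick' missing"
        fi
    done
}

main
```

On a live server, `check_nssdb /etc/httpd/alias Server-Cert` answers the same question ipa-cert-fix asks before it reads anything else, so it is a cheap pre-check to run (and to record in a ticket) before attempting a repair; note that importing "Server-Cert cert-pki-ca" from pki-tomcat does not satisfy it, because the nickname the tool looks for in /etc/httpd/alias is exactly "Server-Cert".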