Grateful for your response, Rob

On Tue, May 17, 2022 at 9:41 PM Rob Crittenden <rcritten@redhat.com> wrote:

> > sh-4.2# ipa --version
> > VERSION: 4.6.8, API_VERSION: 2.237
> >
> > ipa-cert-fix fails with The ipa-cert-fix command failed, exception:
> > RuntimeError: Failed to get Server-Cert
> > Indeed, it isn't present in /etc/httpd/alias, though it is still present
> > in /etc/pki/pki-tomcat/alias

> How did you confirm this, using certutil? I assume the httpd process
> won't start?


 ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

httpd process started, but I didn't mention (sorry) I have letsencrypt certs for httpd installed via ipa-server-certinstall.
Could this be the reason why the internal certs were not updated?


Here's all I have in /etc/httpd/alias
certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

<mydomain> IPA CA                                   CT,C,C
CN=R3,O=Let's Encrypt,C=US                                   C,,  
<mydomain> IPA CA                                   CT,C,C
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,  
<mydomain> IPA CA                                   CT,C,C
CN=<mydomain>                                       u,u,u (letsencrypt for my domain)

Yes, using certutil I can see the absence of Server-Cert in /etc/httpd/alias.
Also, for some reason, when trying to

getcert list -d /etc/httpd/alias 

I'm only getting this without detailed list

Number of certificates and requests being tracked: 8.

While on 

getcert list -d /etc/pki/pki-tomcat/alias 

outputs all the certificates and status

 
> Is the key there:
>
> certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt


I have the key and I have "Server-Cert cert-pki-ca" in /etc/pki/pki-tomcat/alias.
I've even exported "Server-Cert cert-pki-ca" off the /etc/pki/pki-tomcat/alias and imported it into
/etc/httpd/alias using pk12util.

Still, ipa-cert-fix is unable to find it: 

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 100, in run
    certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 142, in expired_certs
    return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 191, in expired_ipa_certs
    cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in get_cert
    raise RuntimeError("Failed to get %s" % nickname)

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.


 
> Is there certmonger tracking for it?
>
> getcert list -d /etc/httpd/alias
>
> If there is then you can get a copy of the certificate from
> /var/lib/certmonger/requests and try re-installing it with certutil.
> Though later you say you can start everything with a date in the past so
> this is confusing.


The certmonger service is running and permanently attempts to renew certificates, but fails.
I can see requests for valid IDs in /var/lib/certmonger/requests, but they are still not processed (probably my attempts to resubmit manually).


 
> > I went through the suggested document and nothing seems to work.
> >
> > Manual renew via ipa-getcert resubmit also fails with different errors
> > such as
> > status: MONITORING
> > ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess"
> > replied: 1: Request 9980034 Not Found

> On which certificate?


Request ID '20171204131516':
status: MONITORING
ca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
stuck: no
key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent-selfsigned
expires: 2041-12-28 08:53:41 UTC
post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
 
And there are no errors for the others in /etc/pki/pki-tomcat/alias.

> > status: CA_UNREACHABLE
> > ca-error: Error setting up ccache for "host" service on client using
> > default keytab: Cannot contact any KDC for realm ...

> This can happen if all of IPA is not running. certmonger uses the host
> keytab to authenticate to the IPA API.


OK, we ignore this for now.

The certificates which were not renewed are:

"ocspSigningCert cert-pki-ca"
"subsystemCert cert-pki-ca"
"Server-Cert cert-pki-ca"

What else should I try?


 
> rob

Great thanks
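Triaging a thread like this usually comes down to reading `getcert list` output carefully: which request is tracked where, which one carries a ca-error, and which one has already expired relative to the clock the server is running on. The following Python example is added here and is not FreeIPA or certmonger code. It parses `getcert list` output into records and flags the requests an admin should look at. The sample output is constructed: the first request is copied from the thread, the second is a hypothetical expired Server-Cert request in /etc/httpd/alias with a placeholder realm, included to exercise the expiry and CA_UNREACHABLE checks.

```python
"""Parse `getcert list` output and flag certmonger requests needing attention.

Added example for the thread above; not FreeIPA/certmonger code.
"""
import re
from datetime import datetime, timezone

# Constructed sample: request 1 is the caSigningCert entry from the thread,
# request 2 is hypothetical (expired Server-Cert, CA unreachable, placeholder realm).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20171204131516':
\tstatus: MONITORING
\tca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent-selfsigned
\texpires: 2041-12-28 08:53:41 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes
Request ID '20171204131517':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm EXAMPLE.TEST
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2022-04-30 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_RE = re.compile(r"^([^:]+?):\s*(.*)$")
NSS_LOCATION_RE = re.compile(r"location='([^']*)'")
NSS_NICKNAME_RE = re.compile(r"nickname='([^']*)'")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_getcert_list(text):
    """Turn `getcert list` output into a list of request dicts.

    Leading whitespace is stripped, so both the tab-indented original format
    and mail-flattened copies (as in the thread) parse the same way.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1), "fields": {}}
            records.append(current)
            continue
        if current is None or not line:
            continue  # skip the "Number of certificates ..." header and blanks
        m = FIELD_RE.match(line)
        if m:
            current["fields"][m.group(1).strip()] = m.group(2).strip()
    for rec in records:
        fields = rec["fields"]
        cert = fields.get("certificate", "")
        loc = NSS_LOCATION_RE.search(cert)
        nick = NSS_NICKNAME_RE.search(cert)
        rec["location"] = loc.group(1) if loc else None
        rec["nickname"] = nick.group(1) if nick else None
        exp = fields.get("expires")
        rec["expires"] = (
            datetime.strptime(exp, EXPIRES_FMT).replace(tzinfo=timezone.utc)
            if exp else None
        )
    return records


def needs_attention(records, now):
    """Map request ID -> list of reasons for requests an admin should look at."""
    problems = {}
    for rec in records:
        fields = rec["fields"]
        reasons = []
        if fields.get("status") != "MONITORING":
            reasons.append("status=" + fields.get("status", "?"))
        if fields.get("ca-error"):
            reasons.append("ca-error")
        if fields.get("stuck") == "yes":
            reasons.append("stuck")
        if rec["expires"] is not None and rec["expires"] <= now:
            reasons.append("expired")
        if reasons:
            problems[rec["request_id"]] = reasons
    return problems


def tracked_nicknames(records, location):
    """Nicknames certmonger tracks in the given NSS database directory."""
    return [r["nickname"] for r in records if r["location"] == location]


if __name__ == "__main__":
    recs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    now = datetime(2022, 5, 17, tzinfo=timezone.utc)
    for rid, why in needs_attention(recs, now).items():
        print(rid, ", ".join(why))
    print("tracked in /etc/httpd/alias:", tracked_nicknames(recs, "/etc/httpd/alias"))
```

Run against real output (`getcert list | python3 this_script.py` after swapping the sample for `sys.stdin.read()`), the `tracked_nicknames` result answers Rob's question directly: if Server-Cert is not listed for /etc/httpd/alias, certmonger is not tracking it there, which explains why `getcert list -d /etc/httpd/alias` printed only the summary line.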