certmonger should have moved them into the state NOTIFYING_VALIDITY and
started the renewal.
Create /etc/sysconfig/certmonger with the contents: OPTS=-d3
Restart certmonger
Go back in time
Resubmit
Check logs.
rob
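Rob's note above, and his earlier reply further down asking for the full "getcert list" output, both come down to reading the state of every tracking request. The following Python script is an added example, not code from this thread or from certmonger/FreeIPA: it parses "getcert list" output into one record per request and flags the ones an operator should look at (a status other than MONITORING, a recorded ca-error, a stuck request, and certificates already expired or inside a warning window). The sample output embedded in it is constructed from records quoted in this thread, and the 28-day window is an arbitrary threshold chosen for the demonstration, not a certmonger setting.

```python
"""Parse `getcert list` output and flag tracked requests that need attention.

Added example for this thread (not certmonger or FreeIPA code). The sample
output below is constructed from the records quoted in the thread.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20170214143159':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=IPA.GEN.ZONE
\tsubject: CN=IPA RA,O=IPA.GEN.ZONE
\texpires: 2020-12-01 18:52:44 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20170214143200':
\tstatus: CA_UNREACHABLE
\tca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tissuer: CN=Certificate Authority,O=IPA.GEN.ZONE
\tsubject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
\texpires: 2019-01-08 20:16:52 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Split getcert output into one dict per tracking request, keyed by field name."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: ca-error values contain URLs with ':'.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def nickname(request):
    m = NICKNAME_RE.search(request.get("certificate", ""))
    return m.group(1) if m else "?"


def find_problems(requests, now, warn_within=timedelta(days=28)):
    """Return (request_id, nickname, reason) for every condition worth an operator's attention."""
    problems = []
    for req in requests:
        rid, nick = req["request_id"], nickname(req)
        status = req.get("status", "")
        if status != "MONITORING":
            problems.append((rid, nick, f"status {status}"))
        if req.get("ca-error"):
            problems.append((rid, nick, "ca-error: " + req["ca-error"]))
        if req.get("stuck") == "yes":
            problems.append((rid, nick, "request is stuck"))
        if req.get("expires"):
            expires = parse_expiry(req["expires"])
            if expires <= now:
                problems.append((rid, nick, f"expired {expires:%Y-%m-%d %H:%M} UTC"))
            elif expires - now <= warn_within:
                problems.append((rid, nick, f"expires within {warn_within.days} days ({expires:%Y-%m-%d})"))
    return problems


if __name__ == "__main__":
    # Pass a saved `getcert list` capture as the first argument; otherwise use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_GETCERT_LIST
    for rid, nick, reason in find_problems(parse_getcert_list(text), datetime.now(timezone.utc)):
        print(f"{rid} ({nick}): {reason}")
```

Run against the sample with the thread's date (June 2019) it reports only request 20170214143200: its CA_UNREACHABLE status, the Error 60 ca-error, and the expiry on 2019-01-08; the ipaCert request is quiet until it enters the warning window in November 2020.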
##############
To: 'FreeIPA users list' <freeipa-users(a)lists.fedorahosted.org>; Florence Blanc-Renaud <flo(a)redhat.com>; Rob Crittenden <rcritten(a)redhat.com>
Subject: RE: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start
This is affecting 3 out of 4 of our IPA servers. Would you recommend any other solution for
this issue?
We have only one CRL Master IPA server, which does not have this issue.
Would breaking the replication and recreating the replica from the one good CRL Master IPA server
work?
-----Original Message-----
From: Sayfiddin, Farhad via FreeIPA-users <freeipa-users(a)lists.fedorahosted.org>
Sent: Wednesday, June 19, 2019 2:51 PM
To: Florence Blanc-Renaud <flo(a)redhat.com>; FreeIPA users list
<freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden <rcritten(a)redhat.com>
Subject: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start
Thanks for your reply. In the journal I did not see anything meaningful when I ran
"certmonger resubmit -i 20170214143200":

Jan 07 20:23:29 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28772 PROTO=UDP SPT=52233 DPT=161 LEN=69
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.598658399 -0600] csngen_new_csn - Warning: too much time skew (-14058896 secs). Current seqnum=1
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 1
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 2
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: GSSAPI server step 3
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.630614940 -0600] csngen_new_csn - Warning: too much time skew (-14058897 secs). Current seqnum=1
Jan 07 20:23:38 sl1mmgplidm0002.ipa.gen.zone kernel: FINAL_REJECT: IN=ens192 OUT= MAC=00:50:56:b2:39:92:00:1c:7f:61:a6:27:08:00 SRC=10.48.10.142 DST=172.20.0.36 LEN=89 TOS=0x00 PREC=0x00 TTL=126 ID=28773 PROTO=UDP SPT=59164 DPT=161 LEN=69
Jan 07 20:23:45 sl1mmgplidm0002.ipa.gen.zone certmonger[6749]: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20190108201652.

/var/log/pki/pki-tomcat/ca/debug did not generate anything when I ran "certmonger resubmit -i 20170214143200".
Any thoughts?
-----Original Message-----
From: Florence Blanc-Renaud <flo(a)redhat.com>
Sent: Tuesday, June 18, 2019 11:20 AM
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Rob Crittenden
<rcritten(a)redhat.com>
Subject: Re: [Freeipa-users] Re: Cert expired for pki-tomcat and process would not start
> Thanks for your response Rob, really appreciate it.
>
> I have stopped the IPA and went back in time to Jan 7 of 2019 since
> Server-Cert cert-pki-ca would expire on: 2019-01-08 20:16:52 UTC
>
> Started dirsrv, krb5kdc and pki-tomcatd(a)pki-tomcat.service manually.
>
> [root@sl1mmgplidm0002 ~]# date
> Mon Jan 7 20:23:50 CST 2019
> [root@sl1mmgplidm0002 ~]#
>
> [root@sl1mmgplidm0002 ~]# ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: STOPPED
> named Service: STOPPED
> ipa_memcached Service: STOPPED
> httpd Service: STOPPED
> ipa-custodia Service: STOPPED
> pki-tomcatd Service: STOPPED
> smb Service: STOPPED
> winbind Service: STOPPED
> ipa-otpd Service: STOPPED
> ipa-dnskeysyncd Service: STOPPED
> ipa: INFO: The ipactl command was successful
> [root@sl1mmgplidm0002 ~]# systemctl status pki-tomcatd(a)pki-tomcat.service
> ● pki-tomcatd(a)pki-tomcat.service - PKI Tomcat Server pki-tomcat
>    Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
>    Active: active (running) since Mon 2019-01-07 20:17:53 CST; 4min 59s ago
>   Process: 58524 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
>  Main PID: 58637 (java)
>    CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd(a)pki-tomcat.service
>            └─58637 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tom...
>
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["http-bio-8443"]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.coyote.AbstractProtocol start
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Starting ProtocolHandler ["ajp-bio-0:0:0:0:0:0:0:1-8009"]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: org.apache.catalina.core.StandardServer[after_start]
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Subsystem CA is disabled.
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: To enable the subsystem:
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: Jan 07, 2019 8:17:57 PM org.apache.catalina.startup.Catalina start
> Jan 07 20:17:57 sl1mmgplidm0002.ipa.gen.zone server[58637]: INFO: Server startup in 2477 ms
> [root@sl1mmgplidm0002 ~]#
>
> Ran "certmonger resubmit -i 20170214143200" but the cert is still showing as expiring on the
> same date; it is not forcing it to update.
>
> Status is changed to Monitoring now, but it is only because I went back in time.
>
> Request ID '20170214143200':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
> expires: 2019-01-08 20:16:52 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
>
> I have tried to restart certmonger with no luck. Please advise.
>
Hi,
when you run certmonger resubmit, please have a look at the logs generated in the
journal. When everything goes smoothly, you should be able to see the following steps in
the journal (may be separated by other unrelated logs):
dogtag-ipa-ca-renew-agent-submit[20831]: Forwarding request to dogtag-ipa-renew-agent
dogtag-ipa-ca-renew-agent-submit[20831]: dogtag-ipa-renew-agent returned 5

The above 2 lines may appear multiple times and show that the CA helper is using another
helper. This other command is directly contacting PKI and authenticates with the RA cert (the
'ipaCert' stored in /etc/httpd/alias). It is calling the profileSubmit API, then the
profileReview API.
Then at around the same time in /var/log/pki/pki-tomcat/ca/debug, check if there is a
line with "uri = /ca/ee/ca/profileSubmit" and another one with "uri =
/ca/ee/ca/profileReview". This shows that the PKI server received a renewal request.
The following lines may help diagnose any issue (for instance the authentication
failed).
flo
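Rob's debugging steps at the top of this thread (OPTS=-d3 in /etc/sysconfig/certmonger, restart certmonger, go back in time, resubmit, check logs) and Florence's list of the journal and debug-log lines a healthy resubmit produces describe the same check. The Python script below is an added example, not code from this thread or from certmonger, Dogtag or FreeIPA: it scans saved journal and /var/log/pki/pki-tomcat/ca/debug lines for the helper "Forwarding request" and "returned N" lines, the profileSubmit and profileReview URIs, certmonger's "will not be valid after" warning and ns-slapd's time-skew warning, and reports how far the renewal got. The journal excerpt is constructed from lines quoted in this thread plus the two expected helper lines; the debug-log lines are constructed to carry the "uri = ..." text Florence mentions, with invented timestamps and thread names; the status names follow certmonger's submit-helper exit-status convention for codes 0 to 5.

```python
"""Trace a certmonger renewal attempt through the journal and the PKI debug log.

Added example for this thread (not certmonger, Dogtag or FreeIPA code). Both
samples below are constructed: the journal lines come from the thread plus the
two helper lines a successful resubmit is expected to log; the debug-log lines
are invented to carry the "uri = ..." text described in the thread.
"""
import re

JOURNAL_SAMPLE = """\
Jan 07 20:23:32 sl1mmgplidm0002.ipa.gen.zone ns-slapd[6208]: [07/Jan/2019:20:23:32.598658399 -0600] csngen_new_csn - Warning: too much time skew (-14058896 secs). Current seqnum=1
Jan 07 20:23:45 sl1mmgplidm0002.ipa.gen.zone certmonger[6749]: Certificate named "Server-Cert cert-pki-ca" in token "NSS Certificate DB" in database "/etc/pki/pki-tomcat/alias" will not be valid after 20190108201652.
Jan 07 20:23:46 sl1mmgplidm0002.ipa.gen.zone dogtag-ipa-ca-renew-agent-submit[20831]: Forwarding request to dogtag-ipa-renew-agent
Jan 07 20:23:47 sl1mmgplidm0002.ipa.gen.zone dogtag-ipa-ca-renew-agent-submit[20831]: dogtag-ipa-renew-agent returned 5
"""

DEBUG_SAMPLE = """\
[07/Jan/2019:20:23:46][http-bio-8443-exec-3]: uri = /ca/ee/ca/profileSubmit
[07/Jan/2019:20:23:47][http-bio-8443-exec-4]: uri = /ca/ee/ca/profileReview
"""

# certmonger's submit-helper exit-status convention for the codes that matter here.
HELPER_STATUS = {0: "ISSUED", 1: "WAIT", 2: "REJECTED", 3: "UNREACHABLE",
                 4: "UNCONFIGURED", 5: "WAIT_WITH_DELAY"}

FORWARD_RE = re.compile(r"dogtag-ipa-ca-renew-agent-submit\[\d+\]: Forwarding request to dogtag-ipa-renew-agent")
RETURN_RE = re.compile(r"dogtag-ipa-ca-renew-agent-submit\[\d+\]: dogtag-ipa-renew-agent returned (\d+)")
NOT_VALID_RE = re.compile(r'certmonger\[\d+\]: Certificate named "([^"]+)".* will not be valid after (\d{14})')
SKEW_RE = re.compile(r"too much time skew \((-?\d+) secs\)")
URI_RE = re.compile(r"uri = (/ca/ee/ca/profile(?:Submit|Review))\b")

SUBMIT, REVIEW = "/ca/ee/ca/profileSubmit", "/ca/ee/ca/profileReview"


def analyse(journal_text, debug_text):
    """Collect the renewal-related events from both logs into one report dict."""
    report = {"forwarded": 0, "helper_returns": [], "expiring": [],
              "time_skew_secs": [], "profile_uris": []}
    for line in journal_text.splitlines():
        if FORWARD_RE.search(line):
            report["forwarded"] += 1
        m = RETURN_RE.search(line)
        if m:
            code = int(m.group(1))
            report["helper_returns"].append((code, HELPER_STATUS.get(code, "UNKNOWN")))
        m = NOT_VALID_RE.search(line)
        if m:
            report["expiring"].append((m.group(1), m.group(2)))  # (nickname, YYYYMMDDhhmmss)
        m = SKEW_RE.search(line)
        if m:
            report["time_skew_secs"].append(int(m.group(1)))
    for line in debug_text.splitlines():
        m = URI_RE.search(line)
        if m:
            report["profile_uris"].append(m.group(1))
    return report


def verdict(report):
    """Say how far the renewal got, checking the steps in the order the thread lists them."""
    if report["forwarded"] == 0:
        return ("no helper activity: certmonger never forwarded the request "
                "(run certmonger with OPTS=-d3, resubmit, then re-check the journal)")
    if SUBMIT not in report["profile_uris"]:
        return ("helper ran but the CA logged no profileSubmit: the request never reached PKI "
                "(check the ca-error in getcert list, the RA cert trust and the clock)")
    if REVIEW not in report["profile_uris"]:
        return "profileSubmit reached the CA but profileReview did not: read the debug log after profileSubmit"
    statuses = ", ".join(name for _, name in report["helper_returns"])
    return f"request reached the CA (profileSubmit and profileReview seen); helper status: {statuses}"


if __name__ == "__main__":
    r = analyse(JOURNAL_SAMPLE, DEBUG_SAMPLE)
    for nick, until in r["expiring"]:
        print(f"certmonger warns: {nick} not valid after {until}")
    if r["time_skew_secs"]:
        print(f"ns-slapd reports time skew of {min(r['time_skew_secs'])} s (expected while the clock is set back)")
    print(verdict(r))
```

In real use, feed it the output of "journalctl -u certmonger" (plus the helper units) captured around the resubmit, and the matching slice of the debug log; an empty debug side with the helper lines present is exactly the situation described in this thread, and the verdict points back at the ca-error and the RA cert trust.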
> -----Original Message-----
> From: Rob Crittenden <rcritten(a)redhat.com>
> Sent: Monday, June 17, 2019 2:17 PM
> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process would not start
>
>> Here is the output of getcert list
>
> I think if you stop IPA, go back in time to when this server cert is
> valid (it is the TLS cert for the CA server) and manually start
> dirsrv, dogtag and krb5 then run certmonger resubmit -i 20170214143200
>
> You want to be sure ntpd (or chronyc) isn't running to force time back to now.
>
> rob
>
>>
>> [root@sl1mmgplidm0002 ~]# getcert list
>> Number of certificates and requests being tracked: 8.
>> Request ID '20170214143155':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=CA Audit,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:55 UTC
>> key usage: digitalSignature,nonRepudiation
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143156':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=OCSP Subsystem,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:54 UTC
>> eku: id-kp-OCSPSigning
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143157':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=CA Subsystem,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:53:15 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143158':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=Certificate Authority,O=IPA.GEN.ZONE
>> expires: 2037-01-18 20:02:36 UTC
>> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143159':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=IPA RA,O=IPA.GEN.ZONE
>> expires: 2020-12-01 18:52:44 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143200':
>> status: CA_UNREACHABLE
>> ca-error: Error 60 connecting to https://sl1mmgplidm0002.ipa.gen.zone:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-renew-agent
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2019-01-08 20:16:52 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143201':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-GEN-ZONE/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-GEN-ZONE',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2020-12-23 03:40:21 UTC
>> principal name: ldap/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-GEN-ZONE
>> track: yes
>> auto-renew: yes
>> Request ID '20170214143202':
>> status: MONITORING
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>> CA: IPA
>> issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> expires: 2020-12-23 03:40:31 UTC
>> principal name: HTTP/sl1mmgplidm0002.ipa.gen.zone(a)IPA.GEN.ZONE
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command:
>> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>> track: yes
>> auto-renew: yes
>>
>> Already tried this solution with no luck:
>>
>> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
>>
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -L
>>
>> Certificate Nickname Trust Attributes
>>
>> SSL,S/MIME,JAR/XPI
>>
>> Server-Cert u,u,u
>> ipaCert u,u,u
>> IPA.GEN.ZONE IPA CA CT,C,C
>>
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE
IPA CA' -t ',,'
>> [root@sl1mmgplidm0002 ~]# certutil -d /etc/httpd/alias -M -n 'IPA.GEN.ZONE
IPA CA' -t 'CT,C,C'
>>
>> Curl command still fails
>>
>> [root@sl1mmgplidm0002 ~]# SSL_DIR=/etc/httpd/alias/ curl -v -o /dev/null --cacert
/etc/ipa/ca.crt
https://urldefense.proofpoint.com/v2/url?u=https-3A__-2560hostname-2560-3...
>>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>>                                  Dload  Upload   Total   Spent    Left  Speed
>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>> * About to connect() to sl1mmgplidm0002.ipa.gen.zone port 8443 (#0)
>> *   Trying 172.20.0.36...
>> * Connected to sl1mmgplidm0002.ipa.gen.zone (172.20.0.36) port 8443 (#0)
>> * Initializing NSS with certpath: sql:/etc/httpd/alias/
>> * CAfile: /etc/ipa/ca.crt
>> CApath: none
>> * Server certificate:
>> * subject: CN=sl1mmgplidm0002.ipa.gen.zone,O=IPA.GEN.ZONE
>> * start date: Jan 18 20:16:52 2017 GMT
>> * expire date: Jan 08 20:16:52 2019 GMT
>> * common name: sl1mmgplidm0002.ipa.gen.zone
>> * issuer: CN=Certificate Authority,O=IPA.GEN.ZONE
>> * NSS error -8181 (SEC_ERROR_EXPIRED_CERTIFICATE)
>> * Peer's Certificate has expired.
>>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>> * Closing connection 0
>> curl: (60) Peer's Certificate has expired.
>> More details here: http://curl.haxx.se/docs/sslcerts.html
>>
>> curl performs SSL certificate verification by default, using a "bundle"
>> of Certificate Authority (CA) public keys (CA certs). If the default
>> bundle file isn't adequate, you can specify an alternate file
>> using the --cacert option.
>> If this HTTPS server uses a certificate signed by a CA represented in
>> the bundle, the certificate verification probably failed due to a
>> problem with the certificate (it might be expired, or the name might
>> not match the domain name in the URL).
>> If you'd like to turn off curl's verification of the certificate, use
>> the -k (or --insecure) option.
>>
>>
>> -----Original Message-----
>> From: Rob Crittenden <rcritten(a)redhat.com>
>> Sent: Thursday, June 13, 2019 4:08 PM
>> To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
>> Cc: Sayfiddin, Farhad <fsayfiddin(a)tkcholdings.com>
>> Subject: Re: [Freeipa-users] Cert expired for pki-tomcat and process
>> would not start
>>
>>> We have two replica servers sl1mmgplidm0001/2.
>>>
>>> sl1mmgplidm0001 is functioning as CRL master and has no issues.
>>>
>>> [root@sl1mmgplidm0001 ~]# ipa config-show | grep 'CA renewal master'
>>> IPA CA renewal master: sl1mmgplidm0001
>>> [root@sl1mmgplidm0001 ~]#
>>>
>>> [root@sl1mmgplidm0001 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: RUNNING
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> [root@sl1mmgplidm0001 ~]#
>>>
>>> sl1mmgplidm0002 is having an issue where the pki-tomcat process would
>>> not start due to an expired cert. It has a CA_UNREACHABLE error.
>>>
>>> [root@sl1mmgplidm0002 ~]# ipactl status
>>> Directory Service: RUNNING
>>> krb5kdc Service: RUNNING
>>> kadmin Service: RUNNING
>>> named Service: RUNNING
>>> ipa_memcached Service: RUNNING
>>> httpd Service: RUNNING
>>> ipa-custodia Service: RUNNING
>>> pki-tomcatd Service: STOPPED
>>> smb Service: RUNNING
>>> winbind Service: RUNNING
>>> ipa-otpd Service: RUNNING
>>> ipa-dnskeysyncd Service: RUNNING
>>> ipa: INFO: The ipactl command was successful
>>> [root@sl1mmgplidm0002 ~]#
>>>
>>> [root@sl1mmgplidm0002 ~]# getcert list | grep -A 10 20170214143200
>>> Request ID '20170214143200':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 60 connecting to https://sl1mmgplidm0002:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>>> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>> CA: dogtag-ipa-renew-agent
>>> issuer: CN=Certificate Authority,O=IPA
>>> subject: CN=sl1mmgplidm0002,O=IPA
>>> expires: 2019-01-08 20:16:52 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> [root@sl1mmgplidm0002 ~]#
>>>
>>> Tried running renew_ca_cert command and "getcert resubmit -i" with no luck.
>>
>> Don't run ipa-cacert-manage renew. It renews only the root CA cert which won't help.
>>
>> We need to see the full output of getcert list to see what status all the certs are in.
>>
>> You might also try this:
>> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
>>
>> rob
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://urldefense.proofpoint.com/v2/url?u=https-3A__docs.fedoraproject.o...
List Guidelines:
https://urldefense.proofpoint.com/v2/url?u=https-3A__fedoraproject.org_wi...
List Archives:
https://urldefense.proofpoint.com/v2/url?u=https-3A__lists.fedorahosted.o...