On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote:
Hi Flo,
thanks for your feedback. I appreciate it a lot!
On 16.07.20 14:32, Florence Blanc-Renaud wrote:
> Hi,
> this type of failure can happen when the certificates expire. You can
> check if that's the case using "getcert list" and look at the
> "status:" values that should be MONITORING and the "expires:" date.
>
> Although the manual repair procedure can be quite long, it's possible
> to fix this type of issue. See [1] for instructions.
I was thinking something similar. I tried
```
[root@ipa01 ~]# ipa-cacert-manage renew
Renewing CA certificate, please wait
Error resubmitting certmonger request '20200716071025', please check the request manually
The ipa-cacert-manage command failed.
```
Hi,
this command is used to renew IPA CA certificate and not applicable to
the current situation. IPA CA has ~20 years validity and this cert is
unlikely to be expired.
```
[root@ipa01 ~]# getcert list
Number of certificates and requests being tracked: 9.
[...]
Request ID '20200716071025':
	status: CA_UNREACHABLE
```
This is expected in your case as pki is down, and won't be able to
manage the certificate renewal request.
```
	ca-error: Internal error
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=EXAMPLE.COM
	subject: CN=Certificate Authority,O=EXAMPLE.COM
	expires: 2040-07-16 07:08:27 UTC
	key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
[...]
```
The other ones are all MONITORING and expire in 2022. Since I tried to
force a new cert, maybe this is still okay and the problem lies somewhere
else?
Then the problem is different. Since the new certs will expire 2022 (in
2 years), I suspect that they were renewed recently but the renewal
failed in the middle.
You can refer to [1] in order to ensure that this is the root cause and
fix the current situation.
HTH,
flo
[1] https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom...
Unfortunately I can't access [1] since we do not have a subscription. I
am considering getting one, however it's not my decision alone.
>> Some Clients could sometimes not get kerberos tickets. I couldn't
>> quite figure out why.
>>
>> I used 'ipa-backup --data' in hopes of restoring it on a fresh OS
>> with everything working again. Had to upgrade to IPA 4.6.6. It worked
>> with
> Can you provide the exact steps that you ran? Performing a data-only
> backup does not save the configuration files and I would like to check
> how the new server was setup.
Sure. Backup was done with `ipa-backup --data --online`
The new server was a fresh CentOS install. Here are the steps I did:
```
yum update -y
# reboot
yum install ipa-server -y
ipa-server-install \
--ds-password {{ipa_dm_pw}} \
--admin-password {{ipa_admin_pw}} \
--realm {{ceg_realm}} \
--hostname {{inventory_hostname}}.{{ceg_domain}} \
--domain {{ceg_domain}} \
--mkhomedir \
--unattended
ipa-restore --data --backend=userRoot
systemctl stop sssd
find /var/lib/sss/ ! -type d | xargs rm -f
systemctl start sssd
# reboot
```
I should mention that the `ipa ...` commands do not work on the server. I
have also tried one of the clients (unmodified), but it does not accept
the SSL cert (probably because it is different now).
Best Regards
Lorenz
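As an added example (not part of this thread), here is a small parser for `getcert list` output in the form shown above, applying the check Flo describes: it flags every tracked request whose `status:` is not MONITORING (reporting its `ca-error:`) and every certificate whose `expires:` date has passed or falls within a warning window. The sample output is constructed for the example; the request IDs, nicknames and dates are made up.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output, modelled on the thread above
# (request IDs, nicknames and dates are made up for this example).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20200716071025':
\tstatus: CA_UNREACHABLE
\tca-error: Internal error
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2040-07-16 07:08:27 UTC
Request ID '20200716071030':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2022-07-16 07:09:00 UTC
"""

def parse_getcert_time(value):
    """Parse the timestamp format getcert prints for 'expires:' (always UTC)."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of 'key: value' fields per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def check_certs(text, now, warn_days=30):
    """Return (request_id, problem) for requests not MONITORING, expired, or expiring soon."""
    problems = []
    for req in parse_getcert_list(text):
        status = req.get("status")
        if status != "MONITORING":
            problems.append((req["id"], f"status {status}: {req.get('ca-error', 'no ca-error')}"))
        if "expires" in req:
            exp = parse_getcert_time(req["expires"])
            if exp <= now:
                problems.append((req["id"], f"expired on {req['expires']}"))
            elif exp - now <= timedelta(days=warn_days):
                problems.append((req["id"], f"expires within {warn_days} days ({req['expires']})"))
    return problems
```

On a live server, feed it `subprocess.check_output(["getcert", "list"], text=True)` instead of the sample and run it from cron well before the two-year mark the thread mentions.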
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org