On Mon, Jan 08, 2018 at 10:15:29PM +0100, Giulio Casella via FreeIPA-users wrote:
After some time, requests go "CA_UNREACHABLE", caused by
"RPC failed at
server. Request failed with status 500: Non-2xx response from CA REST API:
500." when certmonger tries to renew httpd/dirsrv certificate.
Any ideas to correctly debug this issue?
Here are some things to check:
What is the validity of /var/lib/ipa/ra-agent.pem at the time you
set the clock back to? Is it possible that you have gone earlier
than its `notBefore' time?
Is that certificate in sync with the userCertificate attribute of
the `uid=ipara,ou=people,o=ipaca' LDAP entry?
What does the /var/log/pki/pki-tomcat/ca/debug log contain?
Cheers,
Fraser
>
>
> Il 08/01/2018 17:56, Giulio Casella via FreeIPA-users ha scritto:
> >
> >
> > Il 08/01/2018 17:26, Rob Crittenden ha scritto:
> > > Giulio Casella via FreeIPA-users wrote:
> > >
> > > You need to stop ntpd, use date to go back when the web server cert is
> > > still valid, then restart certmonger. That generally will do it.
> >
> > Hi Rob,
> > I already tried with date few hours before expiration, with no luck:
> > certmonger cannot perform cert update.
> >
> > Queued requests remain in "SUBMITTING" status, I tried to launch
> > certmonger in foreground (-d 10), here's a snippet of the output:
> >
> > 2018-01-08 01:17:08 [6000] Request9('20171205091409') ends in state
> > 'HAVE_CSR'
> > 2018-01-08 01:17:08 [6000] Stopped Request9('20171205091409').
> > 2018-01-08 01:17:09 [6235] Read value "0" from
> > "/proc/sys/crypto/fips_enabled".
> > 2018-01-08 01:17:09 [6235] Not attempting to set NSS FIPS mode.
> > 2018-01-08 01:17:09 [6235] Skipping NSS internal slot (NSS Generic
> > Crypto Services).
> > 2018-01-08 01:17:09 [6235] Found token 'NSS Certificate DB'.
> > 2018-01-08 01:17:09 [6235] Located a certificate with the key's nickname
> > ("Server-Cert").
> > 2018-01-08 01:17:09 [6235] Located its private key.
> > 2018-01-08 01:17:09 [6235] Recovered public key from private key.
> > 2018-01-08 01:17:09 [6235] Key is an RSA key.
> > 2018-01-08 01:17:09 [6235] Key size is 2048.
> > 2018-01-08 01:17:10 [6251] Read value "0" from
> > "/proc/sys/crypto/fips_enabled".
> > 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
> > 2018-01-08 01:17:10 [6251] Found token 'NSS Generic Crypto Services'.
> > 2018-01-08 01:17:10 [6251] Token is named "NSS Generic Crypto
Services",
> > not "NSS Certificate DB", skipping.
> > 2018-01-08 01:17:10 [6251] Found token 'NSS Certificate DB'.
> > 2018-01-08 01:17:10 [6251] Located the certificate "Server-Cert".
> > 2018-01-08 01:17:10 [6251] Read value "0" from
> > "/proc/sys/crypto/fips_enabled".
> > 2018-01-08 01:17:10 [6251] Not attempting to set NSS FIPS mode.
> > 2018-01-08 01:17:10 [6000] Request9('20171205091409') starts in state
> > 'HAVE_KEYINFO'
> > 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state
> > 'NEED_CSR'
> > 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') now.
> > 2018-01-08 01:17:10 [6000] Started Request9('20171205091409').
> > 2018-01-08 01:17:10 [6000] Queuing FD 7 for Read for
> > 0x561b59c82750:0x561b59c98940.
> > 2018-01-08 01:17:10 [6000] Request9('20171205091409') moved to state
> > 'GENERATING_CSR'
> > 2018-01-08 01:17:10 [6000] Will revisit Request9('20171205091409') on
> > traffic from 27.
> > 2018-01-08 01:17:11 [6263] Read value "0" from
> > "/proc/sys/crypto/fips_enabled".
> > 2018-01-08 01:17:11 [6263] Not attempting to set NSS FIPS mode.
> > 2018-01-08 01:17:11 [6263] Skipping NSS internal slot (NSS Generic
> > Crypto Services).
> > 2018-01-08 01:17:11 [6263] Found token 'NSS Certificate DB'.
> > 2018-01-08 01:17:11 [6263] Located a certificate with the key's nickname
> > ("Server-Cert").
> > 2018-01-08 01:17:11 [6263] Located its private key.
> > 2018-01-08 01:17:11 [6263] Recovered public key from private key.
> > 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state
> > 'HAVE_CSR'
> > 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
> > 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state
> > 'NEED_TO_SUBMIT'
> > 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') now.
> > 2018-01-08 01:17:11 [6000] Request9('20171205091409') moved to state
> > 'SUBMITTING'
> > 2018-01-08 01:17:11 [6000] Will revisit Request9('20171205091409') on
> > traffic from 31.
> > ^C2018-01-08 01:17:14 [6000] Got signal 2.
> > 2018-01-08 01:17:14 [6000] Shutting down.
> >
> > I'm stuck...
> >
> > Thank you for your time.
> >
> > >
> > > rob
> > >
> > > >
> > > > Is there a way to force update?
> > > >
> > > > Here's my output of "getcert list":
> > > >
> > > >
> > > > Number of certificates and requests being tracked: 9.
> > > > Request ID '20170915095009':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > > type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> > > > certificate:
type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> > > > CA: SelfSign
> > > > issuer:
> > > > CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject:
> > > > CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2018-09-15 09:50:10 UTC
> > > > principal name:
> > > > krbtgt/LINUX.UNICLOUDIDATTICA.LOCAL(a)LINUX.UNICLOUDIDATTICA.LOCAL
> > > > certificate template/profile: KDCs_PKINIT_Certs
> > > > pre-save command:
> > > > post-save command:
/usr/libexec/ipa/certmonger/renew_kdc_cert
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091347':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> > > >
> > > > cert-pki-ca',token='NSS Certificate DB',pin set
> > > > certificate:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> > > >
> > > > cert-pki-ca',token='NSS Certificate DB'
> > > > CA: dogtag-ipa-ca-renew-agent
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject: CN=CA Audit,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2019-11-21 07:19:44 UTC
> > > > key usage: digitalSignature,nonRepudiation
> > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > > "auditSigningCert cert-pki-ca"
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091349':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> > > > cert-pki-ca',token='NSS
> > > > Certificate DB',pin set
> > > > certificate:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
> > > > cert-pki-ca',token='NSS
> > > > Certificate DB'
> > > > CA: dogtag-ipa-ca-renew-agent
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject: CN=OCSP Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2019-11-21 07:18:07 UTC
> > > > eku: id-kp-OCSPSigning
> > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > > "ocspSigningCert cert-pki-ca"
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091350':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> > > > cert-pki-ca',token='NSS Certificate DB',pin set
> > > > certificate:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> > > > cert-pki-ca',token='NSS Certificate DB'
> > > > CA: dogtag-ipa-ca-renew-agent
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject: CN=CA Subsystem,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2019-11-21 07:19:43 UTC
> > > > key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > > "subsystemCert cert-pki-ca"
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091351':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > > > cert-pki-ca',token='NSS Certificate DB',pin set
> > > > certificate:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> > > > cert-pki-ca',token='NSS Certificate DB'
> > > > CA: dogtag-ipa-ca-renew-agent
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject: CN=Certificate
> > > > Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2038-01-08 00:16:58 UTC
> > > > key usage:
digitalSignature,nonRepudiation,keyCertSign,cRLSign
> > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > > "caSigningCert cert-pki-ca"
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091352':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > > type=FILE,location='/var/lib/ipa/ra-agent.key'
> > > > certificate:
type=FILE,location='/var/lib/ipa/ra-agent.pem'
> > > > CA: dogtag-ipa-ca-renew-agent
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject: CN=IPA RA,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2019-11-21 07:18:14 UTC
> > > > key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > > pre-save command:
/usr/libexec/ipa/certmonger/renew_ra_cert_pre
> > > > post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091353':
> > > > status: MONITORING
> > > > stuck: no
> > > > key pair storage:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> > > > cert-pki-ca',token='NSS Certificate DB',pin set
> > > > certificate:
> > > >
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> > > > cert-pki-ca',token='NSS Certificate DB'
> > > > CA: dogtag-ipa-ca-renew-agent
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject:
> > > > CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2019-11-20 10:02:31 UTC
> > > > key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > > pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> > > > post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> > > > "Server-Cert cert-pki-ca"
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091357':
> > > > status: CA_UNREACHABLE
> > > > ca-error: Server at
> > > >
https://idc01.linux.unicloudidattica.local/ipa/xml failed request,
will
> > > > retry: -504 (libcurl failed to execute the HTTP POST transaction,
> > > > explaining: Peer's Certificate has expired.).
> > > > stuck: no
> > > > key pair storage:
> > > >
type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS
> > > >
> > > > Certificate
> > > >
DB',pinfile='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL/pwdfile.txt'
> > > > certificate:
> > > >
type=NSSDB,location='/etc/dirsrv/slapd-LINUX-UNICLOUDIDATTICA-LOCAL',nickname='Server-Cert',token='NSS
> > > >
> > > > Certificate DB'
> > > > CA: IPA
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject:
> > > > CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2018-01-08 08:24:22 UTC
> > > > key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > > pre-save command:
> > > > post-save command:
/usr/libexec/ipa/certmonger/restart_dirsrv
> > > > LINUX-UNICLOUDIDATTICA-LOCAL
> > > > track: yes
> > > > auto-renew: yes
> > > > Request ID '20171205091409':
> > > > status: CA_UNREACHABLE
> > > > ca-error: Server at
> > > >
https://idc01.linux.unicloudidattica.local/ipa/xml failed request,
will
> > > > retry: -504 (libcurl failed to execute the HTTP POST transaction,
> > > > explaining: Peer's Certificate has expired.).
> > > > stuck: no
> > > > key pair storage:
> > > >
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > > Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> > > > certificate:
> > > >
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> > > > Certificate DB'
> > > > CA: IPA
> > > > issuer: CN=Certificate
Authority,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > subject:
> > > > CN=idc01.linux.unicloudidattica.local,O=LINUX.UNICLOUDIDATTICA.LOCAL
> > > > expires: 2018-01-08 08:33:05 UTC
> > > > key usage:
> > > > digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > eku: id-kp-serverAuth,id-kp-clientAuth
> > > > pre-save command:
> > > > post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> > > > track: yes
> > > > auto-renew: yes
> > > >
> > > >
> > > > Thanks in advance,
> > > > Giulio
> > > > _______________________________________________
> > > > FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> > > > To unsubscribe send an email to
> > > > freeipa-users-leave(a)lists.fedorahosted.org
> > >
> >
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org