On 3/5/19 8:44 AM, Sina Owolabi via FreeIPA-users wrote:
Hi!
I tried to follow this solution for cert renewal for RHEL6:
https://access.redhat.com/solutions/643753 (Sorry, desperation is
setting in), but when I attempted Step 2, I got:
Hi,
1. this note was written for RHEL 6 but you said in your first e-mail
that your server is running CentOS 7 with ipa 4.5.4. Please don't follow
those instructions as they are not adapted to your deployment.
The instructions for RHEL 7 are available at
https://access.redhat.com/solutions/3357261.
2. In a previous e-mail, the output of getcert list | grep -i expires
did not show any expired certificates, so I would not rush into wrong
conclusions. We need to understand first why pki did not start.
What is the output of:
$ ipactl status
$ systemctl status pki-tomcatd@pki-tomcat.service
flo
# for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" \
      "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"; do
    echo "$nickname"
    certutil -L -d /var/lib/pki-ca/alias -n "${nickname}" | grep -i after
done
auditSigningCert cert-pki-ca
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
ocspSigningCert cert-pki-ca
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
subsystemCert cert-pki-ca
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
Server-Cert cert-pki-ca
certutil: function failed: SEC_ERROR_LEGACY_DATABASE: The
certificate/key database is in an old, unsupported format.
Could this be the root of my problems?
And how can I convert them?
On Mon, Mar 4, 2019 at 9:08 PM Sina Owolabi <notify.sina(a)gmail.com> wrote:
>
> Restarting ipa didn't create the logs.
> Please, what else can I do?
>
> On Mon, Mar 4, 2019 at 8:47 PM Sina Owolabi <notify.sina(a)gmail.com> wrote:
>>
>> Hi!
>>
>> getcert list | grep -i expires
>> expires: 2019-04-13 12:08:20 UTC
>> expires: 2019-04-13 12:08:06 UTC
>> expires: 2019-04-13 12:07:50 UTC
>> expires: 2035-06-01 08:33:01 UTC
>> expires: 2019-04-13 12:07:41 UTC
>> expires: 2019-04-13 12:06:55 UTC
>> expires: 2019-05-05 12:06:41 UTC
>> expires: 2019-05-05 12:06:56 UTC
>> expires: 2020-01-17 19:56:03 UTC
>>
>> I didn't find a /var/log/pki/pki-tomcat/ca/debug directory, but I am
>> creating one and running "ipactl restart".
>>
>> On Mon, Mar 4, 2019 at 8:10 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
>>>
>>> Sina Owolabi via FreeIPA-users wrote:
>>>> Hi!
>>>>
>>>> I am running a small IPA domain (CentOS 7 servers, ipa version 4.5.4,
>>>> api version 2.228), with one master, and two replicas, and I noticed
>>>> that pki-tomcatd no longer works on the master, after attempting a
>>>> reboot.
>>>> pki-tomcatd works fine on the slaves.
>>>> I noticed if I try to run IPA functions (dns record removal, hosts
>>>> management, user passwords, etc), I receive responses like this:
>>>>
>>>> ipa: ERROR: Certificate operation cannot be completed: Unable to
>>>> communicate with CMS (Internal Server Error)
>>>> But on the replicas, functions work fine.
>>>> Please can someone guide me on how to fix this?
>>>
>>> The CA log is in /var/log/pki/pki-tomcat/ca/debug. That may have some
>>> pointers. I'd look at selftests.log first.
>>>
>>> My guess is that some of the CA certificates have failed to renew.
>>>
>>> getcert list | grep -i expires
>>>
>>> rob
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...