Thank you for the reply!
> Did you build this yourself? What is the history of this installation?
> Were there other servers at some point?
No, it's just from Ubuntu's repositories. It's about two years old and
there's nothing of particular note; it was a straightforward install,
no unusual functions. Never had another server connected to it—always
planned one but it's waiting on priority and budget.
> Check the Apache error log
Thank you, that was helpful—kind of forget it's even part of the
install. Appears there is a PyAsn1 Error? Maybe a Python2.7 vs. 3.6 thing?
[Fri Oct 09 00:00:25.453485 2020] [wsgi:error] [pid 7034] [remote
10.1.5.4:59838] ipa: INFO: [xmlserver] host/ipa01.my.domain(a)MY.REALM:
cert_request(u'...',
profile_id=u'caIPAserviceCert',
principal=u'ldap/ipa01.my.domain(a)MY.REALM', add=True, version=u'2.51'):
InternalError
[Fri Oct 09 00:00:35.402170 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] ipa: ERROR: non-public: PyAsn1Error: <TagSet object at
0x7f378035fd10 tags 0:32:16> not in asn1Spec: <OctetString schema object
at 0x7f377b8f99d0 tagSet <TagSet object at 0x7f379ae94290 tags 0:0:4>
encoding iso-8859-1>
[Fri Oct 09 00:00:35.402274 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] Traceback (most recent call last):
[Fri Oct 09 00:00:35.402288 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipaserver/rpcserver.py", line 367, in
wsgi_execute
[Fri Oct 09 00:00:35.402299 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] result = command(*args, **options)
[Fri Oct 09 00:00:35.402309 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 450, in __call__
[Fri Oct 09 00:00:35.402320 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] return self.__do_call(*args, **options)
[Fri Oct 09 00:00:35.402330 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 478, in
__do_call
[Fri Oct 09 00:00:35.402341 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] ret = self.run(*args, **options)
[Fri Oct 09 00:00:35.402351 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipalib/frontend.py", line 800, in run
[Fri Oct 09 00:00:35.402361 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] return self.execute(*args, **options)
[Fri Oct 09 00:00:35.402371 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 884,
in execute
[Fri Oct 09 00:00:35.402382 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] self.obj._parse(result, all)
[Fri Oct 09 00:00:35.402392 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipaserver/plugins/cert.py", line 493,
in _parse
[Fri Oct 09 00:00:35.402402 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] cert.san_general_names)
[Fri Oct 09 00:00:35.402412 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 318, in
san_general_names
[Fri Oct 09 00:00:35.402451 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] gns = self.__pyasn1_get_san_general_names()
[Fri Oct 09 00:00:35.402462 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/ipalib/x509.py", line 350, in
__pyasn1_get_san_general_names
[Fri Oct 09 00:00:35.402473 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] ext['extnValue'], asn1Spec=univ.OctetString())[0]
[Fri Oct 09 00:00:35.402483 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] File
"/usr/lib/python2.7/dist-packages/pyasn1/codec/ber/decoder.py", line
1318, in __call__
[Fri Oct 09 00:00:35.402494 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] '%s not in asn1Spec: %r' % (tagSet, asn1Spec)
[Fri Oct 09 00:00:35.402505 2020] [wsgi:error] [pid 7033] [remote
10.1.5.4:59876] PyAsn1Error: <TagSet object at 0x7f378035fd10 tags
0:32:16> not in asn1Spec: <OctetString schema object at 0x7f377b8f99d0
tagSet <TagSet object at 0x7f379ae94290 tags 0:0:4> encoding iso-8859-1>
What version of python-pyasn1 and pyasn1-modules is installed? You might
try upgrading/downgrading them to see if that helps.
rob
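The PyAsn1Error quoted above renders ASN.1 tags as class:format:id triples: the decode call in the traceback expected 0:0:4 (UNIVERSAL, primitive, OCTET STRING) and was handed 0:32:16 (UNIVERSAL, constructed, SEQUENCE). As an added example (not code from this thread, FreeIPA or pyasn1), the following reads those triples straight from DER identifier octets, applies the same tag-versus-spec check, and walks the two layers of a SubjectAltName value; the sample bytes are constructed for ipa01.my.domain and are not the poster's certificate.

```python
OCTET_STRING = (0, 0, 4)        # pyasn1 renders this as "tags 0:0:4"
SEQUENCE = (0, 32, 16)          # pyasn1 renders this as "tags 0:32:16"
UNIVERSAL_NAMES = {4: "OCTET STRING", 6: "OBJECT IDENTIFIER", 16: "SEQUENCE", 17: "SET"}

def tagset_of(der):
    """Split the identifier octet into pyasn1's (class, format, id) triple."""
    b = der[0]
    if b & 0x1F == 0x1F:
        raise ValueError("high-tag-number form not handled")
    return (b & 0xC0, b & 0x20, b & 0x1F)   # class bits 8-7, constructed bit 6, number bits 5-1

def tagset_str(triple):
    return "%d:%d:%d" % triple

def read_tlv(der, pos=0):
    """Return (tag_triple, value_bytes, next_pos) for one DER element starting at pos."""
    triple = tagset_of(der[pos:])
    length = der[pos + 1]
    pos += 2
    if length & 0x80:                       # long form: low 7 bits count the length octets
        n = length & 0x7F
        length = int.from_bytes(der[pos:pos + n], "big")
        pos += n
    return triple, der[pos:pos + length], pos + length

def diagnose_extn_value(buf, expected=OCTET_STRING):
    """Apply the same tag-vs-asn1Spec check the decoder made, but explain the outcome."""
    got = tagset_of(buf)
    if got == expected:
        return "ok: buffer is the %s the spec expects" % UNIVERSAL_NAMES[got[2]]
    return ("%s not in asn1Spec %s: buffer starts with a %s, i.e. the inner value "
            "was handed to a decoder that expected the OCTET STRING wrapper"
            % (tagset_str(got), tagset_str(expected), UNIVERSAL_NAMES.get(got[2], "?")))

def san_dns_names(general_names):
    """Walk a GeneralNames SEQUENCE and collect dNSName ([2] IMPLICIT IA5String) entries."""
    _, body, _ = read_tlv(general_names)
    names, pos = [], 0
    while pos < len(body):
        triple, value, pos = read_tlv(body, pos)
        if triple == (0x80, 0, 2):          # context-specific, primitive, tag number 2
            names.append(value.decode("ascii"))
    return names

# Constructed sample (not the thread's certificate): SAN holding dNSName ipa01.my.domain
GENERAL_NAMES = bytes([0x30, 0x11, 0x82, 0x0F]) + b"ipa01.my.domain"   # SEQUENCE { [2] IA5String }
EXTN_VALUE = bytes([0x04, 0x13]) + GENERAL_NAMES                        # OCTET STRING wrapper
```

Feeding EXTN_VALUE to diagnose_extn_value passes, while feeding GENERAL_NAMES reproduces the shape of the error in the log: a SEQUENCE where an OCTET STRING was expected.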
> This suggests the tracking is really messed up. Can you provide the
> output of getcert list?
Below.
>> Possibly ipa-cert-fix or pki-server cert-fix would take care of it, but they
>> aren't in this version and I'm reluctant to upgrade the distro without proper
>> preparation.
> It wouldn't fix the 389 or Apache certs.
Thanks—glad I didn't go through that then!
>
>> Everything starts without any problems. With the date set, everything is
>> functioning like normal as far as I can tell.
>>
>> I have rolled back the date successfully making sure to respect the
>> 'notbefore' on ra-agent.pem
> Does this suggest that the RA agent cert was renewed at some point?
Yeah, I suppose it must have been successfully renewed by certmonger...
I didn't think too hard about it since it wasn't expired:
Owner: CN=IPA RA, O=MY.REALM
Issuer: CN=Certificate Authority, O=MY.REALM
Serial number: 11
Valid from: Sat Sep 12 02:33:38 MDT 2020 until: Fri Sep 02 02:33:38 MDT 2022
Certificate fingerprints:
SHA1: A8:32:C6:B4:C1:BF:C8:54:6B:35:F6:C7:DF:68:FB:47:73:C7:B4:2C
SHA256:
5F:E8:77:BA:72:E4:64:56:E7:23:54:32:56:0D:66:7A:03:04:0F:04:7C:CE:E6:25:44:4A:15:B1:06:81:05:4A
Signature algorithm name: SHA256withRSA
Subject Public Key Algorithm: 2048-bit RSA key
Version: 3
-----------
Number of certificates and requests being tracked: 9.
Request ID '20181021083324':
status: MONITORING
stuck: no
key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=IPA RA,O=MY.REALM
expires: 2022-09-02 02:33:38 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20181021083404':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=localhost
expires: 2022-09-05 12:15:19 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083405':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=localhost
expires: 2020-10-13 12:14:21 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083406':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=localhost
expires: 2020-10-13 12:15:01 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083407':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=localhost
expires: 2020-10-10 02:34:28 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083408':
status: NEED_CSR_GEN_TOKEN
stuck: yes
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=localhost
expires: 2020-10-13 12:14:29 MDT
key usage: digitalSignature,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
post-save command: /usr/lib/ipa/certmonger/renew_ca_cert
"Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20181021083613':
status: CA_UNREACHABLE
ca-error: Server at
https://ipa01.my.domain/ipa/xml failed
request, will retry: 903 (RPC failed at server. an internal error has
occurred).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-MY-REALM/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=ipa01.my.domain,O=MY.REALM
expires: 2020-10-21 02:36:13 MDT
dns: ipa01.my.domain
principal name: ldap/ipa01.my.domain(a)MY.REALM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv MY-REALM
track: yes
auto-renew: yes
Request ID '20181021083714':
status: NEED_CSR_GEN_PIN
stuck: yes
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/ipa01.my.domain-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=ipa01.my.domain,O=MY.REALM
expires: 2020-10-21 02:37:17 MDT
dns: ipa01.my.domain
principal name: HTTP/ipa01.my.domain(a)MY.REALM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20181021083724':
status: CA_UNREACHABLE
ca-error: Server at
https://ipa01.my.domain/ipa/xml failed
request, will retry: 903 (RPC failed at server. an internal error has
occurred).
stuck: no
key pair storage: type=FILE,location='/var/lib/krb5kdc/kdc.key'
certificate: type=FILE,location='/var/lib/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=MY.REALM
subject: CN=ipa01.my.domain,O=MY.REALM
expires: 2020-10-21 02:37:25 MDT
principal name: krbtgt/MY.REALM(a)MY.REALM
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
pre-save command:
post-save command: /usr/lib/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
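The getcert list dump above is easier to reason about once the tracked entries are ordered by expiry date with the stuck ones marked. The following is an added triage helper (not part of this thread, certmonger or FreeIPA) that parses `getcert list` output into per-request records and ranks them; the sample is a constructed two-entry subset of the dump above, and the reference time is taken from the Apache log lines, assuming they are in the same zone as the getcert timestamps.

```python
import re
from datetime import datetime
REQUEST_RE = re.compile(r"^Request ID '(\d+)':")
TS_FMT = "%Y-%m-%d %H:%M:%S"   # certmonger appends a zone name ("MDT"); it is sliced off below

def parse_getcert_list(text):
    """Split `getcert list` output into one {field: value} dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")   # split on the first colon only
            current[key.strip()] = value.strip()
    return requests

def cert_name(req):
    """Label a request by its NSS nickname when present, otherwise by subject."""
    m = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
    return m.group(1) if m else req.get("subject", req["id"])

def triage(requests, now, warn_days=30):
    """(name, status, days_left, flags) per request, earliest expiry first; `now` is 'YYYY-MM-DD HH:MM:SS' in getcert's zone."""
    now_dt = datetime.strptime(now[:19], TS_FMT)
    rows = []
    for req in requests:
        days_left = (datetime.strptime(req["expires"][:19], TS_FMT) - now_dt).days
        flags = ["STUCK"] if req.get("stuck") == "yes" else []
        if days_left < 0:
            flags.append("EXPIRED")
        elif days_left <= warn_days:
            flags.append("EXPIRES_SOON")
        rows.append((req["expires"], cert_name(req), req["status"], days_left, flags))
    return [row[1:] for row in sorted(rows)]   # ISO timestamps sort correctly as strings

# Constructed sample: two of the nine entries in the thread, in getcert's tab-indented layout.
SAMPLE = """Request ID '20181021083407':
\tstatus: NEED_CSR_GEN_TOKEN
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2020-10-10 02:34:28 MDT
Request ID '20181021083613':
\tstatus: CA_UNREACHABLE
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-MY-REALM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2020-10-21 02:36:13 MDT
"""
```

Running `triage(parse_getcert_list(SAMPLE), "2020-10-09 00:00:25")` puts the stuck caSigningCert first with one day left, ahead of the directory server certificate with twelve.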
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...