Serge Krawczenko via FreeIPA-users wrote:
Grateful for your response, Rob
On Tue, May 17, 2022 at 9:41 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> sh-4.2# ipa --version
> VERSION: 4.6.8, API_VERSION: 2.237
>
> ipa-cert-fix fails with The ipa-cert-fix command failed, exception:
> RuntimeError: Failed to get Server-Cert
> Indeed, it isn't present in /etc/httpd/alias, though it is still
> present in /etc/pki/pki-tomcat/alias
How did you confirm this, using certutil? I assume the httpd process
won't start?
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
httpd process started, but I didn't mention (sorry) that I have Let's Encrypt
certs for httpd installed via ipa-server-certinstall.
Could this be the reason why the internal certs were not updated?
Here's all I have in /etc/httpd/alias:

certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

<mydomain> IPA CA                                            CT,C,C
CN=R3,O=Let's Encrypt,C=US                                   C,,
<mydomain> IPA CA                                            CT,C,C
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
<mydomain> IPA CA                                            CT,C,C
CN=<mydomain>                                                u,u,u   (letsencrypt for my domain)
Yes, using certutil i can see the absence of Server-Cert in /etc/httpd/alias
Also, for some reason, when trying
getcert list -d /etc/httpd/alias
I'm only getting this, without the detailed list:
Number of certificates and requests being tracked: 8.
This is because you aren't tracking a non-existent cert. It's expected.
You're running into issue
https://pagure.io/freeipa/issue/8600 which was
fixed in 4.9+ so you don't have it. You'll need to work around it in the
ipa_cert_fix.py code.
While
getcert list -d /etc/pki/pki-tomcat/alias
outputs all the certificates and their status.
Is the key there:
certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
I have the key and I have "Server-Cert cert-pki-ca" in /etc/pki/pki-tomcat/alias.
I've even exported "Server-Cert cert-pki-ca" from the /etc/pki/pki-tomcat
alias and imported it into /etc/httpd/alias using pk12util.
I wouldn't recommend doing that. Two different certs for two different
purposes. It probably retained the nickname, including cert-pki-ca.
Still, ipa-cert-fix is unable to find it:
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 100, in run
    certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 142, in expired_certs
    return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 191, in expired_ipa_certs
    cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in get_cert
    raise RuntimeError("Failed to get %s" % nickname)
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
Is there certmonger tracking for it?
getcert list -d /etc/httpd/alias
If there is then you can get a copy of the certificate from
/var/lib/certmonger/requests and try re-installing it with certutil.
Though later you say you can start everything with a date in the past so
this is confusing.
The certmonger service is running and attempts to renew the certificates
permanently, but fails.
I can see requests for valid IDs in /var/lib/certmonger/requests, but
they are still not processed (probably from my attempts to resubmit manually).
> I went through the suggested document and nothing seems to work.
>
> Manual renew via ipa-getcert resubmit also fails with different errors
> such as
> status: MONITORING
> ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess"
> replied: 1: Request 9980034 Not Found
On which certificate?
Request ID '20171204131516':
	status: MONITORING
	ca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent-selfsigned
	expires: 2041-12-28 08:53:41 UTC
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
And there are no errors for the others in /etc/pki/pki-tomcat/alias.
You'll need to manually make a change in
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to not renew by
serial.
You'll find this section of code around line 200:

    args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
             "--cafile", paths.IPA_CA_CRT,
             "--certfile", paths.RA_AGENT_PEM,
             "--keyfile", paths.RA_AGENT_KEY] +
            sys.argv[1:] +
            ['--submit-option', "requestor_name=IPA"])

add:

    args += ['-N']
I'd recommend making this change first, then modify ipa-cert-fix to not
check for the Apache Server-Cert and that may do it.
rob
> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using
> default keytab: Cannot contact any KDC for realm ...
This can happen if all of IPA is not running. certmonger uses the host
keytab to authenticate to the IPA API.
OK, we ignore this for now.
The certificates which were not renewed are:
"ocspSigningCert cert-pki-ca"
"subsystemCert cert-pki-ca"
"Server-Cert cert-pki-ca"
What else should I try?
rob
Great thanks
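The two checks Rob walks through in the thread, as an added example that is not part of the discussion and not FreeIPA or certmonger code: confirm that /etc/httpd/alias actually carries a 'Server-Cert' nickname (the nickname ipa_cert_fix.py 4.6.x asks certdb for) and nothing copied over from the Dogtag database, and pull the ca-error out of every tracked certmonger request. It parses constructed `certutil -L` and `getcert list` output laid out like the listings above; the hostname, realm, request IDs and nicknames in the samples are made up, and the hint strings restate Rob's two explanations rather than anything certmonger itself emits.

```python
"""Offline pre-checks for the `certutil -L` and `getcert list` output discussed
in the thread. Added example for this page; not FreeIPA or certmonger code."""
import re

# Constructed sample, laid out like `certutil -L -d /etc/httpd/alias`: the
# Let's Encrypt chain is there, 'Server-Cert' is not, and a Dogtag nickname
# has been pk12util-imported from /etc/pki/pki-tomcat/alias by mistake.
CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
CN=R3,O=Let's Encrypt,C=US                                   C,,
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
CN=ipa.example.test                                          u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed sample, laid out like `getcert list -d /etc/pki/pki-tomcat/alias`
# (hostname, realm and request IDs are made up).
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20171204131516':
\tstatus: MONITORING
\tca-error: Server at "https://ipa.example.test:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2041-12-28 08:53:41 UTC
Request ID '20171204131517':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm EXAMPLE.TEST
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2022-03-01 10:00:00 UTC
"""

# A certutil row is "<nickname><2+ spaces><SSL>,<S/MIME>,<JAR/XPI>"; the
# nickname may itself contain commas and single spaces (a DN, for instance).
_ROW_RE = re.compile(r"^(?P<nick>\S.*?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")
_NICK_RE = re.compile(r"nickname='([^']+)'")


def parse_certutil_list(text):
    """Return {nickname: trust flags} from `certutil -L` output."""
    certs = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line.rstrip())
        if m:
            certs[m.group("nick")] = m.group("trust")
    return certs


def check_httpd_db(certs, expected="Server-Cert"):
    """Mirror what ipa_cert_fix.expired_ipa_certs() needs from /etc/httpd/alias
    on 4.6.x (a 'Server-Cert' nickname), and flag Dogtag '... cert-pki-ca'
    nicknames that do not belong in the httpd database."""
    problems = []
    if expected not in certs:
        problems.append("no nickname '%s': ipa-cert-fix will fail with "
                        "\"Failed to get %s\"" % (expected, expected))
    problems += ["nickname '%s' belongs in /etc/pki/pki-tomcat/alias, not here" % n
                 for n in certs if n.endswith("cert-pki-ca")]
    return problems


def parse_getcert_list(text):
    """Return one {field: value} dict per 'Request ID' block of `getcert list`,
    with the request 'id' and the certificate 'nickname' added."""
    reqs = []
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            reqs.append({"id": line.split("'")[1]})
        elif reqs and ":" in line:
            key, _, val = line.strip().partition(":")
            reqs[-1][key] = val.strip()
    for r in reqs:
        m = _NICK_RE.search(r.get("certificate", ""))
        r["nickname"] = m.group(1) if m else None
    return reqs


def renewal_failures(reqs):
    """Map nickname -> (status, hint) for every tracked cert with a ca-error.
    The hints restate Rob's explanations from the thread; they are not
    certmonger output."""
    out = {}
    for r in reqs:
        err = r.get("ca-error")
        if not err:
            continue
        if re.search(r"Request \d+ Not Found", err):
            hint = ("CA cannot find the old request by serial; see the -N "
                    "change to dogtag-ipa-ca-renew-agent-submit")
        elif "Cannot contact any KDC" in err:
            hint = "certmonger cannot get a host ticket; check ipactl status"
        else:
            hint = "unclassified"
        out[r["nickname"]] = (r.get("status"), hint)
    return out
```

Run `check_httpd_db(parse_certutil_list(CERTUTIL_SAMPLE))` and it reports both the missing 'Server-Cert' and the stray 'Server-Cert cert-pki-ca'; on a live server, feed it the output of `certutil -L -d /etc/httpd/alias` instead of the sample. `renewal_failures(parse_getcert_list(...))` separates the "Request ... Not Found" case from the "Cannot contact any KDC" case so the two are not chased as one problem.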
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure