On 16.07.20 15:50, Florence Blanc-Renaud wrote: > On 7/16/20 3:00 PM, Lorenz Braun via FreeIPA-users wrote: >> I was thinking something similar. I tried >> ``` >> [root@ipa01 ~]# ipa-cacert-manage renew >> Renewing CA certificate, please wait >> Error resubmitting certmonger request '20200716071025', please check >> the request manually >> The ipa-cacert-manage command failed. >> ``` > > Hi, > this command is used to renew IPA CA certificate and not applicable to > the current situation. IPA CA has ~20 years validity and this cert is > unlikely to be expired. Good to know, thanks! >> ``` >> [root@ipa01 ~]# getcert list >> Number of certificates and requests being tracked: 9. >> [...] >> Request ID '20200716071025': >>          status: CA_UNREACHABLE > This is expected in your case as pki is down, and won't be able to > manage the certificate renewal request. > >>          ca-error: Internal error >>          stuck: no >>          key pair storage: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >> cert-pki-ca',token='NSS Certificate DB',pin set >>          certificate: >> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert >> cert-pki-ca',token='NSS Certificate DB' >>          CA: dogtag-ipa-ca-renew-agent >>          issuer: CN=Certificate Authority,O=EXAMPLE.COM >>          subject: CN=Certificate Authority,O=EXAMPLE.COM >>          expires: 2040-07-16 07:08:27 UTC >>          key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign >>          pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad >>          post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert >> "caSigningCert cert-pki-ca" >>          track: yes >>          auto-renew: yes >> [...] >> ``` >> >> The other one are all MONITORING and expire at 2022. Since i tried to >> force a new cert maybe this is still okay and the problem lies >> somewhere else? > > Then the problem is different. Since the new certs will expire 2022 > (in 2 years), I suspect that they were renewed recently but the > renewal failed in the middle. > > You can refer to [1] in order to ensure that this is the root cause > and fix the current situation. > > HTH, > flo > > [1] > https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tom... > I have checked and the certificate from /etc/pki/pki-tomcat/alias and ldap are the exactly the same. I attached /var/log/pki/pki-tomcat/ca/debug. The error message there is different: ``` [16/Jul/2020:16:24:57][profileChangeMonitor]: SignedAuditLogger: event CLIENT_ACCESS_SESSION_ESTABLISH java.net.ConnectException: Connection refused (Connection refused)         at java.net.PlainSocketImpl.socketConnect(Native Method)         at java.net.AbstractPlainSocketImpl.doConnect(AbstractPlainSocketImpl.java:350)         at java.net.AbstractPlainSocketImpl.connectToAddress(AbstractPlainSocketImpl.java:206)         at java.net.AbstractPlainSocketImpl.connect(AbstractPlainSocketImpl.java:188)         at java.net.SocksSocketImpl.connect(SocksSocketImpl.java:392)         at java.net.Socket.connect(Socket.java:607)         at java.net.Socket.connect(Socket.java:556)         at java.net.Socket.<init>(Socket.java:452)         at java.net.Socket.<init>(Socket.java:262)         at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSSLSocket(PKISocketFactory.java:120)         at com.netscape.cmscore.ldapconn.PKISocketFactory.makeSocket(PKISocketFactory.java:159)         at netscape.ldap.LDAPConnSetupMgr.connectServer(Unknown Source)         at netscape.ldap.LDAPConnSetupMgr.openSerial(Unknown Source)         at netscape.ldap.LDAPConnSetupMgr.connect(Unknown Source)         at netscape.ldap.LDAPConnSetupMgr.openConnection(Unknown Source)         at netscape.ldap.LDAPConnThread.connect(Unknown Source)         at netscape.ldap.LDAPConnection.connect(Unknown Source)         at netscape.ldap.LDAPConnection.connect(Unknown Source)         at netscape.ldap.LDAPConnection.connect(Unknown Source)         at com.netscape.cmscore.ldapconn.LdapBoundConnection.<init>(LdapBoundConnection.java:82)         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory$BoundConnection.<init>(LdapBoundConnFactory.java:531)         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.makeConnection(LdapBoundConnFactory.java:187)         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:332)         at com.netscape.cmscore.ldapconn.LdapBoundConnFactory.getConn(LdapBoundConnFactory.java:295)         at com.netscape.cmscore.profile.LDAPProfileSubsystem.run(LDAPProfileSubsystem.java:426)         at java.lang.Thread.run(Thread.java:748) [...] [16/Jul/2020:16:24:57][profileChangeMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1) [16/Jul/2020:16:24:57][authorityMonitor]: Can't create master connection in LdapBoundConnFactory::getConn! Could not connect to LDAP server host ipa01.example.com port 636 Error netscape.ldap.LDAPException: Unable to create socket: java.net.ConnectException: Connection refused (Connection refused) (-1) ``` Firewall is not restricting this and i am a bit puzzled on why the connection fails. If the service is not running or the port not open ldapsearch should also not work, right? I might test a fresh ipa install without restoring any data. Maybe something with my OS or network is wrong.

Best Regards Lorenz