Does the outdated certificate show in 'ipa getcert-list'?
What certificate is the replica failing to replicate exactly?
Also it's possible that you will need to travel back in time (stopping the
chronyd service and then changing the time to when the certificate was
still valid) and update it then.
On Thu, Jan 26, 2023 at 11:20 AM MM MM via FreeIPA-users
<freeipa-users(a)lists.fedorahosted.org> wrote:
Hi,
we have two IPA servers (primary and replica) in the same network. Both are running on
CentOS 7. On 1st January we had the problem that suddenly the authentication didn't work
anymore.
During troubleshooting we noticed that the subsystem CAs had been expired for nearly two
years. I don't know why the error didn't occur earlier. At this point we could fix the
primary server with the command „ipa-cert-fix“, but the replica couldn't be included in
the FreeIPA anymore. So we decided to install a fresh system - CentOS 7, same IPA
version, same IP, same hostname. We could bind the new system without any problems to the
existing primary server, but when we tried to install the replica service, we got the
following error:
"
RuntimeError: CA configuration failed.
2023-01-26T07:48:34Z DEBUG [error] RuntimeError: CA configuration failed.
2023-01-26T07:48:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
"
In the pki-tomcatd debug log it’s a bit more detailed:
"
2023-01-26 08:48:32 [main] SEVERE: LogFile: Attempt to log message
"/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 0.main
- [26/Jan/2023:08:48:32 CET] [14] [6]
[AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=10.150.116.54][ServerHost=10.150.116.54][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent:
CLOSE_NOTIFY] access session terminated when Certificate System acts as client
2023-01-26 08:48:32 [main] SEVERE: Exception sending context initialized event to
listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.RuntimeException: Unable to start CA engine: Selftest failed: Invalid
certificate ocspSigningCert cert-pki-ca: NotAfter: Sun Mar 07 15:49:58 CET 2021
2023-01-26 08:48:32 [main] INFO: Shutting down CA subsystem
"
As you can see the CA replication couldn't be started, as there are expired subsystem
CAs on the primary system.
First we tried to remove the expired subsystem CA certificates from the LDAP tree with
ldapdelete -x -D "cn=directory manager" -W
"cn=44,ou=ca,ou=requests,o=ipaca"
and
ldapdelete -x -D "cn=directory manager" -W
"cn=44,ou=certificateRepository,ou=ca,o=ipaca"
as there are newly generated subsystem CA certificates already, but „ipa-cert-fix“
still reported that these certificates are expired. This had the effect that
pki-tomcatd didn't start anymore.
Next we also removed the expired certificates from pki-tomcat with
/usr/bin/certutil -d sql:/etc/pki/pki-tomcat/alias -D -n 'ocspSigningCert cert-pki-ca' -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
At this point the IPA service starts without any problems and „ipa-cert-fix“ doesn't
show any expired certificates anymore, but when we tried to initialize the replica it
still tries to replicate the old expired certificates, ending in an HTTP 404 error.
Now we’ve reached a point where we just don’t have any more ideas.
I hope somebody has an idea and can help.
If you need some more information and/or logs, we can deliver them at any time!
Thanks in advance!
Best regards
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue
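The check the reply asks for (which certmonger-tracked certificates are already expired, which requests certmonger itself reports as stuck, and roughly how far back the clock would have to go for a retried renewal), as an added example that is not part of the thread and not FreeIPA or certmonger code. It parses the text that `getcert list` prints on a CA master. The sample output embedded below is constructed: only the OCSP signing certificate's expiry mirrors the NotAfter in the pki-tomcat log (2021-03-07 15:49:58 CET is 14:49:58 UTC); the request IDs, the EXAMPLE.TEST realm and the hostname are made up.

```python
"""Find expired certmonger-tracked certificates from `getcert list` output.

Added example for this thread; not FreeIPA or certmonger code. SAMPLE_GETCERT_LIST
is constructed: only the OCSP signing cert's expiry matches the NotAfter in the
pki-tomcat log (2021-03-07 15:49:58 CET == 14:49:58 UTC); request IDs, the realm
(EXAMPLE.TEST) and the hostname are made up.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout certmonger's `getcert list` uses (tab-indented
# fields under each "Request ID" line); trimmed to the fields this script reads.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20210101000001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2021-03-07 14:49:58 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20210101000002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.TEST
\texpires: 2021-03-07 14:50:12 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20230105120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2025-01-05 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Timestamp of the failed replica install taken from the ipareplica-install log.
INSTALL_FAILURE_TIME = datetime(2023, 1, 26, 7, 48, 34, tzinfo=timezone.utc)

_REQ_RE = re.compile(r"^Request ID '(?P<id>[^']+)':$")
_FIELD_RE = re.compile(r"^\t(?P<key>[^:]+): (?P<val>.*)$")
_NICK_RE = re.compile(r"nickname='(?P<nick>[^']*)'")
_LOC_RE = re.compile(r"location='(?P<loc>[^']*)'")


def parse_getcert_list(text):
    """Return one dict per tracked request: the raw fields plus parsed
    'nickname', 'location' and 'expires_at' (timezone-aware UTC datetime)."""
    records, cur = [], None
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            cur = {"request_id": m.group("id")}
            records.append(cur)
            continue
        m = _FIELD_RE.match(line) if cur is not None else None
        if not m:
            continue  # header line, or a field layout we don't parse
        key, val = m.group("key"), m.group("val")
        cur[key] = val
        if key == "certificate":
            nick, loc = _NICK_RE.search(val), _LOC_RE.search(val)
            cur["nickname"] = nick.group("nick") if nick else None
            cur["location"] = loc.group("loc") if loc else None
        elif key == "expires":
            cur["expires_at"] = datetime.strptime(
                val, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return records


def expired_certs(records, now):
    """Tracked certs whose NotAfter is at or before `now`."""
    return [r for r in records if "expires_at" in r and r["expires_at"] <= now]


def stuck_requests(records):
    """Requests certmonger itself reports as unhealthy (stuck, or a status
    other than MONITORING); a failed renewal attempt shows up here."""
    return [r for r in records
            if r.get("stuck") == "yes" or r.get("status") != "MONITORING"]


def clock_target(expired):
    """A time at which every listed cert was still valid: one day before the
    earliest expiry. It must also lie after each cert's NotBefore, which getcert
    does not print; confirm with `certutil -L -d <location> -n '<nickname>'`."""
    if not expired:
        return None
    return min(r["expires_at"] for r in expired) - timedelta(days=1)


if __name__ == "__main__":
    recs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    exp = expired_certs(recs, INSTALL_FAILURE_TIME)
    for r in exp:
        print(f"EXPIRED {r['nickname']!r} in {r['location']} "
              f"(status {r['status']}, NotAfter {r['expires_at']:%Y-%m-%d %H:%M:%S %Z})")
    for r in stuck_requests(recs):
        print(f"STUCK   request {r['request_id']} {r.get('nickname')!r}: {r['status']}")
    target = clock_target(exp)
    if target is not None:
        print(f"clock target for a retried renewal: {target:%Y-%m-%d %H:%M:%S %Z}")
```

On a real master, save `getcert list` to a file and pass its contents to `parse_getcert_list`; the expired entries in `/etc/pki/pki-tomcat/alias` are the CA subsystem certificates that `ipa-cert-fix` renews, and a `CA_UNREACHABLE` status alongside them explains why certmonger never renewed on its own. The suggested clock target is only a lower bound on "a time when the certificate was still valid": before setting the system clock back, check the NotBefore of every certificate involved with certutil, because the value is not in the getcert output.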