I set up IPA a long time ago. Some of the certificates expired, so I went back in time and then it works super smoothly. When I ran ipa-cert-fix the error was "Server-Cert not found". I renewed the Kerberos kdc.key and kdc.crt.
But it still fails to start pki-tomcatd. When I check the status of pki-tomcatd@pki-tomcat it shows running, but the service starts to fail when I come back to the current time and run ipactl restart.
Need urgent help please.
I cannot identify exactly which certificate is expired and is stopping pki-tomcatd from starting.
girish f via FreeIPA-users wrote:
> I cannot identify exactly which certificate is expired and is stopping pki-tomcatd from starting.
You need to provide information on what is going on.
getcert list will show the list of certificates that certmonger is tracking, including the expiration date.
rob
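The following is an added example for readers of this thread, not code from FreeIPA, certmonger or anyone posting here. It reads `getcert list` output (from stdin, or the constructed sample below when run interactively) and reports every tracked request that is expired, close to expiry, stuck, or not in MONITORING status, relative to a chosen point in time. The sample output is constructed: the realm EXAMPLE.TEST, host ipa.example.test, request IDs and dates are placeholders in the format `getcert list` prints, not values from any real deployment.

```python
"""Triage `getcert list` output: which tracked certificates need attention.

Added example for this thread, not FreeIPA or certmonger code. SAMPLE_OUTPUT
is constructed in the format `getcert list` prints; the realm, host, request
IDs and dates are placeholders.
"""
import re
import sys
from datetime import datetime, timezone

SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 3.
Request ID '20240101000001':
\tstatus: CA_UNREACHABLE
\tca-error: Error 35 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: SSL connect error.
\tstuck: no
\tkey pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
\tcertificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2024-02-25 18:27:39 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20240101000002':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2025-06-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20240101000003':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2024-03-20 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

WARN_DAYS = 30  # flag certificates that expire within this many days


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per Request ID."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line or junk before the first request
        key, _, value = line.strip().partition(":")  # ca-error values contain ':' too
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints e.g. '2024-02-25 18:27:39 UTC'; return an aware datetime."""
    stamp = value.rsplit(" ", 1)[0]  # drop the trailing 'UTC'
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def describe(request):
    """Human-readable name: NSS nickname if present, else the file location."""
    cert = request.get("certificate", "")
    m = re.search(r"nickname='([^']+)'", cert) or re.search(r"location='([^']+)'", cert)
    return m.group(1) if m else request["id"]


def triage(text, now):
    """Map request id -> list of problems worth a look, relative to `now`.

    Healthy MONITORING entries with a distant expiry produce no key at all.
    """
    findings = {}
    for r in parse_getcert_list(text):
        problems = []
        if "expires" in r:
            expires = parse_expiry(r["expires"])
            if expires <= now:
                problems.append("EXPIRED at %s" % r["expires"])
            elif (expires - now).days < WARN_DAYS:
                problems.append("expires within %d days (%s)" % (WARN_DAYS, r["expires"]))
        if r.get("status") != "MONITORING":
            problems.append("status %s: %s" % (r.get("status"), r.get("ca-error", "no ca-error")))
        if r.get("stuck") == "yes":
            problems.append("request is stuck")
        if problems:
            findings[r["id"]] = problems
    return findings


if __name__ == "__main__":
    text = SAMPLE_OUTPUT if sys.stdin.isatty() else sys.stdin.read()
    for rid, problems in triage(text, datetime.now(timezone.utc)).items():
        print(rid, describe({"id": rid, "certificate": ""}))
        for p in problems:
            print("   ", p)
```

Usage on a live server: `getcert list | python3 getcert_triage.py`. Passing a fixed `now` to `triage()` instead of the wall clock is what lets you check the picture "as of" the date you plan to travel back to, before you touch the system clock.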
Hi Rob,
As this is with a customer and I have very restricted access, can you tell me your most available time in your time zone, so that within that timeframe I can reply to you more quickly?
girish f via FreeIPA-users wrote:
> Hi Rob,
> As this is with a customer and I have very restricted access, can you tell me your most available time in your time zone, so that within that timeframe I can reply to you more quickly?
I'm not the only one around here.
That the CA works in the past and not the present still suggests an expired cert issue. The CA debug log is your best place to start looking. Begin looking for errors when the CA starts and work down. The CA tends to charge forward past errors, so working backwards is usually not useful. You can also look at the selftest log to see if there is a failure there.
rob
Hi Rob,
I see 4 certificates are expired:
1. ra-agent.pem
2. kdc.pem
3. OCSP signing cert
4. subsystem cert
5. CA signing cert
Number of certificates and requests being tracked: 9.
Request ID '20200416082225':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA360.ORG
	subject: CN=IPA RA,O=IPA360.ORG
	expires: 2024-02-25 18:27:39 UTC
	key usage: digitalSignature,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20200416082243':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA360.ORG
	subject: CN=CA Audit,O=IPA360.ORG
	expires: 2024-02-25 18:27:49 UTC
	key usage: digitalSignature,nonRepudiation
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20200416082244':
	status: CA_UNREACHABLE
	ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent
	issuer: CN=Certificate Authority,O=IPA360.ORG
	subject: CN=OCSP Subsystem,O=IPA360.ORG
	expires: 2024-02-25 18:27:19 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20200416082245':
giri f via FreeIPA-users wrote:
> Number of certificates and requests being tracked: 9.
> Request ID '20200416082225':
> 	status: CA_UNREACHABLE
> 	ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
> 	stuck: no
> 	key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> 	certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> 	CA: dogtag-ipa-ca-renew-agent
> 	issuer: CN=Certificate Authority,O=IPA360.ORG
> 	subject: CN=IPA RA,O=IPA360.ORG
> 	expires: 2024-02-25 18:27:39 UTC
> 	key usage: digitalSignature,keyEncipherment,dataEncipherment
> 	eku: id-kp-serverAuth,id-kp-clientAuth
> 	pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> 	track: yes
> 	auto-renew: yes
> Request ID '20200416082243':
> 	status: CA_UNREACHABLE
> 	ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> 	CA: dogtag-ipa-ca-renew-agent
> 	issuer: CN=Certificate Authority,O=IPA360.ORG
> 	subject: CN=CA Audit,O=IPA360.ORG
> 	expires: 2024-02-25 18:27:49 UTC
> 	key usage: digitalSignature,nonRepudiation
> 	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
> Request ID '20200416082244':
> 	status: CA_UNREACHABLE
> 	ca-error: Error 35 connecting to https://ipa12.ipa360.org:8443/ca/agent/ca/profileReview: SSL connect error.
> 	stuck: no
> 	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> 	CA: dogtag-ipa-ca-renew-agent
> 	issuer: CN=Certificate Authority,O=IPA360.ORG
> 	subject: CN=OCSP Subsystem,O=IPA360.ORG
> 	expires: 2024-02-25 18:27:19 UTC
> 	eku: id-kp-OCSPSigning
> 	pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> 	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> 	track: yes
> 	auto-renew: yes
> Request ID '20200416082245':
So you'll need to go back in time to February of this year. Restart IPA (be sure ntpd isn't restarted) and ensure things are basically functioning.
Then restart certmonger and it should renew the certificates, assuming this server is the renewal master (ipa config-show will tell you).
Once the certificates are successfully renewed, move forward in time, restart IPA and things should continue to work.
rob
freeipa-users@lists.fedorahosted.org