Hello.
I'm contacting you because I have a problem with expired certificates on my IPA
servers.
I'm still using IPA 3.0.0 for the moment.
# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160321140609':
status: CA_UNREACHABLE
ca-error: Server at https://<HOST>/ipa/xml failed request, will
retry: 4301 (RPC failed at server. Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<REALM>
subject: CN=<HOST>,O=<REALM>
expires: 2018-03-22 14:06:09 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20160321140642':
status: CA_UNREACHABLE
ca-error: Server at https://<HOST>/ipa/xml failed request, will
retry: 4301 (RPC failed at server. Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<REALM>
subject: CN=<HOST>,O=<REALM>
expires: 2018-03-22 14:06:41 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20160321140750':
status: CA_UNREACHABLE
ca-error: Server at https://<HOST>/ipa/xml failed request, will
retry: 4301 (RPC failed at server. Certificate operation cannot be
completed: Unable to communicate with CMS (Not Found)).
stuck: no
key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=<REALM>
subject: CN=<HOST>,O=<REALM>
expires: 2018-03-22 14:07:50 UTC
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Because of this, unfortunately, the commands ipa user-show etc. do not
work anymore. I wonder whether IPA itself works well or not when we have this
certificate problem?
Anyway, I went back in time, to before the certificates expired:
###
service ntpd stop
date --set="2018-03-10 10:00:00"
###
And then I tried to renew these certificates with certmonger:
###
# ipa-getcert resubmit -i 20160321140609
Resubmitting "20160321140609" to "IPA".
# ipa-getcert resubmit -i 20160321140642
Resubmitting "20160321140642" to "IPA".
# ipa-getcert resubmit -i 20160321140750
Resubmitting "20160321140750" to "IPA".
###
But it didn't change anything; the certificates are still expired :(.
I have the following error message in the httpd log when I perform a resubmit.
###
[Sat Mar 10 11:29:18 2018] [error] ipa: ERROR:
ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with
CMS (Not Found)
[Sat Mar 10 11:29:18 2018] [error] ipa: INFO: host/<HOST>@<REALM>:
cert_request(u'MIIDwjCCAqoCAQAwPTEQMA4GA1UEChMHQkRGREVWMjEpMCcGA1UEAxMgZHZiZGZrYjIxLnJvdWVuLmZyYW5jZXRlbGVjb20uZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDr7BrPDFwenvnTLYPx29WEcsELc94+XcCm8fZSnr749/OGcqfqwurwH6NehL0eZjW7+uwtl3l3SJ1XIrUL4DDQ7b46EQh39hXRCepAIjfAFL2QVc1OEMtcGU2ahFk6Qoh+0ERr2zUMzV968IaebICzsHFyDedbM1lekOZKCpmgdhKi4JJM2IRXQggFsJGfoePfh7inj5VsLplC1Lkx22ka3I/8TiXdfUp0mzZQkXD3B3HTDy5hubhYeUXDwayqLQP6Wu0GHWwko2tlWZPCpg7Hfk+f1Wfu2XIb7JfbRscG/4C2bJNiTaGx7fqb3JDVnrOWEdEWZ2Lug+h6aBNa18oZAgMBAAGgggE+MCUGCSqGSIb3DQEJFDEYHhYAUwBlAHIAdgBlAHIALQBDAGUAcgB0MIIBEwYJKoZIhvcNAQkOMYIBBDCCAQAwDgYDVR0PAQEABAQDAgTwMIGbBgNVHREBAQAEgZAwgY2gPQYKKwYBBAGCNxQCA6AvDC1sZGFwL2R2YmRma2IyMS5yb3Vlbi5mcmFuY2V0ZWxlY29tLmZyQEJERkRFVjKgTAYGKwYBBQICoEIwQKAJGwdCREZERVYyoTMwMaADAgEBoSowKBsEbGRhcBsgZHZiZGZrYjIxLnJvdWVuLmZyYW5jZXRlbGVjb20uZnIwIAYDVR0lAQEABBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFBa5zjLzw1wh3+5Mask290q98ZOxMA0GCSqGSIb3DQEBCwUAA4IBAQBx55mJOaAL0z4w8PzND8IgfdusTS2F1YsdfeMtoERl++n1kEvU0W0AmcQ9i9POiDx1+wTvhiVkdvrc18r6FKxHUjKDPkdEZ61jW9vuXY+uzFdQzbezOQ842n2vhmapgLX9WQrdv7iE+CLTn3sA3pNnbg4M6mL77CUPo7VJgiaNIuj4y7GCaAnUFrjyje93KBYDdsV2FLUoCblzE14DMmbxa1ApskYhskaPkbmvuiVWdsejsaPG3vYPZw+mZhhoKKeB8eenVIFqLmj42Cc8nZghgw6gqDj9aB3vj+wVhba2jFFLMqp8NB9oohHSb4wAY8zceU6ygKyO1MhTaqy+GSPo',
principal=u'ldap/<HOST>@<REALM>', add=True): CertificateOperationError
###
The CA service is running:
###
# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###
I wonder what I could do? Thank you in advance for your help.
BR.
Lune
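The situation above is easiest to diagnose before the certificates actually expire, by checking the `ipa-getcert list` output for every tracked request rather than waiting for `ipa user-show` to fail. The following is an added example, not code from the original post or from FreeIPA/certmonger: a small Python checker that parses the listing format shown in the post, flags each request that is expired, close to expiry, or whose status is not `MONITORING` (certmonger's steady state for a healthy tracked certificate), and reports the earliest expiry among all tracked certificates. The sample listing embedded in it is constructed from the redacted output in the post (`<HOST>` and `<REALM>` are placeholders); the second, healthy request is invented for contrast.

```python
"""Check `ipa-getcert list` output for expired or un-renewable certificates.

Added example, not from the original post or from FreeIPA/certmonger.
The SAMPLE listing is constructed from the redacted output in the post;
<HOST> and <REALM> are placeholders and the second request is invented.
"""
import re
import sys
from datetime import datetime, timezone

EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"          # format certmonger prints
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")

SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160321140609':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tissuer: CN=Certificate Authority,O=<REALM>
\tsubject: CN=<HOST>,O=<REALM>
\texpires: 2018-03-22 14:06:09 UTC
\tkey usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\teku: id-kp-serverAuth,id-kp-clientAuth
\tpre-save command:
\tpost-save command:
\ttrack: yes
\tauto-renew: yes
Request ID 'constructed-healthy-0001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=<HOST>,O=<REALM>
\texpires: 2019-01-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Split the listing into one dict of 'field: value' pairs per Request ID."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as the ca-error
            # URL contain further colons.
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def check_request(req, now, warn_days=30):
    """Return a summary row for one request with a list of problems found."""
    problems = []
    expires = datetime.strptime(req["expires"], EXPIRES_FMT)
    days_left = (expires - now).days           # negative once expired
    if expires <= now:
        problems.append("expired")
    elif days_left <= warn_days:
        problems.append("expires within %d days" % warn_days)
    status = req.get("status", "")
    if status != "MONITORING":
        problems.append("renewal not healthy (status %s)" % status)
    if req.get("ca-error"):
        problems.append("ca-error: " + req["ca-error"])
    if req.get("stuck") == "yes":
        problems.append("stuck")
    return {"id": req["id"], "subject": req.get("subject", ""),
            "location": req.get("certificate", ""), "status": status,
            "expires": req["expires"], "days_left": days_left,
            "problems": problems}


def report(text, now_str):
    """Check every request in the listing against the given UTC timestamp."""
    now = datetime.strptime(now_str, EXPIRES_FMT)
    return [check_request(r, now) for r in parse_getcert_list(text)]


def earliest_expiry(text):
    """Earliest 'expires' value among all tracked requests (as printed)."""
    return min((r["expires"] for r in parse_getcert_list(text)),
               key=lambda s: datetime.strptime(s, EXPIRES_FMT))


if __name__ == "__main__":
    # Usage: ipa-getcert list | python3 check_getcert.py   (else uses SAMPLE)
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    now = datetime.now(timezone.utc).strftime(EXPIRES_FMT)
    for row in report(text, now):
        flag = "PROBLEM" if row["problems"] else "ok"
        print("%s %s %s expires %s (%d days) %s" % (
            flag, row["id"], row["subject"], row["expires"],
            row["days_left"], "; ".join(row["problems"])))
    print("earliest expiry:", earliest_expiry(text))
```

Run with the real listing piped in (`ipa-getcert list | python3 check_getcert.py`) on each IPA server; a row with `CA_UNREACHABLE` plus a `ca-error` while `days_left` is still positive is the point at which the renewal chain needs attention, well before LDAP and HTTP stop accepting the server certificate.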