On 26-10-18 18:00, Timo Aaltonen wrote:
> On 26.10.2018 18.59, Kees Bakker wrote:
>> On 26-10-18 14:55, Timo Aaltonen wrote:
>>> On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote:
>>>> On 25-10-18 20:46, Timo Aaltonen wrote:
>>>>> On 25.10.2018 21.44, Rob Crittenden wrote:
>>>>>> Kees Bakker wrote:
>>>>>>> On 25-10-18 16:11, Rob Crittenden wrote:
>>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>>> On 25-10-18 14:18, Rob Crittenden wrote:
>>>>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>>>>> Could it be that this error already existed since we started? Notice
>>>>>>>>>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>>>>>>>>>
>>>>>>>>>>> # getcert list -n ipaCert | sed blabla
>>>>>>>>>>> Number of certificates and requests being tracked: 8.
>>>>>>>>>>> Request ID '20161103094546':
>>>>>>>>>>> status: CA_UNREACHABLE
>>>>>>>>>>> ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>>>>> stuck: no
>>>>>>>>>>> key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>>>>>>>>>> certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>>>>>>>> issuer: CN=Certificate Authority,O=MYDOMAIN
>>>>>>>>>>> subject: CN=IPA RA,O=MYDOMAIN
>>>>>>>>>>> expires: 2018-10-24 08:45:40 UTC
>>>>>>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>>>>>>>>>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>>>>>>>>>> track: yes
>>>>>>>>>>> auto-renew: yes
>>>>>>>>>>>
>>>>>>>>>>> In other words, is this the same issue as https://pagure.io/freeipa/issue/7422 ?
>>>>>>>>>> The problem is your certs expired yesterday so connections won't work
>>>>>>>>>> (the code and message don't come from within certmonger).
>>>>>>>>>>
>>>>>>>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a
>>>>>>>>>> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and
>>>>>>>>>> see what happens.
>>>>>>>>>>
>>>>>>>>> Easy for you to say. You know what you're doing :-)
>>>>>>>>> For me it's all magic.
>>>>>>>>>
>>>>>>>>> Anyway, I'll try it. I'm just scared to set the clock back, because there may
>>>>>>>>> be clients in the network that use this server as an NTP server.
>>>>>>>>>
>>>>>>>>> Another thing I want to mention is that the error started showing up two days
>>>>>>>>> ago, on Oct 22, while the expiration is today, Oct 24.
>>>>>>>>>
>>>>>>>> It shouldn't take more than a few minutes to roll back time, restart
>>>>>>>> services and see what happens. I think your NTP clients will be able to
>>>>>>>> recover ok if the server is not available for a few minutes.
>>>>>>>>
>>>>>>>> certmonger logs to syslog so you probably want to look at that to see if
>>>>>>>> you can find a reason the certs weren't renewed automatically.
>>>>>>>>
>>>>>>> No, that didn't help.
>>>>>>> And in the syslog there was nothing more than this. (I had to stop the
>>>>>>> nameserver because it was spitting out lots of messages.)
>>>>>>>
>>>>>>> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
>>>>>>> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
>>>>>>> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>>> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>>> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>
>>>>>>>
>>>>>> Ok, I think I know what is going on. This is Ubuntu which AFAIK still
>>>>>> lacks nss-pem. That is probably why it can't connect to renew the certs.
>>>>>>
>>>>>> I don't know if there is a workaround. Timo, do you know?
>>>>> Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've
>>>>> never tested cert renewal though.
>>>>>
>>>> Does that mean I'm screwed? What options do I have?
>>>> Live with it?
>>>> Migrate to, say, CentOS?
>>>> Try to upgrade the server to Ubuntu 18.04 (with uncertainty whether it will work)?
>>>> Something else?
>>> Stock 18.04 has other issues, there's an updated version on
>>> ppa:freeipa/staging which is backported from 18.10 and should be fine
>>> and hopefully provided as a stable update on 18.04 later on.
>>>
>>> But you could try pulling libnsspem from 18.04, and *then* roll back time?
>>>
>> I installed libnsspem_1.0.3-0ubuntu2_amd64.deb
>>
>> Then I stopped ntp (and bind).
>> Set the time back to Oct 11
>> Restarted krb5-kdc, dirsrv@MYDOMAIN, apache2, pki-tomcatd, certmonger
>> (in that order).
>>
>> Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>> Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>> Oct 11 06:08:03 ipasrv certmonger[168327]: 2018-10-11 06:08:03 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>> Oct 11 06:08:12 ipasrv certmonger[168327]: 2018-10-11 06:08:12 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>
>> :-(
>>
>> Rob said also to restart CA.
>> "restart krb5kdc, dirsrv, httpd and the CA then certmonger"
>> I don't know which service that is. Does that matter?
> systemctl restart ipa?
>
>
I'm a bit scared to restart service ipa, because it also restarts several other
services, like bind, and perhaps ntp. The latter is the one that I want to be
absolutely in control of not starting.

CA is 'pki-tomcatd', dirsrv is 'dirsrv@REALM' if you want to avoid
restarting the whole thing

--
t
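The thread turns on a certmonger tracking request that sat in CA_UNREACHABLE with a ca-error for days and then expired. As an added example that is not part of this thread and is neither the posters' nor FreeIPA's or certmonger's own code, here is a small Python check that parses `getcert list` output and reports every tracked request whose status is not MONITORING, that carries a ca-error, that is stuck, or that expires within a warning window. The first request in the sample is reconstructed from the output quoted above; the second request, the check date of 2018-10-22 and the 28-day window are constructed assumptions.

```python
"""Flag certmonger tracking requests that need attention, from `getcert list` output.

Added example; not code from the mailing-list thread or from FreeIPA/certmonger.
The first sample request is reconstructed from the thread, the second is
constructed, and the check date and 28-day window are assumptions.
"""
from datetime import datetime, timedelta, timezone

# Sample input: request 1 reconstructed from the thread, request 2 constructed.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20161103094546':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=MYDOMAIN
        subject: CN=IPA RA,O=MYDOMAIN
        expires: 2018-10-24 08:45:40 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
        post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
        track: yes
        auto-renew: yes
Request ID '20161103094700':
        status: MONITORING
        stuck: no
        CA: IPA
        issuer: CN=Certificate Authority,O=MYDOMAIN
        subject: CN=ipasrv.mydomain,O=MYDOMAIN
        expires: 2020-06-01 00:00:00 UTC
        track: yes
        auto-renew: yes
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per "Request ID" block.

    Every indented "key: value" line becomes a dict entry. The split is on the
    first ": " only, so the URL inside a ca-error value stays intact.
    """
    records = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID '") and line.endswith("':"):
            current = {"request_id": line[len("Request ID '"):-2]}
            records.append(current)
        elif current is not None and ": " in line:
            key, value = line.split(": ", 1)
            current[key] = value
    return records


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def _as_utc(when):
    """Accept a datetime or an ISO 8601 string; naive values are taken as UTC."""
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    if when.tzinfo is None:
        when = when.replace(tzinfo=timezone.utc)
    return when


def check_requests(records, now, warn_days=28):
    """Return (request_id, subject, [problems]) for each request needing attention.

    A healthy request is MONITORING, has no ca-error, is not stuck and expires
    more than warn_days from `now`; anything else is reported.
    """
    now = _as_utc(now)
    findings = []
    for rec in records:
        problems = []
        status = rec.get("status")
        if status != "MONITORING":
            problems.append(f"status is {status}")
        if "ca-error" in rec:
            problems.append("ca-error: " + rec["ca-error"])
        if rec.get("stuck") == "yes":
            problems.append("request is stuck")
        if "expires" in rec:
            remaining = parse_expiry(rec["expires"]) - now
            if remaining <= timedelta(0):
                problems.append("certificate has expired")
            elif remaining <= timedelta(days=warn_days):
                problems.append(f"expires in {remaining.days} days")
        if problems:
            findings.append((rec["request_id"], rec.get("subject"), problems))
    return findings


if __name__ == "__main__":
    import subprocess
    import sys
    # On an IPA server read live output (getcert needs root); elsewhere fall
    # back to the sample and the assumed check date so the script runs offline.
    try:
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
        now = datetime.now(timezone.utc)
    except (FileNotFoundError, subprocess.CalledProcessError):
        text, now = SAMPLE_GETCERT_OUTPUT, "2018-10-22"
    findings = check_requests(parse_getcert_list(text), now)
    for request_id, subject, problems in findings:
        print(f"{request_id} ({subject}):")
        for problem in problems:
            print(f"  - {problem}")
    sys.exit(1 if findings else 0)
```

Run against the sample with the assumed date of 2018-10-22, the IPA RA request is reported three times over (non-MONITORING status, a ca-error, and two days to expiry), which is the condition the thread's poster only noticed once the certificate had lapsed; a non-zero exit code makes it usable from cron or a monitoring agent. The "Error 77" and "Error 60" strings in the thread are libcurl result codes rather than certmonger's own: 77 (CURLE_SSL_CACERT_BADFILE) means the CA bundle file itself could not be used, and 60 (CURLE_PEER_FAILED_VERIFICATION) means the bundle was read but the server's chain did not validate against it, so the change from 77 to 60 after installing libnsspem shows the first problem was solved and a different one remained.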