Kees Bakker via FreeIPA-users wrote:
> On 25-10-18 14:18, Rob Crittenden wrote:
>> Kees Bakker via FreeIPA-users wrote:
>>> Could it be that this error already existed since we started? Notice
>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>
>>> # getcert list -n ipaCert | sed blabla
>>> Number of certificates and requests being tracked: 8.
>>> Request ID '20161103094546':
>>> status: CA_UNREACHABLE
>>> ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>> stuck: no
>>> key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>> certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>> CA: dogtag-ipa-ca-renew-agent
>>> issuer: CN=Certificate Authority,O=MYDOMAIN
>>> subject: CN=IPA RA,O=MYDOMAIN
>>> expires: 2018-10-24 08:45:40 UTC
>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>> track: yes
>>> auto-renew: yes
>>>
>>> In other words, is this the same issue as https://pagure.io/freeipa/issue/7422 ?
>> The problem is your certs expired yesterday so connections won't work
>> (the code and message don't come from within certmonger).
>>
>> certmonger _should_ have renewed them. Try killing ntpd, going back a
>> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and
>> see what happens.
>>
> Easy for you to say. You know what you're doing :-)
> For me it's all magic.
>
> Anyway, I'll try it. I'm just scared to set the clock back, because there may
> be clients in the network that use this server as an NTP server.
>
> Another thing I want to mention is that the error started showing up two days
> ago, on Oct 22, while the expiration is today, Oct 24.
>
It shouldn't take more than a few minutes to roll back time, restart
services and see what happens. I think your NTP clients will be able to
recover ok if the server is not available for a few minutes.
certmonger logs to syslog so you probably want to look at that to see if
you can find a reason the certs weren't renewed automatically.
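The two things worth checking before and after the time roll-back are the `status:` and `expires:` fields of every request certmonger tracks. The script below is an added example (not from this thread and not FreeIPA's own tooling) that parses `getcert list` output and reports requests that are not in MONITORING state, already expired, or expiring within WARN_DAYS of a reference time. It assumes GNU `date -d`; the embedded sample output is constructed, with made-up hostnames and IDs.

```shell
#!/bin/sh
# Added example: flag tracked certmonger requests that need attention.
# Assumes GNU date (-d). Reference time is passed in so results are reproducible.
WARN_DAYS=${WARN_DAYS:-30}

# check_getcert_output REF_TIME TEXT
#   REF_TIME: "YYYY-MM-DD HH:MM:SS" (UTC) to compare expiry against;
#   TEXT: output of `getcert list`. Prints one line per finding and
#   returns 0 when nothing was found, 1 otherwise, 2 on a bad REF_TIME.
check_getcert_output() {
    ref=$(date -u -d "$1" +%s) || return 2
    findings=0
    id=''
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
        "Request ID "*)                        # start of a tracked request
            id=${line#Request ID }; id=${id%:} ;;
        *"status: "*)                          # anything but MONITORING needs a look
            status=${line##*status: }
            if [ "$status" != MONITORING ]; then
                echo "$id: status $status (expected MONITORING)"
                findings=$((findings + 1))
            fi ;;
        *"expires: "*)                         # compare expiry against REF_TIME
            when=${line##*expires: }; when=${when% UTC}
            exp=$(date -u -d "$when" +%s) || continue
            left=$(( (exp - ref) / 86400 ))
            if [ "$exp" -le "$ref" ]; then
                echo "$id: EXPIRED at $when UTC"
                findings=$((findings + 1))
            elif [ "$left" -lt "$WARN_DAYS" ]; then
                echo "$id: expires in $left days ($when UTC)"
                findings=$((findings + 1))
            fi ;;
        esac
    done <<EOF
$2
EOF
    [ "$findings" -eq 0 ]
}

# Constructed sample in the format shown in the thread (hostnames/IDs made up).
SAMPLE=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20161103094546':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to https://ipa.example.test:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2018-10-24 08:45:40 UTC
Request ID '20161103094601':
        status: MONITORING
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2018-11-10 00:00:00 UTC
Request ID '20161103094622':
        status: MONITORING
        subject: CN=Certificate Authority,O=EXAMPLE.TEST
        expires: 2036-11-03 00:00:00 UTC
EOF
)

# Live use: check_getcert_output "$(date -u '+%F %T')" "$(getcert list)"
if check_getcert_output '2018-10-25 00:00:00' "$SAMPLE"; then
    echo "all tracked certificates look healthy"
else
    echo "problems found (exit status 1)"
fi
```

Run against the sample it reports the RA certificate twice (bad status and expired) and the host certificate once (16 days left); against a live server it exits non-zero as soon as any tracked request is off MONITORING, so it can sit in cron before the renewal window closes.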
No, that didn't help.
And in the syslog there was nothing more than this. (I had to stop the
nameserver because it was spitting out lots of messages.)
Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77
connecting to
Review: Problem with the SSL CA cert (path? access rights?).
Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77
connecting to
: Problem with the SSL
CA cert (path? access rights?).
Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77
connecting to