Hi!
No, I haven't, since my guideline didn't tell me to.
I tried to set the date back, restart certmonger and then I did "ipactl restart",
and then it got 2 certs renewed! One of the remaining two certificates was in
"CA_UNREACHABLE" state, so I ran another certmonger restart and it did get
updated. The last one didn't seem to go anywhere, so I resubmitted the cert request and
then that one also got renewed. I time-jumped back to today and did another ipactl restart.
All this mess got started with a failed "ipa-server-upgrade", so I ran it
afterwards and it completed successfully with no errors. That also increased the number of
certmonger-tracked certificates from 8 to 9, so I believe that one is fixed too.
Thank you a lot! It's a bit of a complicated mess to understand every aspect of it (for
example, I was trying to hunt a missing certificate that certmonger didn't track, even
though it wasn't the issue but the outcome of the failed server upgrade), but after this I
believe that I understand it way better!
Eemeli
-----Original Message-----
From: Rob Crittenden [mailto:rcritten@redhat.com]
Sent: Wednesday 27 June 2018 16:26
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Florence Blanc-Renaud
<flo(a)redhat.com>
Cc: Jokinen Eemeli <Eemeli.Jokinen(a)cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade
doesn't complete, pki-tomcatd won't start
Jokinen Eemeli via FreeIPA-users wrote:
Hi!
--
certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
Not Before: Wed Feb 21 09:58:22 2018
certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
Not Before: Sun Mar 04 09:58:32 2018
certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
Not Before: Sun Mar 04 09:58:23 2018
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
--
So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using
https://access.redhat.com/solutions/3357261 as a guideline.
--
systemctl stop ntpd
date 031603162018
Fri Mar 16 03:16:00 EET 2018
systemctl restart certmonger
certutil -d /var/lib/pki/pki-tomcat/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
getcert list | grep -B 8 "expires: 2018-03" | grep ID
Request ID '20160331084233':
Request ID '20160331084234':
Request ID '20180611071929':
Request ID '20180615083528':
ipa-getcert resubmit -i 20160331084233 -v
Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20160331084234 -v
Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180611071929 -v
Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180615083528 -v
Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
journalctl -n 20 -u certmonger
-- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
date
Fri Mar 16 03:26:09 EET 2018
--
I waited for some time to be sure; no luck, in my opinion:
--
date
Fri Mar 16 03:52:24 EET 2018
getcert list |grep expires
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
--
Also did steps 6 & 8 on the guideline page, certificates match. However, step 7 fails
with error 500.
Still wondering if I'm missing some kind of cert from certmonger, since the site says
that after 7.4 (ok, RHEL, not CentOS) you should have 9 certificates in "getcert
list", and I only have 8. However, if I try to do the tracking requests again as suggested
by RHEL, I get no new certificates in my list.
Hard to know without seeing the list of certs.
Are you restarting dogtag, Apache and 389-ds when setting the date back?
That is necessary as well.
rob
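The "pick a date after the newest Not Before but before the earliest expiry" step that the quoted message does by hand (4.3.2018 < date < 21.3.2018, settling on 16.03.2018) is the part of this procedure that is easy to get wrong when more certificates are involved. The script below is an added example, not code from the thread or from the FreeIPA project: it parses constructed samples shaped like the `certutil -L ... | grep "Not Before"` and `getcert list` outputs above, computes the window in which every certificate was valid, emits the date in the `MMDDhhmmYYYY` form that `date` accepts, and lists the request IDs that need `ipa-getcert resubmit` (the `grep -B 8 "expires: 2018-03" | grep ID` step). The request-ID to expiry pairing in the sample is an assumption; the thread does not show it. The one-day margin is there because certutil prints local time (EET in the thread) while getcert prints UTC.

```python
"""Compute a safe time-travel date for certmonger renewal in FreeIPA.

Added example, not from the mailing-list thread or the FreeIPA project.
"""
import re
from datetime import datetime, timedelta

# Constructed sample: the three "Not Before" lines from the thread (certutil
# prints them in local time, in this format).
SAMPLE_NOT_BEFORE = """\
Not Before: Wed Feb 21 09:58:22 2018
Not Before: Sun Mar 04 09:58:32 2018
Not Before: Sun Mar 04 09:58:23 2018
"""

# Constructed sample of `getcert list`, trimmed to the fields used here.
# The expiry times are the eight from the thread; which request ID carries
# which expiry is an assumption made for the example.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 8.
Request ID '20160331084233':
\tstatus: MONITORING
\texpires: 2018-03-21 09:42:06 UTC
Request ID '20160331084234':
\tstatus: MONITORING
\texpires: 2018-03-21 09:42:04 UTC
Request ID '20160331084235':
\tstatus: MONITORING
\texpires: 2036-03-31 08:42:02 UTC
Request ID '20180221095822':
\tstatus: MONITORING
\texpires: 2020-02-11 09:58:22 UTC
Request ID '20180304095832':
\tstatus: MONITORING
\texpires: 2020-03-04 09:58:32 UTC
Request ID '20180304095823':
\tstatus: MONITORING
\texpires: 2020-03-04 09:58:23 UTC
Request ID '20180611071929':
\tstatus: MONITORING
\texpires: 2018-03-21 09:42:29 UTC
Request ID '20180615083528':
\tstatus: MONITORING
\texpires: 2018-03-21 09:42:05 UTC
"""

NOT_BEFORE_RE = re.compile(r"Not Before:\s*(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")
REQUEST_ID_RE = re.compile(r"Request ID '(\d+)'")
EXPIRES_RE = re.compile(r"expires:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_not_before(text):
    """Return the datetimes of every 'Not Before:' line in certutil output."""
    return [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            for m in NOT_BEFORE_RE.finditer(text)]


def parse_getcert(text):
    """Return {request_id: expiry} from `getcert list` output."""
    expiries, req_id = {}, None
    for line in text.splitlines():
        m = REQUEST_ID_RE.search(line)
        if m:
            req_id = m.group(1)      # the 'expires:' that follows belongs to this ID
            continue
        m = EXPIRES_RE.search(line)
        if m and req_id is not None:
            expiries[req_id] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return expiries


def renewal_window(not_befores, expiries, margin=timedelta(days=1)):
    """(start, end) of the interval in which every certificate is valid.

    start is the newest Not Before plus the margin, end the earliest expiry
    minus it; the margin absorbs the local-time vs UTC mismatch between the
    two tools. Raises ValueError when no such moment exists, in which case
    the date trick cannot work and the certificates must be reissued.
    """
    start = max(not_befores) + margin
    end = min(expiries.values()) - margin
    if start >= end:
        raise ValueError("no date at which all certificates are valid; "
                         "setting the clock back cannot renew them")
    return start, end


def pick_date(start, end):
    """Middle of the window, plus the MMDDhhmmYYYY string `date` accepts."""
    chosen = start + (end - start) / 2
    return chosen, chosen.strftime("%m%d%H%M%Y")


def requests_expiring_before(expiries, cutoff):
    """Request IDs to hand to `ipa-getcert resubmit -i <id>`."""
    return sorted(rid for rid, exp in expiries.items() if exp < cutoff)


if __name__ == "__main__":
    nb = parse_not_before(SAMPLE_NOT_BEFORE)
    ex = parse_getcert(SAMPLE_GETCERT)
    start, end = renewal_window(nb, ex)
    chosen, arg = pick_date(start, end)
    print(f"window: {start} .. {end}")
    print(f"systemctl stop ntpd && date {arg}   # {chosen}")
    for rid in requests_expiring_before(ex, datetime.now()):
        print(f"ipa-getcert resubmit -i {rid} -v")
```

On a real server the two samples would be replaced by the output of `certutil -L -d <db> -n <nick>` for each NSS database and of `getcert list`; the script only does the arithmetic and prints the commands, it does not change the clock. As Rob's reply notes, after the date is set back, dogtag, Apache and 389-ds have to be restarted as well, so the printed `date` line is the first step, not the whole procedure.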