Hi,
On Wed, Dec 18, 2024 at 11:00 AM Dmitry Krasov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I tried to update certs on a test environment with these instructions, but it updated the webserver's certs only, with CA_UNREACHABLE status. https://www.freeipa.org/page/IPA_2x_Certificate_Renewal
The above instructions are for IPA 2.x and do not apply to IPA 4.11. The code of the CA helpers was consolidated and the tracking requests do not use the same CA helpers.
Number of certificates and requests being tracked: 8.
Request ID '20221130052539':
  status: CA_UNREACHABLE
  ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
With IPA 4.11 this cert is using the CA helper dogtag-ipa-ca-renew-agent, not dogtag-ipa-renew-agent.
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=CA Audit,O=DOM.LOC
  expires: 2024-11-19 05:25:15 UTC
  key usage: digitalSignature,nonRepudiation
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052540':
  status: CA_UNREACHABLE
  ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
Same comment, the tracking is now using a wrong CA helper.
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=OCSP Subsystem,O=DOM.LOC
  expires: 2024-11-19 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  eku: id-kp-OCSPSigning
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052541':
  status: CA_UNREACHABLE
  ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
Same comment.
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=CA Subsystem,O=DOM.LOC
  expires: 2024-11-19 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052542':
  status: CA_UNREACHABLE
  ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-ca-renew-agent
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=Certificate Authority,O=DOM.LOC
  expires: 2042-11-30 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052543':
  status: CA_UNREACHABLE
  ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
Same comment.
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=IPA RA,O=DOM.LOC
  expires: 2024-11-19 05:25:36 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
  post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
  track: yes
  auto-renew: yes
Request ID '20221130052544':
  status: CA_UNREACHABLE
  ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
  certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
  CA: dogtag-ipa-renew-agent
Same comment.
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=ipa.dom.loc,O=DOM.LOC
  expires: 2024-11-19 05:25:14 UTC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth
  pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
  post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
  track: yes
  auto-renew: yes
Request ID '20221130052605':
  status: CA_UNREACHABLE
  ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=ipa.dom.loc,O=DOM.LOC
  expires: 2026-10-18 21:32:34 UTC
  principal name: ldap/ipa.dom.loc@DOM.LOC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
  track: yes
  auto-renew: yes
Request ID '20221130052625':
  status: CA_UNREACHABLE
  ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
  stuck: no
  key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=DOM.LOC
  subject: CN=ipa.dom.loc,O=DOM.LOC
  expires: 2026-10-18 21:32:23 UTC
  principal name: HTTP/ipa.dom.loc@DOM.LOC
  key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
  eku: id-kp-serverAuth,id-kp-clientAuth
  pre-save command:
  post-save command: /usr/lib/ipa/certmonger/restart_httpd
  track: yes
  auto-renew: yes
You will have to fix the tracking requests first (call getcert start-tracking with the right -c argument), and then you can follow the link https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html-single/managing_certificates_in_idm/index#renewing-expired-system-certificates-on-a-ca_renewing-expired-system-certificates-when-idm-is-offline I provided in my first message or this one: https://www.freeipa.org/page/Troubleshooting/PKI.html#ipa-won-t-start-expire... to use ipa-cert-fix.
HTH, flo
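A small audit script for the mis-tracking flo points out, added here as an example and not part of the thread or of FreeIPA itself: it reads `getcert list` output and reports every CA subsystem request (NSS db /etc/pki/pki-tomcat/alias, or the RA cert nicknamed ipaCert) whose `CA:` is not dogtag-ipa-ca-renew-agent, then prints the `getcert stop-tracking`/`start-tracking -c` calls to re-register it. The sample output is constructed from the shape of the quoted listing; the rule "pki-tomcat and ipaCert entries belong to dogtag-ipa-ca-renew-agent" is the assumption taken from flo's reply.

```shell
# Added example, not from the thread or from FreeIPA. Assumption: on IPA 4.x
# the certs in /etc/pki/pki-tomcat/alias and the RA cert (ipaCert) must be
# tracked with the dogtag-ipa-ca-renew-agent helper.
WANT=dogtag-ipa-ca-renew-agent

# Reads `getcert list` output on stdin; prints one tab-separated line per
# mis-tracked request: request id, NSS db dir, nickname, helper in use.
find_wrong_helper() {
  awk -v q="'" -v want="$WANT" '
    function val(key, re) {   # extract key=<single-quoted value> from $0
      re = key "=" q "[^" q "]*" q
      if (!match($0, re)) return ""
      return substr($0, RSTART + length(key) + 2, RLENGTH - length(key) - 3)
    }
    function flush() {
      if (id != "" && ca != want && (dir == "/etc/pki/pki-tomcat/alias" || nick == "ipaCert"))
        printf "%s\t%s\t%s\t%s\n", id, dir, nick, ca
      id = dir = nick = ca = ""
    }
    /^Request ID /                   { flush(); id = $3; gsub("[" q ":]", "", id); next }
    /^[[:space:]]*key pair storage:/ { dir = val("location"); nick = val("nickname"); next }
    /^[[:space:]]*CA:/               { ca = $2; next }
    END                              { flush() }'
}

# Emits the re-tracking commands; the pre/post-save commands and pin
# (-B/-C/-P) must be copied from the existing entry before running them.
fix_commands() {
  find_wrong_helper | while IFS="$(printf '\t')" read -r id dir nick ca; do
    echo "# $nick: tracked with $ca, expected $WANT"
    echo "getcert stop-tracking -i $id"
    echo "getcert start-tracking -d $dir -n '$nick' -c $WANT  # add -B/-C/-P"
  done
}

# Constructed sample, trimmed to the fields the audit needs.
SAMPLE=$(cat <<'EOF'
Request ID '20221130052539':
  status: CA_UNREACHABLE
  key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
  CA: dogtag-ipa-renew-agent
Request ID '20221130052543':
  key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
  CA: dogtag-ipa-renew-agent
Request ID '20221130052625':
  key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
  CA: IPA
EOF
)

printf '%s\n' "$SAMPLE" | fix_commands
```

On a live server replace the sample with `getcert list | fix_commands`; the httpd/dirsrv Server-Cert entries tracked by the IPA helper are left alone, as in the listing above.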