Jokinen Eemeli wrote:
Hi!
No, I haven't, since my guideline didn't tell me to.
I tried to set the date back, restart certmonger and then I did "ipactl
restart", and then it got 2 certs renewed! One of the remaining two certificates was
in "CA_UNREACHABLE" state, so I ran another certmonger restart and it did get
updated. The last one didn't seem to go anywhere, so I resubmitted the cert request and
then that one also got renewed. I time jumped back to today and did another ipactl restart.
All this mess got started with a failed "ipa-server-upgrade", so I ran it
afterwards and it completed successfully with no errors. That also increased the number of
certmonger tracked certificates to 9 from 8, so I believe that one is fixed too.
There are layers of dependencies on the certs so sometimes multiple
rounds of renewal are needed to sort things out. This normally happens
gracefully as expiration approaches but in some cases that we haven't
been able to identify this doesn't happen.
Thank you a lot! It's a bit of a complicated mess to understand every aspect of it (for
example I was trying to hunt a missing certificate that certmonger didn't track, even
though it wasn't the issue but the outcome of the failed server upgrade), but after this I
believe I understand it way better!
Cool, glad you are back up and running.
Note that the cert issues weren't caused by the upgrade, the upgrade
just made it more apparent.
In order to be sure the upgrade is complete you should run:
# ipa-server-upgrade
The upgrade will also check all of the certs tracked by certmonger and
ensure they are set up correctly.
rob
Eemeli
-----Original Message-----
From: Rob Crittenden [mailto:rcritten@redhat.com]
Sent: keskiviikko 27. kesäkuuta 2018 16.26
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>; Florence
Blanc-Renaud <flo(a)redhat.com>
Cc: Jokinen Eemeli <Eemeli.Jokinen(a)cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade
doesn't complete, pki-tomcatd won't start
Jokinen Eemeli via FreeIPA-users wrote:
> Hi!
>
> --
> certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' |grep "Not Before"
> Not Before: Wed Feb 21 09:58:22 2018
> certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
> Not Before: Sun Mar 04 09:58:32 2018
> certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
> Not Before: Sun Mar 04 09:58:23 2018
> getcert list | grep "expires"
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> --
>
> So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using https://access.redhat.com/solutions/3357261 as a guideline.
>
> --
> systemctl stop ntpd
> date 031603162018
> Fri Mar 16 03:16:00 EET 2018
> systemctl restart certmonger
> certutil -d /var/lib/pki/pki-tomcat/alias/ -L
>
> Certificate Nickname Trust Attributes
>
> SSL,S/MIME,JAR/XPI
>
> auditSigningCert cert-pki-ca u,u,Pu
> caSigningCert cert-pki-ca CTu,Cu,Cu
> ocspSigningCert cert-pki-ca u,u,u
> subsystemCert cert-pki-ca u,u,u
> Server-Cert cert-pki-ca u,u,u
> getcert list | grep "expires"
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> getcert list |grep -B 8 "expires: 2018-03" | grep ID
> Request ID '20160331084233':
> Request ID '20160331084234':
> Request ID '20180611071929':
> Request ID '20180615083528':
> ipa-getcert resubmit -i 20160331084233 -v
> Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20160331084234 -v
> Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180611071929 -v
> Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180615083528 -v
> Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
> journalctl -n 20 -u certmonger
> -- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
> getcert list | grep "expires"
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> date
> Fri Mar 16 03:26:09 EET 2018
> --
>
> I waited for some time to be sure, no luck on my opinion:
>
> --
> date
> Fri Mar 16 03:52:24 EET 2018
> getcert list |grep expires
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> --
>
> Also did steps 6 & 8 on the guideline page, certificates match. However step 7 fails with error 500.
>
> Still wondering if I'm missing some kind of cert from certmonger since the site
says that after 7.4 (ok, RHEL, not CentOS) you should have 9 certificates on "getcert
list", I only have 8. However if I try to do the tracking requests again as suggested
by RHEL, I get no new certificates for my list.
Hard to know without seeing the list of certs.
Are you restarting dogtag, Apache and 389-ds when setting the date back?
That is necessary as well.
rob
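Added example, not code from the thread or from FreeIPA: a small Python parser for `getcert list` output that classifies every tracking request by expiry and state, replacing the `getcert list | grep -B 8 "expires: 2018-03" | grep ID` pipeline used in the thread. The listing in SAMPLE_OUTPUT is constructed and abbreviated (made-up request IDs, nicknames taken from the usual pki-tomcat and dirsrv NSS databases), and the 28-day warning window is an assumption.

```python
import re
from datetime import datetime, timedelta

# Constructed, abbreviated `getcert list` listing with the real tool's layout:
# one "Request ID" header per request, then tab-indented "key: value" lines.
SAMPLE_OUTPUT = """Number of certificates and requests being tracked: 3.
Request ID '20180101000001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2018-03-21 09:42:06 UTC
Request ID '20180101000002':
\tstatus: CA_UNREACHABLE
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\texpires: 2020-02-11 09:58:22 UTC
Request ID '20180101000003':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2020-03-04 09:58:32 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line.startswith("\t") and ": " in line:
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def triage(text, now, warn_days=28):
    """Return (request id, nickname, verdict) per request; `now` is 'YYYY-MM-DD HH:MM:SS UTC'."""
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S UTC")
    horizon = now_dt + timedelta(days=warn_days)
    verdicts = []
    for req in parse_getcert_list(text):
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        nick = re.search(r"nickname='([^']*)'", req.get("certificate", ""))
        if expires <= now_dt:
            verdict = "EXPIRED"      # already past expiry at this clock
        elif req.get("status") != "MONITORING":
            verdict = "STUCK"        # e.g. CA_UNREACHABLE: certmonger/CA need attention first
        elif expires <= horizon:
            verdict = "EXPIRING"     # inside the warning window, watch for renewal
        else:
            verdict = "OK"
        verdicts.append((req["id"], nick.group(1) if nick else "?", verdict))
    return verdicts
```

Running `triage` once with the real date and once with the time-jumped date shows which requests only look healthy because the clock was set back.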