On 25.10.2018 21.44, Rob Crittenden wrote:
> Kees Bakker wrote:
>> On 25-10-18 16:11, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
>>>> On 25-10-18 14:18, Rob Crittenden wrote:
>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>> Could it be that this error already existed since we started? Notice the Request ID of 2016..., and the expires: 2018-10-24.
>>>>>>
>>>>>> # getcert list -n ipaCert | sed blabla
>>>>>> Number of certificates and requests being tracked: 8.
>>>>>> Request ID '20161103094546':
>>>>>> status: CA_UNREACHABLE
>>>>>> ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>> stuck: no
>>>>>> key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>>>>> certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>>> issuer: CN=Certificate Authority,O=MYDOMAIN
>>>>>> subject: CN=IPA RA,O=MYDOMAIN
>>>>>> expires: 2018-10-24 08:45:40 UTC
>>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>>>>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>>>>> track: yes
>>>>>> auto-renew: yes
>>>>>>
>>>>>> In other words, is this the same issue as https://pagure.io/freeipa/issue/7422 ?
>>>>> The problem is your certs expired yesterday so connections won't work (the code and message don't come from within certmonger).
>>>>>
>>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and see what happens.
>>>>>
>>>> Easy for you to say. You know what you're doing :-)
>>>> For me it's all magic.
>>>>
>>>> Anyway, I'll try it. I'm just scared to set the clock back, because there may be clients in the network that use this server as an NTP server.
>>>>
>>>> Another thing I want to mention is that the error started showing up two days ago, on Oct 22, while the expiration is today, Oct 24.
>>>>
>>> It shouldn't take more than a few minutes to roll back time, restart
>>> services and see what happens. I think your NTP clients will be able to
>>> recover ok if the server is not available for a few minutes.
>>>
>>> certmonger logs to syslog so you probably want to look at that to see if
>>> you can find a reason the certs weren't renewed automatically.
>>>
>> No, that didn't help.
>> And in the syslog there was nothing more than this. (I had to stop the
>> nameserver because it was spitting out lots of messages.)
>>
>> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
>> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
>> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
>> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
>> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
>> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
>> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>
> Ok, I think I know what is going on. This is Ubuntu which AFAIK still
> lacks nss-pem. That is probably why it can't connect to renew the certs.
>
> I don't know if there is a workaround. Timo, do you know?
Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've never tested cert renewal though.
Does that mean, I'm screwed? What options do I have?
Live with it?
Migrate to, say, CentOS?
Try to upgrade the server to Ubuntu 18.04 (with uncertainty whether it will work)?
Something else?
--
Kees
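The thread turns on reading `getcert list` output correctly: a request whose status is CA_UNREACHABLE, a ca-error line that comes from the HTTP client rather than from certmonger, and an expiry date that was only two days away when the error first appeared. The script below is an added example, not code from FreeIPA, certmonger, or anyone in this thread. It parses the plain-text format `getcert list` prints and flags requests that are not in MONITORING state, carry a ca-error, or expire inside a warning window. The `SAMPLE` text is constructed to mirror the output quoted above, with a second, healthy request invented for contrast; the 28-day window is a choice made here, not a certmonger setting read from anywhere. The one outside fact it relies on is that "Error 77" is libcurl's CURLE_SSL_CACERT_BADFILE, whose message is exactly "Problem with the SSL CA cert (path? access rights?)", which is why the failure points at the client's trust-store access rather than at the CA being down.

```python
"""Parse `getcert list` output and flag tracking requests that need attention.

Added example (not certmonger's or FreeIPA's own code). Run it as a script to
print a report, or import it and call check() from monitoring.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample, modelled on the `getcert list -n ipaCert` output quoted in
# the thread; the second request is invented as a healthy control.
SAMPLE = """\
Number of certificates and requests being tracked: 8.
Request ID '20161103094546':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MYDOMAIN
    subject: CN=IPA RA,O=MYDOMAIN
    expires: 2018-10-24 08:45:40 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20161103094600':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOMAIN
    subject: CN=ipasrv.mydomain,O=MYDOMAIN
    expires: 2020-03-01 10:00:00 UTC
    track: yes
    auto-renew: yes
"""

RECORD_RE = re.compile(r"^Request ID '([^']+)':\s*$")   # unindented block header
FIELD_RE = re.compile(r"^\s+([^:]+?):\s?(.*)$")         # indented "key: value"
ERRNO_RE = re.compile(r"\bError (\d+) connecting to\b")  # libcurl code in ca-error


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by the field names getcert prints."""
    requests, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            # Split on the first colon only: ca-error values contain URLs with colons.
            current[m.group(1)] = m.group(2).strip()
    return requests


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def curl_error_code(ca_error):
    """Numeric code from 'Error N connecting to ...', or None. 77 is CURLE_SSL_CACERT_BADFILE."""
    m = ERRNO_RE.search(ca_error)
    return int(m.group(1)) if m else None


def find_problems(requests, now, warn_days=28):
    """Return (request_id, kind, detail) tuples for anything a defender should look at."""
    findings = []
    for r in requests:
        rid = r["request_id"]
        status = r.get("status", "")
        if status != "MONITORING":          # CA_UNREACHABLE, NEED_CA_CERT, etc.
            findings.append((rid, "status", status))
        if "ca-error" in r:                 # last renewal attempt failed
            findings.append((rid, "ca-error", r["ca-error"]))
        if "expires" in r:
            exp = parse_expiry(r["expires"])
            if exp <= now:
                findings.append((rid, "expired", r["expires"]))
            elif exp - now <= timedelta(days=warn_days):
                findings.append((rid, "expiring", r["expires"]))
    return findings


def check(text, now_str, warn_days=28):
    """Convenience wrapper: parse getcert output and evaluate it at a given UTC time."""
    return find_problems(parse_getcert_list(text), parse_expiry(now_str), warn_days)


if __name__ == "__main__":
    # Evaluate the sample at Oct 22 2018, the day the thread says the error first appeared.
    for rid, kind, detail in check(SAMPLE, "2018-10-22 00:00:00 UTC"):
        print(f"{rid}: {kind}: {detail}")
```

The useful check is the combination: a non-MONITORING status two days before expiry means the renewal attempts started, as certmonger intended, and failed on the client side, so the fix is on the agent's trust-store access (the nss-pem discussion above), not in the CA. Feeding real output is `getcert list | python3 thisfile.py`-style plumbing, left out here to keep the example self-contained.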