Hi!
Checked the access log for today's date:
--
<<IP>> - - [27/Jun/2018:10:57:38 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:57:41 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:57:51 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:00 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:11 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:14 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:24 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:33 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:44 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:47 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
--
No other kinds of responses; only the timestamps vary.
There's no access_log file dated 2018-03-16, but there is a Catalina.out file with that date:
--
Mar 16, 2018 3:16:06 AM org.apache.catalina.core.ContainerBase backgroundProcess
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@4a53d31b background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
    at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
    at java.lang.Thread.run(Thread.java:748)
--
This seems to have picked up the date I used for my "time travel". The error matches 100% the Catalina.out entry whose timestamp matches today.
Eemeli
-----Original Message-----
From: Florence Blanc-Renaud [mailto:flo@redhat.com]
Sent: Wednesday 27 June 2018 10:40
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Jokinen Eemeli <Eemeli.Jokinen(a)cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade
doesn't complete, pki-tomcatd won't start
On 06/27/2018 08:56 AM, Jokinen Eemeli via FreeIPA-users wrote:
Hi!
--
certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
Not Before: Wed Feb 21 09:58:22 2018
certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
Not Before: Sun Mar 04 09:58:32 2018
certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
Not Before: Sun Mar 04 09:58:23 2018
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
--
So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using
https://access.redhat.com/solutions/3357261 as a guideline.
--
systemctl stop ntpd
date 031603162018
Fri Mar 16 03:16:00 EET 2018
systemctl restart certmonger
certutil -d /var/lib/pki/pki-tomcat/alias/ -L
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
getcert list | grep -B 8 "expires: 2018-03" | grep ID
Request ID '20160331084233':
Request ID '20160331084234':
Request ID '20180611071929':
Request ID '20180615083528':
ipa-getcert resubmit -i 20160331084233 -v
Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20160331084234 -v
Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180611071929 -v
Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180615083528 -v
Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
journalctl -n 20 -u certmonger
-- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
date
Fri Mar 16 03:26:09 EET 2018
--
I waited for some time to be sure; no luck, in my opinion:
--
date
Fri Mar 16 03:52:24 EET 2018
getcert list |grep expires
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
--
I also did steps 6 & 8 on the guideline page; the certificates match. However, step 7 fails with error 500.
Error 500 is an internal error. Can you check the content of the Dogtag log?
/var/log/pki/pki-tomcat/localhost_access_log_$date.txt must show that the command getCertChain has been received:
10.37.171.235 - - [date] "GET /ca/ee/ca/getCertChain HTTP/1.1" 200 1534
and /var/log/pki/pki-tomcat/ca/debug may show more information. On a working system:
[date][http-bio-8443-exec-13]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[date][http-bio-8443-exec-13]: according to ccMode, authorization for servlet: caGetCertChain is LDAP based, not XML {1}, use default authz mgr: {2}.
[date][http-bio-8443-exec-13]: CMSServlet:service() uri = /ca/ee/ca/getCertChain
[date][http-bio-8443-exec-13]: CMSServlet: caGetCertChain start to service.
[date][http-bio-8443-exec-13]: GetCertChain: certificate chain:
[date][http-bio-8443-exec-13]: GetCertChain: - CN=Certificate Authority,O=DOMAIN.COM
[date][http-bio-8443-exec-13]: CMSServlet: curDate=Wed Jun 27 09:33:23 CEST 2018 id=caGetCertChain time=22
[date][http-bio-8443-exec-13]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
Flo
Still wondering if I'm missing some kind of cert from certmonger, since the site says that after 7.4 (ok, RHEL, not CentOS) you should have 9 certificates in "getcert list"; I only have 8. However, if I try to do the tracking requests again as suggested by RHEL, I get no new certificates in my list.
Eemeli
-----Original Message-----
From: Florence Blanc-Renaud [mailto:flo@redhat.com]
Sent: Tuesday 26 June 2018 21:28
To: FreeIPA users list <freeipa-users(a)lists.fedorahosted.org>
Cc: Jokinen Eemeli <Eemeli.Jokinen(a)cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade:
ipa-server-upgrade doesn't complete, pki-tomcatd won't start
Hi,
the journal shows that dogtag-ipa-renew-agent returned 2, which means "Rejected" (see [1] for the return codes). This probably happens because the cert for IPA RA is no longer valid (this cert is used to authenticate to Dogtag, and without proper authentication any renewal op is refused).
The expired certificates all expire on 2018-03-21. On the other hand, the Server-Cert cert-pki-ca, slapd and httpd certificates were properly renewed. You need to find at which date they were renewed:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
# certutil -L -d /etc/dirsrv/slapd-$DOMAIN -n Server-Cert | grep "Not Before"
# certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
You then need to find a common date where all the certificates are valid (i.e. before 2018-03-21, so that the expired certs are not expired yet, and after the 'Not Before' date, so that the renewed certs are already valid).
Then stop ntpd, change the date to this common date, restart certmonger and look in the
journal if the renewal goes smoothly or if there are errors that could point you in the
right direction.
You can also find instructions on this blog post [2] to increase the log level for the
renewal.
HTH,
Flo
[1] https://pagure.io/certmonger/blob/master/f/doc/submit.txt#_46
[2] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-leave(a)lists.fedorahosted.org
Fedora Code of Conduct:
https://getfedora.org/code-of-conduct.html
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/X6XG7L2WYYIHHT72V2OCRVSKINVRCPMU/
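Flo's advice in the thread (pick a date after the renewed certificates' 'Not Before' and before the earliest 'expires', then roll the clock back there so the IPA RA cert can authenticate to Dogtag again) can be computed instead of eyeballed. The script below is an added example, not FreeIPA or certmonger code. It works from the certutil and getcert output quoted in the thread, embedded here as constructed sample input, and it assumes the zone-less certutil times are UTC (their seconds match the getcert UTC values); the `date -u` argument it prints uses the same MMDDhhmmYYYY form used in the thread, with `.SS` appended.

```python
"""Choose a clock-rollback date at which every tracked FreeIPA certificate
is simultaneously valid.  Added example, not FreeIPA/certmonger code."""
import re
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed sample input: the certutil and getcert output quoted in the
# thread.  certutil prints no zone; the seconds match the getcert UTC
# timestamps, so the values are treated as UTC (assumption).
CERTUTIL_OUTPUT = """\
Not Before: Wed Feb 21 09:58:22 2018
Not Before: Sun Mar 04 09:58:32 2018
Not Before: Sun Mar 04 09:58:23 2018
"""
GETCERT_OUTPUT = """\
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
"""
# Real wall-clock time when the thread was written (27 Jun 2018, from the
# access log, converted from +0300 to UTC).
THREAD_NOW = datetime(2018, 6, 27, 7, 57, 38, tzinfo=UTC)

NOT_BEFORE_RE = re.compile(
    r"Not Before:\s+([A-Za-z]{3} [A-Za-z]{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")
EXPIRES_RE = re.compile(r"expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def parse_not_before(text):
    """'certutil -L ... | grep "Not Before"' lines -> aware UTC datetimes."""
    return [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=UTC)
            for m in NOT_BEFORE_RE.finditer(text)]


def parse_expires(text):
    """'getcert list | grep expires' lines -> aware UTC datetimes."""
    return [datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
            for m in EXPIRES_RE.finditer(text)]


def valid_window(not_before, expires, now):
    """Return (start, end) during which every certificate is valid.

    start: latest notBefore of the already-renewed certs (they must exist).
    end:   earliest expiry across all tracked certs (none may have lapsed).
    Raises ValueError when nothing has expired yet (a rollback is pointless)
    or when the window is empty (the renewed certs were issued only after
    the others expired, so no single date works and manual re-issuance is
    the only way out).
    """
    if not any(e <= now for e in expires):
        raise ValueError("no certificate has expired; a rollback is pointless")
    start, end = max(not_before), min(expires)
    if start >= end:
        raise ValueError("no common validity window: %s >= %s" % (start, end))
    return start, end


def pick_rollback_date(not_before, expires, now):
    """Middle of the window: maximal slack against clock skew on both sides."""
    start, end = valid_window(not_before, expires, now)
    return start + (end - start) / 2


def date_command(when):
    """GNU date argument (MMDDhhmmYYYY.SS) that sets the clock, in UTC."""
    return "date -u " + when.strftime("%m%d%H%M%Y.%S")


def covers(window, iso_utc):
    """True if 'YYYY-MM-DD HH:MM:SS' (UTC) lies strictly inside the window."""
    when = datetime.strptime(iso_utc, "%Y-%m-%d %H:%M:%S").replace(tzinfo=UTC)
    return window[0] < when < window[1]


if __name__ == "__main__":
    nb, ex = parse_not_before(CERTUTIL_OUTPUT), parse_expires(GETCERT_OUTPUT)
    lo, hi = valid_window(nb, ex, THREAD_NOW)
    print("all certs valid between %s and %s" % (lo, hi))
    print("stop ntpd, then: " + date_command(pick_rollback_date(nb, ex, THREAD_NOW)))
```

On the thread's data the window runs from 2018-03-04 09:58:32 UTC to 2018-03-21 09:42:04 UTC, so the 16 March date chosen in the thread (03:16 EET, 01:16 UTC) is inside it; the script prefers the midpoint, 12 March, because a date close to either edge leaves little margin if a certificate's notBefore or notAfter is a few hours off from what the operator read. The empty-window check matters: if the surviving certificates had been renewed after 2018-03-21, no clock setting would make the RA agent cert and the renewed certs valid at once, and the procedure in the thread could not work at all.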