ah yes, certificates and renewal, I have spend so much time with that!
A very good starting point for debugging is this excellent guide. https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
Regards Bjarne Blichfeldt.
From: Robson Francisco de Souza [mailto:rfsouza@usp.br] Sent: 18. november 2019 03:03 To: freeipa-users@lists.fedorahosted.org Subject: [Freeipa-users] certmonger error on ubuntu
Hello!
I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and most certificates should expire within three weeks. As this deadline approaches, I noticed certmonger has been unable to renew certificates due to the error below.
After googling for two days, I found this issue has been observed by many people before, mostly after expiration of the certificates, as in https://tinyurl.com/vajmocw
Still, I couldn't find a solution to this problem. If it is impossible to fix this issue while using FreeIPA 4.3.1, I would like to:
1) Find a way to renew all certificates even if certmonger can't be fixed. This would allow me to postpone the solution to after the next OS and/or FreeIPA upgrade 2) Find out what version of FreeIPA I should upgrade to while the operating system remains Ubuntu 16.04
Any help would be appreciated! Thanks!
Robson
======> Command: systemctl status certmonger
Nov 17 20:53:08 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 20:53:08 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). Nov 17 21:10:13 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: Forwarding request to dogtag-ipa-renew-agent Nov 17 21:10:13 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: dogtag-ipa-renew-agent returned 3 Nov 17 21:10:13 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:10:13 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). Nov 17 21:25:20 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: Forwarding request to dogtag-ipa-renew-agent Nov 17 21:25:20 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: dogtag-ipa-renew-agent returned 3 Nov 17 21:25:21 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:21 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?). Nov 17 21:25:31 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: Forwarding request to dogtag-ipa-renew-agent Nov 17 21:25:31 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: dogtag-ipa-renew-agent returned 3 Nov 17 21:25:31 ipa.cefapnet.icb.usp.brhttp://ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:31 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
-- Robson Francisco de Souza, PhD Laboratório de Estrutura e Evolução de Proteínas (LEEP/PSEL) Departamento de Microbiologia Instituto de Ciências Biomédicas Universidade de São Paulo Av. Prof. Lineu Prestes, 1374 - Ed. Biomédicas II - Sala 250 - 2o. andar Tel: 3091-0891 Cidade Universitária - CEP 05508-900 - São Paulo - SP - Brasil
---- Robson Francisco de Souza, PhD Protein Structure and Evolution Laboratory (LEEP/PSEL) Microbiology Departament Biomedical Sciences Institute University of Sao Paulo Av. Prof. Lineu Prestes, 1374 - Biomédicas II - Sala 250 Phone: 55-11-3091-0891 Cidade Universitária - ZIP 05508-900 - São Paulo - SP - Brazil