ah yes, certificates and renewal, I have spend so much time with that!

 

A very good starting point for debugging is this excellent guide. https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/

 

 

Regards

Bjarne Blichfeldt.

 

From: Robson Francisco de Souza [mailto:rfsouza@usp.br]
Sent: 18. november 2019 03:03
To: freeipa-users@lists.fedorahosted.org
Subject: [Freeipa-users] certmonger error on ubuntu

 

Hello!

 

I've been running FreeIPA 4.3.1 on Ubuntu 16.04 for almost two years and most certificates should expire within three weeks. As this deadline approaches, I noticed certmonger has been unable to renew certificates due to the error below.

 

After googling for two days, I found this issue has been observed by many people before, mostly after expiration of the certificates, as in https://tinyurl.com/vajmocw

 

Still, I couldn't find a solution to this problem.

If it is impossible to fix this issue while using FreeIPA 4.3.1, I would like to:

 

1) Find a way to renew all certificates even if certmonger can't be fixed. This would allow me to postpone the solution to after the next OS and/or FreeIPA upgrade

2) Find out what version of FreeIPA I should upgrade to while the operating system remains Ubuntu 16.04

 

Any help would be appreciated!

Thanks!

 

Robson

 

======> Command: systemctl status certmonger

 

Nov 17 20:53:08 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 20:53:08 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).

Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: Forwarding request to dogtag-ipa-renew-agent

Nov 17 21:10:13 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875188]: dogtag-ipa-renew-agent returned 3

Nov 17 21:10:13 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:10:13 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).

Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: Forwarding request to dogtag-ipa-renew-agent

Nov 17 21:25:20 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875738]: dogtag-ipa-renew-agent returned 3

Nov 17 21:25:21 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:21 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).

Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: Forwarding request to dogtag-ipa-renew-agent

Nov 17 21:25:31 ipa.cefapnet.icb.usp.br dogtag-ipa-ca-renew-agent-submit[3875766]: dogtag-ipa-renew-agent returned 3

Nov 17 21:25:31 ipa.cefapnet.icb.usp.br certmonger[3873125]: 2019-11-17 21:25:31 [3873125] Error 77 connecting to https://ipa.cefapnet.icb.usp.br:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).

 

--

Robson Francisco de Souza, PhD
Laboratório de Estrutura e Evolução de Proteínas (LEEP/PSEL)
Departamento de Microbiologia
Instituto de Ciências Biomédicas
Universidade de São Paulo
Av. Prof. Lineu Prestes, 1374 - Ed. Biomédicas II - Sala 250 - 2o. andar
Tel: 3091-0891
Cidade Universitária - CEP 05508-900 - São Paulo - SP - Brasil


----
Robson Francisco de Souza, PhD
Protein Structure and Evolution Laboratory (LEEP/PSEL)
Microbiology Departament
Biomedical Sciences Institute
University of Sao Paulo
Av. Prof. Lineu Prestes, 1374 - Biomédicas II - Sala 250
Phone: 55-11-3091-0891
Cidade Universitária - ZIP 05508-900 - São Paulo - SP - Brazil