On 25-10-18 14:18, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> Could it be that this error already existed since we started? Notice
>> the Request ID of 2016..., and the expires: 2018-10-24.
>>
>> # getcert list -n ipaCert | sed blabla
>> Number of certificates and requests being tracked: 8.
>> Request ID '20161103094546':
>> status: CA_UNREACHABLE
>> ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>> stuck: no
>> key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>> certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=MYDOMAIN
>> subject: CN=IPA RA,O=MYDOMAIN
>> expires: 2018-10-24 08:45:40 UTC
>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth
>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>> track: yes
>> auto-renew: yes
>>
>> In other words, is this the same issue as
>> https://pagure.io/freeipa/issue/7422 ?
> The problem is your certs expired yesterday so connections won't work
> (the code and message don't come from within certmonger).
>
> certmonger _should_ have renewed them. Try killing ntpd, going back a
> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and
> see what happens.
>
Easy for you to say. You know what you're doing :-)
For me it's all magic.
Anyway, I'll try it. I'm just scared to set the clock back, because there may
be clients in the network that use this server as an NTP server.
Another thing I want to mention is that the error started showing up two days
ago, on Oct 22, while the expiration is today, Oct 24.

It shouldn't take more than a few minutes to roll back time, restart
services and see what happens. I think your NTP clients will be able to
recover ok if the server is not available for a few minutes.
certmonger logs to syslog so you probably want to look at that to see if
you can find a reason the certs weren't renewed automatically.
rob
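As an added example (not from this thread, nor code from FreeIPA or certmonger), a small check that parses `getcert list` output like the one quoted above and flags every tracked request whose status is not MONITORING, that reports a ca-error, or whose expiry has passed or falls inside a warning window. The sample output and the second Request ID are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in `getcert list` format: the first record mirrors the
# thread's ipaCert entry, the second is a healthy tracked certificate.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20161103094546':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    subject: CN=IPA RA,O=MYDOMAIN
    expires: 2018-10-24 08:45:40 UTC
Request ID '20161103094600':
    status: MONITORING
    subject: CN=ipasrv.mydomain,O=MYDOMAIN
    expires: 2019-06-01 00:00:00 UTC
"""

def parse_ts(s):
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' stamps that getcert prints."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z")

def parse_getcert(text):
    """Split getcert output into one {field: value} dict per Request ID."""
    records, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            records.append(cur)
        elif cur is not None and ":" in line:
            # split on the first colon only, so URLs inside values survive
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return records

def check_tracked_certs(text, now_str, warn_days=28):
    """Return (request_id, reason) for every record that needs attention."""
    now, findings = parse_ts(now_str), []
    for r in parse_getcert(text):
        if r.get("status") != "MONITORING":
            findings.append((r["id"], "status " + r.get("status", "?")))
        if "ca-error" in r:
            findings.append((r["id"], "ca-error: " + r["ca-error"]))
        if "expires" in r:
            when = parse_ts(r["expires"])
            if when <= now:
                findings.append((r["id"], "expired " + r["expires"]))
            elif when - now <= timedelta(days=warn_days):
                findings.append((r["id"], "expires within %d days" % warn_days))
    return findings
```

Run against real output with `check_tracked_certs(subprocess.check_output(["getcert", "list"], text=True), now_str)` from a cron job, and the warning window gives you notice before certmonger's renewal window closes rather than after.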