Kees Bakker wrote:
> On 25-10-18 16:11, Rob Crittenden wrote:
>> Kees Bakker via FreeIPA-users wrote:
>>> On 25-10-18 14:18, Rob Crittenden wrote:
>>>> Kees Bakker via FreeIPA-users wrote:
>>>>> Could it be that this error already existed since we started? Notice
>>>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>>>
>>>>> # getcert list -n ipaCert | sed blabla
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '20161103094546':
>>>>> status: CA_UNREACHABLE
>>>>> ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>> stuck: no
>>>>> key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>>>> certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>>>> CA: dogtag-ipa-ca-renew-agent
>>>>> issuer: CN=Certificate Authority,O=MYDOMAIN
>>>>> subject: CN=IPA RA,O=MYDOMAIN
>>>>> expires: 2018-10-24 08:45:40 UTC
>>>>> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>> eku: id-kp-serverAuth,id-kp-clientAuth
>>>>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>>>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>>>> track: yes
>>>>> auto-renew: yes
>>>>>
>>>>> In other words, is this the same issue as https://pagure.io/freeipa/issue/7422 ?
>>>> The problem is your certs expired yesterday so connections won't work
>>>> (the code and message don't come from within certmonger).
>>>>
>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a
>>>> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and
>>>> see what happens.
>>>>
>>> Easy for you to say. You know what you're doing :-)
>>> For me it's all magic.
>>>
>>> Anyway, I'll try it. I'm just scared to set the clock back, because there may
>>> be clients in the network that use this server as a NTP server.
>>>
>>> Another thing I want to mention is that the error started showing up two days
>>> ago, on Oct 22, while the expiration is today, Oct 24.
>>>
>> It shouldn't take more than a few minutes to roll back time, restart
>> services and see what happens. I think your NTP clients will be able to
>> recover ok if the server is not available for a few minutes.
>>
>> certmonger logs to syslog so you probably want to look at that to see if
>> you can find a reason the certs weren't renewed automatically.
>>
>
> No, that didn't help.
> And in the syslog there was nothing more than this. (I had to stop the
> nameserver because it was spitting out lots of messages.)
>
> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>
Ok, I think I know what is going on. This is Ubuntu which AFAIK still
lacks nss-pem. That is probably why it can't connect to renew the certs.
I don't know if there is a workaround. Timo, do you know?
Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've
never tested cert renewal though.
--
t
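The lesson of this thread for anyone running FreeIPA is that a certificate whose renewal has been failing for days only becomes a visible outage on the day it expires; `getcert list` already carries the information (status other than MONITORING, a ca-error, the expiry date) and just needs to be checked regularly. The script below is an added example and is not part of this thread, nor of FreeIPA or certmonger. It parses `getcert list` output into records and reports every tracked request that is not in MONITORING state, is marked stuck, is already expired, or expires within a warning window. The sample output is constructed in the layout quoted earlier in the thread (the failing IPA RA entry mirrors that listing; the second, healthy entry and its request ID are invented), and the 28-day window is an assumed operational threshold. The "Error 77" text in the ca-error line is libcurl's CURLE_SSL_CACERT_BADFILE message, which is why it is reported here rather than hidden.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the layout of `getcert list` output, modelled on the
# listing quoted in the thread. The first entry mirrors the failing IPA RA
# agent certificate; the second is an invented, healthy entry for contrast.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20161103094546':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MYDOMAIN
    subject: CN=IPA RA,O=MYDOMAIN
    expires: 2018-10-24 08:45:40 UTC
    track: yes
    auto-renew: yes
Request ID '20161103094701':
    status: MONITORING
    stuck: no
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOMAIN
    subject: CN=ipasrv.mydomain,O=MYDOMAIN
    expires: 2020-03-01 10:00:00 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Keys are the field names getcert prints (status, ca-error, expires, ...)
    plus 'request_id'. Lines before the first 'Request ID' header are ignored.
    """
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        header = REQUEST_RE.match(line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue
        # Split on the first colon only: values such as the ca-error URL
        # contain further colons.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints expiry as e.g. '2018-10-24 08:45:40 UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(
        tzinfo=timezone.utc)


def check_tracking(requests, now, warn_days=28):
    """Return (request_id, subject, problem) tuples for entries needing attention.

    Anything not in MONITORING state is reported together with its ca-error,
    so a renewal that has started failing is visible well before the
    certificate runs out. warn_days is an assumed operational threshold.
    """
    findings = []
    for req in requests:
        rid = req["request_id"]
        subject = req.get("subject", "?")
        status = req.get("status", "?")
        if status != "MONITORING":
            detail = req.get("ca-error", "no ca-error recorded")
            findings.append((rid, subject, f"status {status}: {detail}"))
        if req.get("stuck") == "yes":
            findings.append((rid, subject, "request is stuck"))
        if "expires" in req:
            remaining = parse_expiry(req["expires"]) - now
            if remaining <= timedelta(0):
                findings.append((rid, subject, f"EXPIRED at {req['expires']}"))
            elif remaining <= timedelta(days=warn_days):
                findings.append((rid, subject,
                                 f"expires in {remaining.days} days ({req['expires']})"))
    return findings


def audit(text, today, warn_days=28):
    """Convenience wrapper: `today` is an ISO date such as '2018-10-22'."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return check_tracking(parse_getcert_list(text), now, warn_days)


if __name__ == "__main__":
    # On a real server, feed in the live output of `getcert list` instead of
    # the constructed sample, e.g. via subprocess, and run this from cron.
    for rid, subject, problem in audit(SAMPLE_GETCERT_OUTPUT, "2018-10-22"):
        print(f"{rid}  {subject}: {problem}")
```

Run against the sample with a date of 2018-10-22 (the day the thread says the error first appeared), the IPA RA entry is reported twice: once for its CA_UNREACHABLE status with the Error 77 text, and once because it expires in two days. The healthy entry produces nothing. The same check run a few weeks earlier would have caught the failing renewal while the certificate was still valid, which is the window in which the underlying connection problem can be fixed without an outage.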