Hi,
Thanks for the reply, I appreciate it. It looks like that is exactly the issue.
On the master server….
# certutil -L -d /etc/apache2/nssdb -n ipaCert | grep "Not After"
Not After : Wed Nov 21 01:25:31 2018
Also in ‘getcert list’ on the master….
Request ID '20161201012533':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to : Problem with the SSL CA cert (path? access rights?).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=XYZ.INTERNAL
        subject: CN=CA Audit,O=XYZ.INTERNAL
        expires: 2018-11-21 01:25:11 UTC
        key usage: digitalSignature,nonRepudiation
        pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
        post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
The issue appears to be exactly as described in
I’m pretty sure I’ve tried all the steps described in that thread, but I’ll go back and
double check.
Cheers
On Jan 8, 2019, at 8:03 PM, Florence Blanc-Renaud
<flo(a)redhat.com> wrote:
On 1/8/19 4:37 AM, Mitchell Smith via FreeIPA-users wrote:
> Hi List,
> I am running into an issue joining a new replica to our IPA environment.
> It’s worth noting that we have had issues with expired certs on our master server for
> a while but I thought we had resolved them, and when I connect to ports 443 and 636 on the
> master server I get certs back expiring in 2020.
> So I have run ipa-client-install and the client joins successfully.
> I can ‘kinit admin’ and Kerberos auth appears to work.
> When I run ipa-replica-install it hangs on step 27 restarting directory server.
> When I check syslog I see that dirsrv has failed to restart, and the following
> message.
> Jan 8 02:20:11 ds02 certmonger[8516]: 2019-01-08 02:20:11 [8516] Server at
> https://ds01.prod.xyz.internal/ipa/xml failed request, will retry: 907 (RPC failed at
> server. cannot connect to
> 'https://ds01.prod.xyz.internal:443/ca/eeca/ca/profileSubmitSSLClient':
> (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
> Where ds02 is the new replica I am installing and ds01 is the original master.
> Running FreeIPA 4.3.1.
> Any suggestions on how to move past this point would be greatly appreciated.
> Thanks in advance.
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users(a)lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-leave(a)lists.fedorahosted.org
> Fedora Code of Conduct:
> https://getfedora.org/code-of-conduct.html
> List Guidelines:
> https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedoraho...
Hi,
can you check on ds02 if certmonger was able to get a cert for the LDAP server (with
"getcert list")? If not, I suspect that the IPA RA agent certificate is expired
and as a consequence the installer was not able to get a cert for LDAP and HTTPS (the IPA
RA agent cert is used to authenticate to Dogtag, which is the component delivering
certs).
On the master, the IPA RA agent cert is stored in /etc/httpd/alias with the nickname ipaCert.
Check if it is still valid with
# certutil -L -d /etc/httpd/alias -n ipaCert | grep "Not After"
If it is expired, you need to fix this issue first (it requires moving the date back in
time, so that the cert is still valid, and letting certmonger renew it).
If it is not expired, check that the entry uid=ipara,ou=People,o=ipaca has been updated
with the most recent IPA RA agent certificate:
1. get the serial from the cert in the NSS db:
# certutil -L -d /etc/httpd/alias -n ipaCert | grep Serial
Serial Number: 7 (0x7)
2. get the whole cert on a single line, without the header and trailer:
# certutil -L -d /etc/httpd/alias -n ipaCert -a | tail -n +2 | head -n -1 | tr -d '\r\n'
MIIDv...
3. check the content of the entry in LDAP:
# ldapsearch -D "cn=directory manager" -W -LLL -o ldif-wrap=no -b uid=ipara,ou=people,o=ipaca description usercertificate
Enter LDAP Password:
dn: uid=ipara,ou=people,o=ipaca
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
usercertificate:: MIIDv...
The description attribute must contain 2;<Serial from step 1>;CN=Certificate Authority,O=<DOMAIN.COM>;CN=IPA RA,O=<DOMAIN.COM>
(replace <DOMAIN.COM> with your own domain).
The usercertificate attribute must contain the same value as obtained in step 2. If that is
not the case, you can use ldapmodify to update the certificate with the value obtained in
step 2 (do not forget to replace DOMAIN.COM with your own domain).
# ldapmodify -x -D 'cn=directory manager' -w password
dn: uid=ipara,ou=people,o=ipaca
changetype: modify
add: usercertificate
usercertificate:: MIIDv...
-
replace: description
description: 2;7;CN=Certificate Authority,O=DOMAIN.COM;CN=IPA RA,O=DOMAIN.COM
<extra blank line to finish>
HTH,
flo
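As an added example (not code from the thread or from the FreeIPA project), the three checks above as a POSIX shell script: it reads the ipaCert serial and base64 body from the NSS database and compares them with the description and usercertificate attributes of uid=ipara. It assumes certutil and ldapsearch are present on the master and that DOMAIN is set to your realm's O= value (DOMAIN.COM is a placeholder).

```shell
#!/bin/sh
# Added example, not code from the thread: automate steps 1-3 of the reply above.
# Assumes certutil and ldapsearch exist on the IPA master; DOMAIN is a placeholder
# for the O= value of your realm (e.g. XYZ.INTERNAL in the original post).
NSSDB=${NSSDB:-/etc/httpd/alias}
NICK=${NICK:-ipaCert}
DOMAIN=${DOMAIN:-DOMAIN.COM}

# Dogtag stores the RA agent as "2;<serial>;<issuer DN>;<subject DN>" in description
expected_description() {
    printf '2;%s;CN=Certificate Authority,O=%s;CN=IPA RA,O=%s' "$1" "$2" "$2"
}

# Decimal serial from 'certutil -L' text output ("Serial Number: 7 (0x7)")
serial_from_certutil() {
    sed -n 's/^[[:space:]]*Serial Number: \([0-9][0-9]*\) .*/\1/p' | head -n 1
}

# PEM on stdin -> base64 on one line, i.e. what 'usercertificate::' holds in LDIF
pem_to_single_line() {
    grep -v -e '-----' | tr -d '\r\n'
}

# LDIF of uid=ipara on stdin (ldapsearch -o ldif-wrap=no); 0 when both attrs match
entry_matches() {
    exp_desc=$1
    exp_cert=$2
    ldif=$(cat)
    desc=$(printf '%s\n' "$ldif" | sed -n 's/^description: //p')
    cert=$(printf '%s\n' "$ldif" | sed -n 's/^usercertificate:: //p')
    [ "$desc" = "$exp_desc" ] && [ "$cert" = "$exp_cert" ]
}

# Live check on the master; skipped where the tools are absent so the helpers
# above can still be sourced and tested elsewhere.
if command -v certutil >/dev/null 2>&1 && command -v ldapsearch >/dev/null 2>&1; then
    certutil -L -d "$NSSDB" -n "$NICK" | grep "Not After"
    serial=$(certutil -L -d "$NSSDB" -n "$NICK" | serial_from_certutil)
    cert=$(certutil -L -d "$NSSDB" -n "$NICK" -a | pem_to_single_line)
    if ldapsearch -D "cn=directory manager" -W -LLL -o ldif-wrap=no \
         -b uid=ipara,ou=people,o=ipaca description usercertificate |
       entry_matches "$(expected_description "$serial" "$DOMAIN")" "$cert"; then
        echo "uid=ipara matches $NICK (serial $serial)"
    else
        echo "uid=ipara is stale: update description/usercertificate with ldapmodify"
    fi
fi
```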