Grateful for your response, Rob
On Tue, May 17, 2022 at 9:41 PM Rob Crittenden <rcritten(a)redhat.com> wrote:
> > sh-4.2# ipa --version
> > VERSION: 4.6.8, API_VERSION: 2.237
> >
> > ipa-cert-fix fails with: The ipa-cert-fix command failed, exception:
> > RuntimeError: Failed to get Server-Cert
> > Indeed, it is not present in /etc/httpd/alias, though it is still present
> > in /etc/pki/pki-tomcat/alias
> How did you confirm this, using certutil? I assume the httpd process
> won't start?
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful
The httpd process started, but I didn't mention (sorry) that I have Let's Encrypt
certs for httpd installed via ipa-server-certinstall.
Could this be the reason why the internal certs were not updated?
Here's all I have in /etc/httpd/alias:
certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

<mydomain> IPA CA                                            CT,C,C
CN=R3,O=Let's Encrypt,C=US                                   C,,
<mydomain> IPA CA                                            CT,C,C
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
<mydomain> IPA CA                                            CT,C,C
CN=<mydomain>                                                u,u,u    (the Let's Encrypt cert for my domain)
Yes, using certutil I can see the absence of Server-Cert in /etc/httpd/alias.
Also, for some reason, when trying
getcert list -d /etc/httpd/alias
I'm only getting this, without the detailed list:
Number of certificates and requests being tracked: 8.
While
getcert list -d /etc/pki/pki-tomcat/alias
outputs all the certificates and their status.
> Is the key there:
> certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
I have the key and I have "Server-Cert cert-pki-ca" in /etc/pki/pki-tomcat/alias.
I've even exported "Server-Cert cert-pki-ca" from the /etc/pki/pki-tomcat/alias
database and imported it into /etc/httpd/alias using pk12util.
Still, ipa-cert-fix is unable to find it:
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found
ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 100, in run
    certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 142, in expired_certs
    return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 191, in expired_ipa_certs
    cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in get_cert
    raise RuntimeError("Failed to get %s" % nickname)
ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
> Is there certmonger tracking for it?
> getcert list -d /etc/httpd/alias
> If there is then you can get a copy of the certificate from
> /var/lib/certmonger/requests and try re-installing it with certutil.
> Though later you say you can start everything with a date in the past so
> this is confusing.
The certmonger service is running and keeps attempting to renew the certificates,
but fails.
I can see requests for valid IDs in /var/lib/certmonger/requests, but they are
still not processed (probably my manual resubmit attempts).
> > I went through the suggested document and nothing seems to work.
> >
> > Manual renew via ipa-getcert resubmit also fails with different errors
> > such as
> > status: MONITORING
> > ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess"
> > replied: 1: Request 9980034 Not Found
> On which certificate?
Request ID '20171204131516':
        status: MONITORING
        ca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent-selfsigned
        expires: 2041-12-28 08:53:41 UTC
        post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
        track: yes
        auto-renew: yes
And there are no errors for the others in /etc/pki/pki-tomcat/alias.
> > status: CA_UNREACHABLE
> > ca-error: Error setting up ccache for "host" service on client using
> > default keytab: Cannot contact any KDC for realm ...
> This can happen if all of IPA is not running. certmonger uses the host
> keytab to authenticate to the IPA API.
OK, we ignore this for now.
The certificates which were not renewed are:
"ocspSigningCert cert-pki-ca"
"subsystemCert cert-pki-ca"
"Server-Cert cert-pki-ca"
What else should I try?
> rob
Great, thanks.
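The missing-nickname failure discussed in this thread, as an added example that is not part of the thread or of FreeIPA itself: a small Python parser for `certutil -L` output that reports whether the nickname ipa-cert-fix looks up (`Server-Cert`) is present and which entries carry a private key. The listing embedded in it is constructed to mirror the /etc/httpd/alias output quoted above, with example.test standing in for the real domain.

```python
import re

# certutil trust columns are SSL,S/MIME,JAR/XPI, each a subset of the flag letters pPcCTuw
_ROW = re.compile(r"^(?P<nick>.+?)\s+(?P<trust>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")

# Constructed sample mirroring the /etc/httpd/alias listing in the thread
# (example.test stands in for the real domain; not real certutil output).
SAMPLE_LISTING = """
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

example.test IPA CA                                          CT,C,C
CN=R3,O=Let's Encrypt,C=US                                   C,,
example.test IPA CA                                          CT,C,C
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
example.test IPA CA                                          CT,C,C
CN=ipa.example.test                                          u,u,u
"""


def parse_certutil_list(text):
    """Return (nickname, trust) pairs from `certutil -L` output, in order."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        # skip blank lines and the two header lines
        if not line or line.startswith("Certificate Nickname") or "S/MIME" in line:
            continue
        m = _ROW.match(line)
        if m:
            rows.append((m.group("nick"), m.group("trust")))
    return rows


def find_cert(rows, nickname):
    """Trust string for `nickname`, or None when the nickname is absent."""
    return dict(rows).get(nickname)


def diagnose(text, required="Server-Cert"):
    """Mimic ipa-cert-fix's db.get_cert(required): report presence, or what is there instead."""
    rows = parse_certutil_list(text)
    trust = find_cert(rows, required)
    if trust is None:
        # entries whose SSL column has 'u' are the ones backed by a private key in this DB
        with_key = [n for n, t in rows if "u" in t.split(",")[0]]
        return (f"'{required}' not found; entries with a private key (u flag): "
                f"{with_key or 'none'}")
    return f"'{required}' present with trust {trust}"
```

Feeding it the real output of `certutil -L -d /etc/httpd/alias` shows at a glance that the only key-backed entry is the Let's Encrypt certificate installed under its subject name, not the `Server-Cert` nickname the tool expects.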