Hello,
I have a freeipa server (ipa-server-4.5.0-22.el7.centos.x86_64). Certificates expired in April 2022 and why certmonger did not renew them is not clear.
getcert list

Request ID '20180510155654':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=IPA RA,O=EXAMPLE.COM
    expires: 2024-03-07 17:47:25 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
    track: yes
    auto-renew: yes
Request ID '20180510155804':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Audit,O=EXAMPLE.COM
    expires: 2024-03-05 17:47:13 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180510155805':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=OCSP Subsystem,O=EXAMPLE.COM
    expires: 2024-03-07 17:47:15 UTC
    eku: id-kp-OCSPSigning
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180510155806':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=CA Subsystem,O=EXAMPLE.COM
    expires: 2024-03-05 17:47:23 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180510155807':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=Certificate Authority,O=EXAMPLE.COM
    expires: 2038-05-10 15:56:32 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180510155808':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://freeipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2022-04-15 04:47:25 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '20180510155834':
    status: CA_UNREACHABLE
    ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2022-04-25 20:55:59 UTC
    dns: freeipa.example.com
    principal name: ldap/freeipa.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-COM
    track: yes
    auto-renew: yes
Request ID '20180510155907':
    status: CA_UNREACHABLE
    ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2022-04-26 06:11:51 UTC
    dns: freeipa.example.com
    principal name: ldap/freeipa.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
Request ID '20180510155922':
    status: CA_UNREACHABLE
    ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
    stuck: no
    key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
    certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2022-04-25 20:56:54 UTC
    principal name: krbtgt/EXAMPLE.COM@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-pkinit-KPKdc
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
    track: yes
    auto-renew: yes
Request ID '20180720144614':
    status: CA_REJECTED
    ca-error: Server at https://freeipa.example.com/ipa/xml denied our request, giving up: 2100 (RPC failed at server. Insufficient access: Insufficient 'add' privilege to add the entry 'krbprincipalname=HTTP/pb-freeipa@EXAMPLE.COM,cn=services,cn=accounts,dc=example,dc=cb,dc=com'.).
    stuck: yes
    key pair storage: type=FILE,location='/etc/pki/tls/private/pb-freeipa.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/pb-freeipa.crt'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20180720151813':
    status: NEED_KEY_GEN_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert',pin set
    certificate: type=NSSDB,location='/etc/ipa/certdb',nickname='Server-Cert'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20180720152853':
    status: CA_UNREACHABLE
    ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.com:443; Connection refused).
    stuck: no
    key pair storage: type=FILE,location='/etc/pki/tls/private/freeipa.example.com.key'
    certificate: type=FILE,location='/etc/pki/tls/certs/freeipa.example.com.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2022-04-25 20:57:24 UTC
    dns: freeipa.example.com
    principal name: HTTP/freeipa.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20180723075009':
    status: NEED_CSR
    stuck: no
    key pair storage: type=FILE,location='/root/OVPN_CLIENT_1.key'
    certificate: type=FILE,location='/root/OVPN_CLIENT_1.pem'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2020-07-23 07:50:10 UTC
    dns: freeipa.example.com
    principal name: host/freeipa.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20180723075356':
    status: CA_REJECTED
    ca-error: Server at https://freeipa.example.com/ipa/xml denied our request, giving up: 3009 (RPC failed at server. invalid 'csr': hostname in subject of request 'OVPN_CLIENT_1' does not match name or aliases of principal 'HTTP/freeipa.example.com@EXAMPLE.COM').
    stuck: yes
    key pair storage: type=FILE,location='/root/OVPN_CLIENT_2.key'
    certificate: type=FILE,location='/root/OVPN_CLIENT_2.pem'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20180723075553':
    status: CA_UNREACHABLE
    ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: no
    key pair storage: type=FILE,location='/root/OVPN_CLIENT_3.key'
    certificate: type=FILE,location='/root/OVPN_CLIENT_3.pem'
    CA: IPA
    issuer:
    subject:
    expires: unknown
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20200514145151':
    status: CA_UNREACHABLE
    ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: no
    key pair storage: type=FILE,location='/home/user/vpn-user.key'
    certificate: type=FILE,location='/home/user/vpn-user.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2022-05-15 14:51:52 UTC
    dns: freeipa.example.com
    principal name: host/freeipa.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20200514150206':
    status: CA_UNREACHABLE
    ca-error: Server at https://freeipa.example.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
    stuck: no
    key pair storage: type=FILE,location='/home/user/freeipa.example.com.key'
    certificate: type=FILE,location='/home/user/freeipa.example.com.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.COM
    subject: CN=freeipa.example.com,O=EXAMPLE.COM
    expires: 2022-05-15 15:02:07 UTC
    dns: freeipa.example.com
    principal name: host/freeipa.example.com@EXAMPLE.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
I tried to update the certificates using the information from the following links:
https://floblanc.wordpress.com/2016/12/06/using-certmonger-to-track-certific...
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-...
https://listman.redhat.com/archives/freeipa-users/2017-January/msg00216.html
but it was not possible to update expired certificates.
Could you please tell me how to solve the problem?
john john via FreeIPA-users wrote:
So some of the certificates were being renewed in early March, as expected it looks like, but then something went sideways and the CA would no longer start and the others just failed.
I'd suggest:
- ipactl stop
- make sure ntpd/chronyd is stopped
- set date to March 8 (all certs should be valid then)
- manually start the IPA services: dirsrv, krb5kdc, named if configured, httpd, pki-tomcatd
At this point most everything should be running.
You can either restart certmonger and let it notice the expiring certs and watch it to see that the certs are renewed.
Or manually run: getcert resubmit -i <id> -w -v to be able to more easily watch each one install. For the CA-related certs give it some time post renewal for the service to restart.
Then stop all the services again, return to today, ipactl start.
rob
Thank you for your answer,
I have a few questions:
1. Should I perform "kinit admin" before the "ipactl stop" command?
2. How did you determine that it was March 8 that I need to set the date on the server? Several certificates updated on March 5 and 7. Maybe I need to set the date before March 5?
3. IPA is configured with the following services:
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
httpd Service: STOPPED
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa: INFO: The ipactl command was successful

Do I understand correctly that to start the dirsrv service I need to run the "systemctl start dirsrv@EXAMPLE.COM" command? The entry EXAMPLE.COM is the one specified in the "/etc/ipa/default.conf" parameter "realm = EXAMPLE.COM".
If I am right, then krb5kdc is krb5kdc.service, named is not configured, httpd is httpd.service, and pki-tomcatd is pki-tomcatd@pki-tomcat.service.
john john via FreeIPA-users wrote:
> Thank you for your answer,
> I have a few questions:
> 1. Should I perform "kinit admin" before the "ipactl stop" command?

No, a ticket is not required.

> 2. How did you determine that it was March 8 that I need to set the date on the server?
> Several certificates updated on March 5 and 7.

IIRC some of the certificates were renewed in March and some weren't and expired in April. You want to be in the sweet spot of time so that all of the certificates are valid and not expired.

> Maybe I need to set the date before March 5?
> 3. IPA is configured with the following services:
> ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> httpd Service: STOPPED
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: RUNNING
> ipa-otpd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> Do I understand correctly that to start the dirsrv service I need to run the "systemctl start dirsrv@EXAMPLE.COM" command? The entry EXAMPLE.COM is the one specified in the "/etc/ipa/default.conf" parameter "realm = EXAMPLE.COM".

Replace dots with dashes in the realm. Or you can use dirsrv.target.

> If I am right, then krb5kdc is krb5kdc.service, named is not configured, httpd is httpd.service, and pki-tomcatd is pki-tomcatd@pki-tomcat.service.

Correct. Note that you don't need to include the .service part when using systemctl if you want to save some typing.
We have to do this manually rather than ipactl since it would start ntpd and bring time back to current.
rob
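As an added example (not code from this thread, from FreeIPA or from certmonger), here is a small stdlib-only Python script that does the bookkeeping behind Rob's advice: it parses `getcert list` output of the kind pasted above into one record per request, flags which tracking requests are expired, stuck, or in a state certmonger will not retry by itself, computes the latest instant the clock may be set back to so that every certificate certmonger is still retrying is valid again (the "sweet spot" from the reply), and derives the manual start commands, including the dots-to-dashes dirsrv instance name. The sample input, the reference date `NOW`, the `RETRYING` set (the two retry states seen in the thread) and the `extra_units` placeholder for named are constructed assumptions, not values from the original post.

```python
"""Triage `getcert list` output and plan the manual restart from this thread.

Added example, not code from the thread, FreeIPA or certmonger. Stdlib only.
Assumes getcert's indented 'key: value' block layout and its
'YYYY-MM-DD HH:MM:SS UTC' expiry format, both visible in the thread."""
import re
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Constructed sample: four entries trimmed to a few fields each (ca-error shortened).
SAMPLE = """\
Request ID '20180510155805':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    expires: 2024-03-07 17:47:15 UTC
Request ID '20180510155808':
    status: CA_UNREACHABLE
    ca-error: Error 60 connecting to https://freeipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca'
    expires: 2022-04-15 04:47:25 UTC
Request ID '20180723075356':
    status: CA_REJECTED
    ca-error: Server at https://freeipa.example.com/ipa/xml denied our request, giving up: 3009 (invalid 'csr').
    stuck: yes
    certificate: type=FILE,location='/root/OVPN_CLIENT_2.pem'
    expires: unknown
Request ID '20180723075009':
    status: NEED_CSR
    stuck: no
    certificate: type=FILE,location='/root/OVPN_CLIENT_1.pem'
    expires: 2020-07-23 07:50:10 UTC
"""

# Constructed reference time: early May 2022, where the thread's own systemctl
# output ("1 months 27 days ago" from March 8) places the poster.
NOW = datetime(2022, 5, 5, tzinfo=timezone.utc)

# States seen in the thread in which certmonger keeps retrying on its own once
# the CA answers again (assumption); any other state needs an operator first.
RETRYING = {"MONITORING", "CA_UNREACHABLE"}


def parse_getcert(text: str) -> List[Dict[str, str]]:
    """One dict per 'Request ID' block; its 'key: value' lines become entries."""
    requests: List[Dict[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        head = re.match(r"Request ID '([^']+)':", line)
        if head:
            requests.append({"id": head.group(1)})
        elif requests and ":" in line:
            key, _, value = line.partition(":")  # split on the first colon only
            requests[-1][key.strip()] = value.strip()
    return requests


def expiry(req: Dict[str, str]) -> Optional[datetime]:
    """'expires: unknown' (no certificate on disk yet) parses to None."""
    value = req.get("expires", "unknown")
    if value == "unknown":
        return None
    stamp = value.rpartition(" ")[0]  # drop the trailing 'UTC'
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def triage(requests: List[Dict[str, str]], now: datetime = NOW) -> Dict[str, List[str]]:
    """Bucket request IDs: expired at `now`, stuck, and needs_operator (no usable
    certificate and a state certmonger will not retry, so neither a reachable CA
    nor a clock change fixes them; review or stop tracking them)."""
    out: Dict[str, List[str]] = {"expired": [], "stuck": [], "needs_operator": []}
    for r in requests:
        exp = expiry(r)
        expired = exp is not None and exp <= now
        if expired:
            out["expired"].append(r["id"])
        if r.get("stuck") == "yes":
            out["stuck"].append(r["id"])
        if r.get("status") not in RETRYING and (expired or exp is None):
            out["needs_operator"].append(r["id"])
    return out


def clock_cutoff(requests: List[Dict[str, str]], now: datetime = NOW) -> Optional[datetime]:
    """Earliest expiry among certificates certmonger is still retrying: the clock
    must be set before this instant (and after the last renewal) for every
    needed certificate to be valid during the manual restart."""
    pending = [expiry(r) for r in requests if r.get("status") in RETRYING]
    expired = [e for e in pending if e is not None and e <= now]
    return min(expired) if expired else None


def manual_start_plan(realm: str, extra_units=()) -> List[str]:
    """Start order from Rob's reply, with the dirsrv instance derived from the realm
    the way IPA names it (dots become dashes). `extra_units` is a placeholder for
    named when it is configured; its unit name is not given in the thread."""
    units = [f"dirsrv@{realm.replace('.', '-')}", "krb5kdc", *extra_units,
             "httpd", "pki-tomcatd@pki-tomcat"]
    return [f"systemctl start {u}" for u in units]


if __name__ == "__main__":
    reqs = parse_getcert(SAMPLE)
    print(triage(reqs))
    print("set the clock before:", clock_cutoff(reqs))
    print("\n".join(manual_start_plan("EXAMPLE.COM")))
```

Run against the full output above with `getcert list | python3 triage.py` style piping (replace `SAMPLE` with `sys.stdin.read()`), the cutoff comes out as the expiry of the CA's own Server-Cert, 2022-04-15, which is why the clock has to go back before mid-April, and the OVPN_CLIENT_* and pb-freeipa requests land in `needs_operator` because no retry will ever complete them.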
What I did:
1. ipactl stop
2. checked that ntpd is stopped
3. set date to March 8
4. manually start the IPA services: dirsrv, krb5kdc, httpd, pki-tomcatd:
   systemctl start dirsrv@EXAMPLE-COM
   systemctl start krb5kdc
   systemctl start httpd
   systemctl start pki-tomcatd@pki-tomcat

pki-tomcatd does not start according to the "ipactl status" command:
pki-tomcatd Service: STOPPED

systemctl status pki-tomcatd@pki-tomcat shows that the service is started but with the following logs:

pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-03-08 05:51:09 UTC; 1 months 27 days ago
  Process: 11336 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
  Process: 11369 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 11493 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─11493 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start

Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: To enable the subsystem:
Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Stopping authenticators
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-7 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Setting container
In /var/log/pki/pki-tomcat/ca/selftests.log:
0.localhost-startStop-1 - [08/Mar/2022:05:49:24 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED! 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Initializing self test plugins: 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instances 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in startup order 0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded! 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup: 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] CAPresence: CA is present 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired. 0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
certutil -L -d /etc/pki/pki-tomcat/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Problem with "Certificate ocspSigningCert cert-pki-ca". How to fix it?
john john via FreeIPA-users wrote:
What I did:
- ipactl stop
- checked that ntpd is stopped
- set date to March 8
- manually start the IPA services: dirsrv, krb5kdc, httpd, pki-tomcatd:
systemctl start dirsrv@EXAMPLE-COM
systemctl start krb5kdc
systemctl start httpd
systemctl start pki-tomcatd@pki-tomcat
pki-tomcatd does not start according to the "ipactl status" command:
pki-tomcatd Service: STOPPED
systemctl status pki-tomcatd@pki-tomcat shows that the service is started, but with the following logs:
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/usr/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Tue 2022-03-08 05:51:09 UTC; 1 months 27 days ago
  Process: 11336 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
  Process: 11369 ExecStartPre=/usr/bin/pkidaemon start %i (code=exited, status=0/SUCCESS)
 Main PID: 11493 (java)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─11493 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy-base -Djava.library.path=/usr/lib64/nuxwdog-jni -classpath /usr/share/tomcat/bin/bootstrap.jar:/usr/share/tomcat/bin/tomcat-juli.jar:/usr/share/java/commons-daemon.jar -Dcatalina.base=/var/lib/pki/pki-tomcat -Dcatalina.home=/usr/share/tomcat -Djava.endorsed.dirs= -Djava.io.tmpdir=/var/lib/pki/pki-tomcat/temp -Djava.util.logging.config.file=/var/lib/pki/pki-tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.security.manager -Djava.security.policy==/var/lib/pki/pki-tomcat/conf/catalina.policy org.apache.catalina.startup.Bootstrap start
Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: Check /var/log/pki/pki-tomcat/ca/selftests.log for possible errors.
Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: To enable the subsystem:
Mar 08 05:51:35 freeipa.example.com server[11493]: PKIListener: pki-server subsystem-enable -i pki-tomcat ca
Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Stopping authenticators
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-3 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-7 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [authorityMonitor] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [LDAPConnThread-9 ldaps://freeipa.example.com:389] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SEVERE: The web application [/ca] appears to have started a thread named [profileChangeMonitor] but has failed to stop it. This is very likely to create a memory leak.
Mar 08 05:51:46 freeipa.example.com server[11493]: SSLAuthenticatorWithFallback: Setting container
In /var/log/pki/pki-tomcat/ca/selftests.log:
0.localhost-startStop-1 - [08/Mar/2022:05:49:24 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Initializing self test plugins:
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instances
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
0.localhost-startStop-1 - [08/Mar/2022:05:51:24 UTC] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] CAPresence: CA is present
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SystemCertsVerification: system certs verification failure: Certificate ocspSigningCert cert-pki-ca is invalid: Invalid certificate: (-8181) Peer's Certificate has expired.
0.localhost-startStop-1 - [08/Mar/2022:05:51:26 UTC] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
certutil -L -d /etc/pki/pki-tomcat/alias
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Problem with "Certificate ocspSigningCert cert-pki-ca". How to fix it?
It means that the 8th won't work. As I mentioned, you need to find a date/time where all the certs are valid. Scanning the output by eye is difficult. I'd suggest:
getcert list -d /etc/pki/pki-tomcat/alias | egrep "certificate:|expires"
Use those expires to figure out when to go back in time to.
IIRC the 389 and Apache certs weren't renewed so they should still be valid in early March.
rob
I appreciate all the help you provide.
getcert list -d /etc/pki/pki-tomcat/alias | egrep "certificate:|expires"
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2024-03-05 17:47:13 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2024-03-07 17:47:15 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2024-03-05 17:47:23 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2038-05-10 15:56:32 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-04-15 04:47:25 UTC
Only one certificate expired in April: 'Server-Cert cert-pki-ca'. Why March 8 didn't work, I don't understand.
Hi,
On Thu, May 5, 2022 at 5:31 PM john john via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
I appreciate all the help you provide.
getcert list -d /etc/pki/pki-tomcat/alias | egrep "certificate:|expires"
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2024-03-05 17:47:13 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2024-03-07 17:47:15 UTC
ocspSigningCert cert-pki-ca will expire on 2024-03-07, which means it was renewed around 2022-03-17 (validity is 740 days = 2 years minus 10 days). If you pick March 8, 2022, then this cert is not valid yet and prevents the startup of PKI. Check the exact date it was issued and pick a date after that one.
flo
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2024-03-05 17:47:23 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
        expires: 2038-05-10 15:56:32 UTC
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        expires: 2022-04-15 04:47:25 UTC
Only one certificate expired in April: 'Server-Cert cert-pki-ca'. Why March 8 didn't work, I don't understand.
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-leave@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste...
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
Thank you for explaining this to me, thank you for time spent on this.
I checked pki-tomcat and httpd certificates:
/etc/pki/pki-tomcat/alias
ocspSigningCert cert-pki-ca
    Validity:
        Not Before: Fri Mar 18 17:47:15 2022
        Not After : Thu Mar 07 17:47:15 2024
auditSigningCert cert-pki-ca
    Validity:
        Not Before: Wed Mar 16 17:47:13 2022
        Not After : Tue Mar 05 17:47:13 2024
caSigningCert cert-pki-ca
    Validity:
        Not Before: Thu May 10 15:56:32 2018
        Not After : Mon May 10 15:56:32 2038
Server-Cert cert-pki-ca
    Validity:
        Not Before: Sat Apr 25 04:47:25 2020
        Not After : Fri Apr 15 04:47:25 2022
subsystemCert cert-pki-ca
    Validity:
        Not Before: Wed Mar 16 17:47:23 2022
        Not After : Tue Mar 05 17:47:23 2024
/etc/httpd/alias
ipaCert
    Validity:
        Not Before: Fri Apr 24 20:57:54 2020
        Not After : Thu Apr 14 20:57:54 2022
Server-Cert
    Validity:
        Not Before: Sat Apr 25 06:11:51 2020
        Not After : Tue Apr 26 06:11:51 2022
I set the date to March 19 and the pki-tomcat service started correctly. But after restarting the certmonger service I see the following error in the logs:
certmonger: 2022-03-19 23:04:05 [30685] Server at https://freeipa.example.com/ipa/xml failed request, will retry: 4016 (RPC failed at server. Failed to authenticate to CA REST API).
Also have the following errors in /var/log/httpd/error_log.
[Sat Mar 19 23:03:50.199270 2022] [:error] [pid 30475] raise errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
[Sat Mar 19 23:03:50.199273 2022] [:error] [pid 30475] RemoteRetrieveError: Failed to authenticate to CA REST API
[Sat Mar 19 23:03:50.199404 2022] [:error] [pid 30475] ipa: INFO: [xmlserver] host/freeipa.example.com@EXAMPLE.COM: cert_request(u'...', profile_id=u'caIPAserviceCert', principal=u'ldap/freeipa.example.com@EXAMPLE.COM', add=True, version=u'2.51'): RemoteRetrieveError
[Sat Mar 19 23:03:50.199480 2022] [:error] [pid 30475] ipa: DEBUG: response: RemoteRetrieveError: Failed to authenticate to CA REST API
[Sat Mar 19 23:03:50.200001 2022] [:error] [pid 30475] ipa: DEBUG: Destroyed connection context.ldap2_139675403642384
[Sat Mar 19 23:04:05.740103 2022] [auth_gssapi:error] [pid 30937] [client IP_ADDRESS:PORT] NO AUTH DATA Client did not send any authentication headers, referer: https://freeipa.example.com/ipa/xml
[Sat Mar 19 23:04:05.764944 2022] [:error] [pid 30474] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Sat Mar 19 23:04:05.765013 2022] [:error] [pid 30474] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
[Sat Mar 19 23:04:05.778436 2022] [:error] [pid 30474] ipa: DEBUG: Created connection context.ldap2_139675403642384
[Sat Mar 19 23:04:05.778528 2022] [:error] [pid 30474] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Sat Mar 19 23:04:05.779037 2022] [:error] [pid 30474] ipa: DEBUG: raw:
Please help me fix these errors.
IPA version is 4.5.0. This topic https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... explains that different versions of IPA have different RA certificate locations.
In my case I have both certificates: one already expired in /etc/httpd/alias and one valid in /var/lib/ipa/ra-agent.{key|pem}. Which one is used to interact with the ldap service?
ldapsearch -D "cn=directory manager" -W -b o=ipaca -LLL -o ldif-wrap=no "(uid=ipara)" usercertificate description
Usercertificate has a completely different certificate.
If I understand correctly I need to install the correct certificate in the ldap service through the ldapmodify command. But I don't understand which certificate to use.
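Rob's advice above is to find a date at which every certificate in the NSS database is valid, and flo's point is that a date before a renewed cert's Not Before fails just as an expired one does. The following Python is an added example (not code from the thread or from FreeIPA) that parses certutil-style validity lines and computes that window; the sample lines are constructed from the dates posted above, one certificate per line.

```python
import re
from datetime import datetime

# Constructed sample input: the validity dates posted for /etc/pki/pki-tomcat/alias,
# flattened to one certificate per line (nickname, then Not Before / Not After).
VALIDITY_LINES = """\
ocspSigningCert cert-pki-ca Validity: Not Before: Fri Mar 18 17:47:15 2022 Not After : Thu Mar 07 17:47:15 2024
auditSigningCert cert-pki-ca Validity: Not Before: Wed Mar 16 17:47:13 2022 Not After : Tue Mar 05 17:47:13 2024
caSigningCert cert-pki-ca Validity: Not Before: Thu May 10 15:56:32 2018 Not After : Mon May 10 15:56:32 2038
Server-Cert cert-pki-ca Validity: Not Before: Sat Apr 25 04:47:25 2020 Not After : Fri Apr 15 04:47:25 2022
subsystemCert cert-pki-ca Validity: Not Before: Wed Mar 16 17:47:23 2022 Not After : Tue Mar 05 17:47:23 2024
"""
CERTUTIL_DATE = "%a %b %d %H:%M:%S %Y"  # certutil prints "Fri Mar 18 17:47:15 2022"
LINE_RE = re.compile(r"^(?P<nick>.+?) Validity: Not Before: (?P<nb>.+?) Not After : (?P<na>.+?)$")


def parse_validity(text):
    """Map nickname -> (not_before, not_after) for every validity line in text."""
    certs = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            certs[m["nick"]] = (datetime.strptime(m["nb"], CERTUTIL_DATE),
                                datetime.strptime(m["na"], CERTUTIL_DATE))
    return certs


def valid_window(certs):
    """Interval in which every cert is valid (latest Not Before .. earliest Not After),
    as ISO strings; None when the validity periods do not overlap at all."""
    start = max(nb for nb, _ in certs.values())
    end = min(na for _, na in certs.values())
    return (str(start), str(end)) if start < end else None


def invalid_at(certs, when):
    """Certs that would fail the PKI self-test at ISO timestamp `when`, and why."""
    t = datetime.fromisoformat(when)
    problems = {}
    for nick, (nb, na) in certs.items():
        if t < nb:
            problems[nick] = "not yet valid"
        elif t > na:
            problems[nick] = "expired"
    return problems


if __name__ == "__main__":
    certs = parse_validity(VALIDITY_LINES)
    print("all certs valid between:", valid_window(certs))
    for day in ("2022-03-08", "2022-03-19", "2022-05-05"):
        print(day, invalid_at(certs, day) or "OK")
```

With these dates the window runs from 2022-03-18 17:47:15 (ocspSigningCert becomes valid) to 2022-04-15 04:47:25 (Server-Cert expires), which is why March 8 failed and March 19 worked.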
Hi,
On Sun, May 8, 2022 at 1:31 AM john john via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
IPA version is 4.5.0. This topic https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahoste... explains that different versions of IPA have different RA certificate locations.
In my case I have both certificates: one already expired in /etc/httpd/alias and one valid in /var/lib/ipa/ra-agent.{key|pem}. Which one is used to interact with the ldap service?
ldapsearch -D "cn=directory manager" -W -b o=ipaca -LLL -o ldif-wrap=no "(uid=ipara)" usercertificate description
Usercertificate has a completely different certificate.
IPA 4.4 stores the RA cert in /etc/httpd/alias NSS database, and IPA 4.5
stores the RA cert in /var/lib/ipa/ra-agent.{pem|key}. In your case (4.5.0), the certificate in LDAP needs to be the same as the one from /var/lib/ipa/ra-agent.pem.
Hope this clarifies, flo
If I understand correctly I need to install the correct certificate in the ldap service through the ldapmodify command. But I don't understand which certificate to use.
Hi,
I did not have time to report here that I was already able to update the certificates. You are right, the certificate in LDAP must match the certificate from /var/lib/ipa/ra-agent.pem. I replaced the agent certificate in LDAP as described in this article: https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcat...
I am very thankful for your help. Have a great day.