Hello.
I contact you because I have a problem of expired certificates on my IPA servers.
I'm still using IPA 3.0.0 for the moment.
###
# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160321140609':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:09 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140642':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140750':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:07:50 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
###
Because of this, unfortunately, the commands ipa user-show etc. do not work anymore. I wonder if IPA itself works well or not when we have this certificate problem?
Anyway, I went back in time, to before the certificates expire:
###
service ntpd stop
date --set="2018-03-10 10:00:00"
###
And then I tried to renew these certificates with certmonger:
###
# ipa-getcert resubmit -i 20160321140609
Resubmitting "20160321140609" to "IPA".
# ipa-getcert resubmit -i 20160321140642
Resubmitting "20160321140642" to "IPA".
# ipa-getcert resubmit -i 20160321140750
Resubmitting "20160321140750" to "IPA".
###
But it didn't change anything, the certificates are still expired :(.
I have the following error message in the httpd log when I perform a resubmit.
###
[Sat Mar 10 11:29:18 2018] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
[Sat Mar 10 11:29:18 2018] [error] ipa: INFO: host/<HOST>@<REALM>: cert_request(u'<base64 CSR elided>', principal=u'ldap/<HOST>@<REALM>', add=True): CertificateOperationError
###
The CA service is running:
###
# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###
My version of java is:
###
java -version
java version "1.7.0_95"
###
certmonger is running:
###
service certmonger status
certmonger (pid 3698) is running...
###
I wonder what I could do? Thank you in advance for your help.
BR.
Lune
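An added example (not code from this thread, from FreeIPA or from certmonger) that does mechanically what the thread does by eye: it parses `ipa-getcert list` output into records, flags requests that are not in MONITORING or whose certificate is expired or about to expire, and compares two snapshots to confirm that a resubmit actually moved the expiry date. The sample output, host, realm and the reference clock are constructed.

```python
from datetime import datetime, timedelta

# Constructed sample in the record format certmonger prints. Host, realm
# and dates are placeholders; the ca-error text is the one quoted above.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20160321140609':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2018-03-22 14:06:09 UTC
Request ID '20160321140750':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2018-04-20 14:07:50 UTC
Request ID '20160321140900':
\tstatus: MONITORING
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2020-03-22 14:07:50 UTC
"""

# Reference clock for the sample run (the day of the thread) so results
# are reproducible; a live check would use datetime.utcnow().
NOW = datetime(2018, 4, 11, 18, 0, 0)
EXPIRES_FORMAT = "%Y-%m-%d %H:%M:%S"


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict of fields per request.

    A record starts at a "Request ID '...':" line; every indented
    "key: value" line up to the next record belongs to it.
    """
    requests = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("Request ID '"):
            current = {"request_id": line[len("Request ID '"):].rstrip("':")}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")
            current[key.strip()] = value.strip()
    return requests


def parse_expires(value):
    """'2018-03-22 14:06:09 UTC' -> naive UTC datetime, or None if unparseable."""
    if not value:
        return None
    try:
        return datetime.strptime(value.replace(" UTC", ""), EXPIRES_FORMAT)
    except ValueError:
        return None


def find_problems(requests, now, warn_days=30):
    """(request_id, reason) pairs for every request that is not healthy:
    not in MONITORING (with certmonger's ca-error text), already expired,
    or expiring within warn_days."""
    problems = []
    horizon = now + timedelta(days=warn_days)
    for req in requests:
        rid = req["request_id"]
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":
            reason = "status " + status
            if req.get("ca-error"):
                reason += ": " + req["ca-error"]
            problems.append((rid, reason))
        expires = parse_expires(req.get("expires"))
        if expires is None:
            problems.append((rid, "no parseable expiry"))
        elif expires <= now:
            problems.append((rid, "expired at %s UTC" % expires))
        elif expires <= horizon:
            days = (expires - now).days
            problems.append((rid, "expires in %d days (%s UTC)" % (days, expires)))
    return problems


def renewed_requests(before, after):
    """Request IDs whose expiry moved later between two list snapshots:
    the check the thread does by hand after `ipa-getcert resubmit`, since
    an unchanged expiry means the CA never issued a new certificate."""
    old = {r["request_id"]: parse_expires(r.get("expires")) for r in before}
    renewed = []
    for req in after:
        old_exp, new_exp = old.get(req["request_id"]), parse_expires(req.get("expires"))
        if old_exp is not None and new_exp is not None and new_exp > old_exp:
            renewed.append(req["request_id"])
    return renewed
```

Feed it the real output with `parse_getcert_list(subprocess.check_output(["ipa-getcert", "list"]).decode())` and a current clock; the same functions then serve as a periodic monitoring check.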
lune voo via FreeIPA-users wrote:
After going back in time, restart the pki-cad service, then restart certmonger.
rob
Hello Rob.
I restarted the pki-cad service:
###
# service pki-cad restart
Stopping pki-ca: waiting for processes 56678 to exit
killing 56678 which did not stop after 30 seconds [WARNING]
[ OK ]
Starting pki-ca: [ OK ]
###
Then I restarted certmonger:
###
service certmonger restart
Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]
###
Then I tried to resubmit the three certificates:
###
ipa-getcert resubmit -i 20160321140609
Resubmitting "20160321140609" to "IPA".
ipa-getcert resubmit -i 20160321140642
Resubmitting "20160321140642" to "IPA".
ipa-getcert resubmit -i 20160321140750
Resubmitting "20160321140750" to "IPA".
###
But when I do an ipa-getcert list, I still have the same expiration dates:
###
ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160321140609':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:09 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140642':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140750':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:07:50 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
###
Best regards.
Lune
2018-04-11 19:50 GMT+02:00 Rob Crittenden rcritten@redhat.com:
As a note, I can see this in the debug file /var/log/pki-ca/debug:
###
[main]: SigningUnit init: debug java.security.cert.CertificateParsingException: java.io.IOException: java.lang.NoClassDefFoundError: sun/io/CharToByteConverter
###
BR.
Lune
2018-04-11 20:17 GMT+02:00 lune voo lune.voo1234@gmail.com:
Hello everyone.
I tried an alternatives --config java and saw that there was a JAVA8 installed on the master.
I stopped the ipa service and uninstalled JAVA8 from this node. Then I restarted the IPA service and retried to renew the certificates with the same command I already used.
And it worked :)
So then I stopped IPA, turned the time back to normal and restarted IPA.
Do you know if IPA4 on RHEL7 is compatible with JAVA8, Rob?
Thanks for the help.
BR.
Lune
2018-04-11 20:25 GMT+02:00 lune voo lune.voo1234@gmail.com:
As a note, I can see this in the debug file in var/log/pki-ca/debug ###
[main]: SigningUnit init: debug java.security.cert.CertificateParsingException: java.io.IOException: java.lang.NoClassDefFoundError: sun/io/CharToByteConverter
###
BR.
Lune
2018-04-11 20:17 GMT+02:00 lune voo lune.voo1234@gmail.com:
Hello Rob.
I restarted the pki-cad service:
###
# service pki-cad restart
Stopping pki-ca: waiting for processes 56678 to exit
killing 56678 which did not stop after 30 seconds [WARNING] [ OK ]
Starting pki-ca: [ OK ]
###
Then I restarted certmonger:
###
service certmonger restart
Stopping certmonger: [ OK ]
Starting certmonger: [ OK ]
###
Then I tried to resubmit the three certificates:
###
ipa-getcert resubmit -i 20160321140609
Resubmitting "20160321140609" to "IPA".
ipa-getcert resubmit -i 20160321140642
Resubmitting "20160321140642" to "IPA".
ipa-getcert resubmit -i 20160321140750
Resubmitting "20160321140750" to "IPA".
###
But when I do an ipa-getcert list, I still have the same expiration date:
###
ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160321140609':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:09 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140642':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140750':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:07:50 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
###
Best regards.
Lune
2018-04-11 19:50 GMT+02:00 Rob Crittenden rcritten@redhat.com:
After going back in time, restart the pki-cad service, then restart certmonger.
rob
freeipa-users@lists.fedorahosted.org