On FreeIPA version 4.6.8-5 I realized that pki-tomcatd wouldn't start:
ipactl status
pki-tomcatd Service: STOPPED
Ran 'getcert list' and found the 'pki-tomcat' cert was expired.
Rolled back the system clock to before the cert expired, now it starts up:
ipactl status
pki-tomcatd Service: STARTED
Tried to renew with 'ipa-getcert resubmit -i "123456"' but it shows "status: CA_UNREACHABLE". 'ipa-cert fix' didn't work either.
Checked logs again with 'journalctl -t certmonger' and found 'ns-slapd' was giving out this error when it tried to renew:
csngen_adjust_local_time - Adjustment limit exceeded: value - 435060 limit - 86400
Any way to change the adjustment limit or force this cert to renew anyway?
Hi,
can you provide more information on your deployment? Do you have a single IPA server that is providing the CA service or many servers? In the latter case, which one is the CA renewal master? Are there other expired certificates?
# kinit admin
# ipa config-show
# getcert list
flo
On Mon, Jun 19, 2023 at 7:25 PM T A via FreeIPA-users < freeipa-users@lists.fedorahosted.org> wrote:
On FreeIPA version 4.6.8-5 I realized that pki-tomcatd wouldn't start:
ipactl status
pki-tomcatd Service: STOPPED
Ran 'getcert list' and found the 'pki-tomcat' cert was expired.
Rolled back the system clock to before the cert expired, now it starts up:
ipactl status
pki-tomcatd Service: STARTED
Tried to renew with 'ipa-getcert resubmit -i "123456"' but it shows "status: CA_UNREACHABLE". 'ipa-cert fix' didn't work either.
Checked logs again with 'journalctl -t certmonger' and found 'ns-slapd' was giving out this error when it tried to renew:
csngen_adjust_local_time - Adjustment limit exceeded: value - 435060 limit - 86400
Any way to change the adjustment limit or force this cert to renew anyway?
Florence, thanks for the reply. There are 2 IPA servers; the one I'm trying to cert fix on is the CA renewal master, server1.
I had to redact some details.
# ipa config-show
  Max username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: company.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=COMPANY.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: server1.company.com, server2.company.com
  IPA master capable of PKINIT: server1.company.com
  IPA CA servers: server1.company.com, server2.company.com
  IPA NTP servers: server1.company.com, server2.company.com
  IPA CA renewal master: server1.company.com
  IPA DNS servers: server1.company.com, server2.company.com
There are 3 expired certs, with the dogtag one having expired first and then probably causing the other two not to be renewed. If I roll back the clock to before expiration, everything starts up fine; I just can't get the dogtag cert to renew. I get 'csngen_adjust_local_time - Adjustment limit exceeded' whenever I try 'ipa-getcert resubmit -i '.
Request ID '000012':
    status: NEED_GUIDANCE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=COMPANY.COM
    subject: CN=server1.company.com,O=COMPANY.COM
    expires: <several weeks ago>
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
Request ID '000013':
    status: NEED_CSR_GEN_PIN
    ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-COMPANY-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=COMPANY.COM
    subject: CN=server1.company.com,O=COMPANY.COM
    expires: <several weeks ago>
    principal name: ldap/server1.company.com@COMPANY.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv COMPANY-COM
    track: yes
    auto-renew: yes
Request ID '000017':
    status: NEED_CSR_GEN_PIN
    ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=COMPANY.COM
    subject: CN=server1.company.com,O=COMPANY.COM
    expires: <several weeks ago>
    principal name: HTTP/server1.company.com@COMPANY.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
T A via FreeIPA-users wrote:
Florence, thanks for the reply. There are 2 IPA servers; the one I'm trying to cert fix on is the CA renewal master, server1.
I had to redact some details.
# ipa config-show
  Max username length: 32
  Home directory base: /home
  Default shell: /bin/bash
  Default users group: ipausers
  Default e-mail domain: company.com
  Search time limit: 2
  Search size limit: 100
  User search fields: uid,givenname,sn,telephonenumber,ou,title
  Group search fields: cn,description
  Enable migration mode: FALSE
  Certificate Subject base: O=COMPANY.COM
  Password Expiration Notification (days): 4
  Password plugin features: AllowNThash
  SELinux user map order: guest_u:s0$xguest_u:s0$user_u:s0$staff_u:s0-s0:c0.c1023$unconfined_u:s0-s0:c0.c1023
  Default SELinux user: unconfined_u:s0-s0:c0.c1023
  Default PAC types: MS-PAC, nfs:NONE
  IPA masters: server1.company.com, server2.company.com
  IPA master capable of PKINIT: server1.company.com
  IPA CA servers: server1.company.com, server2.company.com
  IPA NTP servers: server1.company.com, server2.company.com
  IPA CA renewal master: server1.company.com
  IPA DNS servers: server1.company.com, server2.company.com
There are 3 expired certs, with the dogtag one having expired first and then probably causing the other two not to be renewed. If I roll back the clock to before expiration, everything starts up fine; I just can't get the dogtag cert to renew. I get 'csngen_adjust_local_time - Adjustment limit exceeded' whenever I try 'ipa-getcert resubmit -i '.
That message is related but not the reason renewal is failing. It's 389-ds replication noticing how out-of-whack time is.
Request ID '000012':
    status: NEED_GUIDANCE
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=COMPANY.COM
    subject: CN=server1.company.com,O=COMPANY.COM
    expires: <several weeks ago>
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
    post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
    track: yes
    auto-renew: yes
You'll need to look in the journal (or syslog) for more information. This is certmonger telling you that something failed and it has no idea why.
Request ID '000013':
    status: NEED_CSR_GEN_PIN
    ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-COMPANY-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-COMPANY-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=COMPANY.COM
    subject: CN=server1.company.com,O=COMPANY.COM
    expires: <several weeks ago>
    principal name: ldap/server1.company.com@COMPANY.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv COMPANY-COM
    track: yes
    auto-renew: yes
Request ID '000017':
    status: NEED_CSR_GEN_PIN
    ca-error: Error setting up ccache for "host" service on client using default keytab: Preauthentication failed.
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=COMPANY.COM
    subject: CN=server1.company.com,O=COMPANY.COM
    expires: <several weeks ago>
    principal name: HTTP/server1.company.com@COMPANY.COM
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/libexec/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes
This points to something wrong with the host keytab. While back in time, with all the services running (except the CA, of course):
1. kinit admin
2. klist -kt /etc/krb5.keytab
3. kvno host/server1.company.com
Both steps 2 and 3 will output a kvno (key version number). They should match. If they don't, you'll need to generate a new one, and this could pose an issue for the broken replication (because when time is "right" things may not sync up). We can tackle that if it comes to it.
rob
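A scripted form of the kvno comparison Rob describes, added here as an example (not code from the thread or from FreeIPA). It parses the text that 'klist -kt' and 'kvno' print; the SAMPLE_* strings below are constructed in those formats so the check runs offline, and the principal name is taken from the thread.

```shell
#!/bin/sh
# Added example (not from the thread): script the klist/kvno comparison.
# keytab_kvno parses 'klist -kt /etc/krb5.keytab' output, kdc_kvno parses
# 'kvno host/<fqdn>' output, and check_host_kvno reports whether the key
# version number in the keytab matches the one the KDC reports.
# The SAMPLE_* strings are constructed in the format those tools print; on a
# real server feed in: klist -kt /etc/krb5.keytab  and  kvno "host/$(hostname -f)"

# Highest KVNO for the principal in 'klist -kt' output (0 if absent).
# Data lines look like: "   3 06/19/2023 10:00:00 host/server1.company.com@COMPANY.COM"
keytab_kvno() {    # $1 = klist -kt output, $2 = principal
    printf '%s\n' "$1" |
        awk -v p="$2" 'BEGIN { max = 0 } $NF == p && $1 + 0 > max { max = $1 + 0 } END { print max + 0 }'
}

# KVNO the KDC currently holds; the 'kvno' line looks like:
# "host/server1.company.com@COMPANY.COM: kvno = 4"
kdc_kvno() {       # $1 = kvno output, $2 = principal
    printf '%s\n' "$1" | awk -v p="$2" 'index($0, p ":") == 1 { print $NF + 0 }'
}

# Returns 0 on match, 1 on mismatch, 2 when the KDC gave no usable answer.
check_host_kvno() { # $1 = klist -kt output, $2 = kvno output, $3 = principal
    kt=$(keytab_kvno "$1" "$3")
    kdc=$(kdc_kvno "$2" "$3")
    if [ -z "$kdc" ] || [ "$kdc" -eq 0 ]; then
        echo "no KVNO from the KDC for $3 (check kinit / KDC reachability)"
        return 2
    fi
    if [ "$kt" -eq "$kdc" ]; then
        echo "MATCH: keytab KVNO $kt == KDC KVNO $kdc for $3"
        return 0
    fi
    echo "MISMATCH: keytab KVNO $kt != KDC KVNO $kdc for $3"
    return 1
}

PRINCIPAL='host/server1.company.com@COMPANY.COM'
# Constructed sample outputs (one keytab entry per enctype, same KVNO).
SAMPLE_KLIST='Keytab name: FILE:/etc/krb5.keytab
KVNO Timestamp           Principal
---- ------------------- ------------------------------------------------------
   3 06/19/2023 10:00:00 host/server1.company.com@COMPANY.COM
   3 06/19/2023 10:00:00 host/server1.company.com@COMPANY.COM'
SAMPLE_KVNO_MATCH='host/server1.company.com@COMPANY.COM: kvno = 3'
SAMPLE_KVNO_MISMATCH='host/server1.company.com@COMPANY.COM: kvno = 4'

# Demo on the constructed samples; a mismatch means the keytab is stale.
check_host_kvno "$SAMPLE_KLIST" "$SAMPLE_KVNO_MISMATCH" "$PRINCIPAL" || :
```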
Rob, thank you, great insight. The kvno did not match; tried to generate a new one but it fails:
kinit admin
ipa-getkeytab -s server1 -p host/server1@COMPANY.COM -k /etc/krb5.keytab
Failed to parse result: Internal error while saving keys
Looking in journalctl it shows that "Adjustment limit exceeded" error that resulted from travelling back in time with the system clock to before the certs expired, same as when resubmitting the certs. Catch-22?
Also tried to just retrieve the existing one by adding the -r flag to the above, but:
Failed to parse result: Insufficient access rights
journalctl: "Not allowed to retrieve keytab on [host/server1@COMPANY.COM] as user [uid=admin"
But I think that's normal for FreeIPA; I recall the documentation saying you are not able to retrieve by default.
Could I have made a mistake? Is there a different way to fix the host keytab?
Still have not managed to get past this latest issue; ldap is still broken. Anyone have any advice on how to proceed?
I'm still stuck at this point, would anyone happen to know how to get the KVNO issue resolved?