I think the problem is that the web UI certificate is not tracked by Certmonger. I compared with my replica server which seems alright:
master server (with expired certificate):

# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio....@quartzbio.com
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

replica server (with valid certificate):

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20151223161521':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-12-23 16:03:52 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv QUARTZBIO-COM
    track: yes
    auto-renew: yes
Request ID '20151223162016':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-12-23 16:03:59 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

There are two things that seem weird to me:
1. the only tracked certificate on my master seems wrong: non-existing location /tmp/webserver.key and wrong host name apache.quartzbio.com
2. the replica server tracks 2 certificates, and the second seems to be the correct SSL certificate.

I tried tracking the certificate from /etc/httpd/alias on the server:

# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt
# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio....@quartzbio.com
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20170712124534':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:56 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

As you can see, it almost worked, except for the "ca-error: Unable to determine principal name for signing request." message. What does it mean?

On Tue, Jul 11, 2017 at 6:23 PM, None via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> Hello,
>
> Today I realized that the https certificate for my freeipa web ui has expired.
> I tried to renew it using:
> #ipa-cacert-manage renew
> Renewing CA certificate, please wait
>
> CA certificate successfully renewed
> The ipa-cacert-manage command was successful
>
> So it seemed to go well. I tried to restart ipa but it failed:
> # ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Job for httpd.service failed because the control process exited with error code. See "systemctl status httpd.service" and "journalctl -xe" for details.
> Failed to start httpd Service
> Shutting down
>
> What went wrong? I'm running in a freeipa-server docker on a Linux server...
> It is quite a big deal since I cannot run my master freeipa anymore, even from a backup!
>
> Thanks.
>
> logs
> ===
>
> # systemctl status httpd.service
> * httpd.service - The Apache HTTP Server
>    Loaded: loaded (/usr/lib/systemd/system/httpd.service)
>   Drop-In: /usr/lib/systemd/system/httpd.service.d
>            `-abc.conf
>    Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
>   Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
>   Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
>   Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
>  Main PID: 28717 (code=exited, status=1/FAILURE)
>
> Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
> Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa : INFO KDC proxy enabled
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.
>
> and (excerpt from journalctl -xe)
>
> -- The start-up result is done.
> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
> -- Subject: Unit httpd.service has begun start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit httpd.service has begun starting up.
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: loaded serial 1499786955
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: loaded serial 1499786955
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: sending notifies (serial 1499786955)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: loaded serial 1499786955
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
> Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa : INFO KDC proxy enabled
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
> -- Subject: Unit httpd.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit httpd.service has failed.
> --
> -- The result is failed.
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28944:604682474 (system bus name :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC...
> -- Subject: Unit krb5kdc.service has begun shutting down
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
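A small audit script, added here as an example and not part of the thread, that parses `ipa-getcert list` output like the one above and flags the conditions the thread turns on: a ca-error, a private key stored under /tmp, a subject CN that does not match the host, an expired or soon-expiring certificate, and an empty post-save command (so nothing would restart the service after renewal). The sample input is constructed from the output quoted above and trimmed; the host name passed in and the 30-day warning threshold are assumptions.

```python
import re
from datetime import datetime, timedelta
FMT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp format that getcert prints
# Constructed sample, trimmed from the ipa-getcert output quoted in this thread.
SAMPLE = """\
Request ID '20150826135329':
    key pair storage: type=FILE,location='/tmp/webserver.key'
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    post-save command:
Request ID '20170712124534':
    ca-error: Unable to determine principal name for signing request.
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:56 UTC
    post-save command:
"""

def parse_getcert(text):  # one dict per "Request ID" block of `ipa-getcert list`
    reqs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\w+)':", line)
        if m:
            reqs.append(cur := {"id": m.group(1)})
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")  # split on the first colon only
            cur[key.strip()] = val.strip()
    return reqs
def audit(reqs, fqdn, now, warn_days=30):  # `now` is a timestamp in getcert's own format
    now, out = datetime.strptime(now, FMT), {}
    for r in reqs:
        probs = []
        if "ca-error" in r:  # renewal is failing at the CA helper
            probs.append("ca-error: " + r["ca-error"])
        loc = re.search(r"location='([^']*)'", r.get("key pair storage", ""))
        if loc and loc.group(1).startswith("/tmp/"):  # key in a volatile, shared dir
            probs.append("private key under /tmp: " + loc.group(1))
        cn = re.search(r"CN=([^,]+)", r.get("subject", ""))
        if cn and cn.group(1) != fqdn:  # tracked cert is not for this host
            probs.append("subject CN %s != host %s" % (cn.group(1), fqdn))
        exp = datetime.strptime(r["expires"], FMT)
        if exp < now:
            probs.append("expired " + r["expires"])
        elif exp - now < timedelta(days=warn_days):
            probs.append("expires within %d days" % warn_days)
        if not r.get("post-save command"):  # nothing restarts the service on renewal
            probs.append("no post-save command")
        if probs:
            out[r["id"]] = probs
    return out
```

Run it against the real output of `ipa-getcert list` on the host (piped into `parse_getcert`) with the host's own FQDN to get the same findings for every tracked request.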