I think the problem is that the web UI certificate is not tracked by
Certmonger.
I compared with my replica server which seems alright:

master server (with expired certificate):
# ipa-getcert list
Number of certificates and requests being tracked: 7.
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio....@quartzbio.com
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

replica server (with valid certificate):
# ipa-getcert list

Number of certificates and requests being tracked: 8.
Request ID '20151223161521':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-12-23 16:03:52 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv QUARTZBIO-COM
    track: yes
    auto-renew: yes
Request ID '20151223162016':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipasif2.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-12-23 16:03:59 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

There are two things that seem weird to me:
  1. the only tracked certificate on my master seems wrong: non-existing location /tmp/webserver.key and wrong host name apache.quartzbio.com
  2. the replica server tracks 2 certificates, and the second seems the correct SSL certificate.

I tried tracking the certificate from /etc/httpd/alias on the server:

# ipa-getcert start-tracking -d /etc/httpd/alias -n Server-Cert -p /etc/httpd/alias/pwdfile.txt

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20150826135329':
    status: MONITORING
    stuck: no
    key pair storage: type=FILE,location='/tmp/webserver.key'
    certificate: type=FILE,location='/tmp/webserver.crt'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio....@quartzbio.com
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20170712124534':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:56 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

As you can see, it almost worked, except for the "ca-error: Unable to
determine principal name for signing request." message.
What does it mean?

On Tue, Jul 11, 2017 at 6:23 PM, None via FreeIPA-users <
freeipa-users@lists.fedorahosted.org> wrote:

> Hello,
>
> Today I realized that the https certificate for my freeipa web ui has
> expired.
> I tried to renew it using:
> #ipa-cacert-manage renew
> Renewing CA certificate, please wait
>
>
> CA certificate successfully renewed
> The ipa-cacert-manage command was successful
>
> So it seemed to go well. I tried to restart ipa but it failed:
> # ipactl start
> Starting Directory Service
> Starting krb5kdc Service
> Starting kadmin Service
> Starting named Service
> Starting ipa_memcached Service
> Starting httpd Service
> Job for httpd.service failed because the control process exited with error
> code. See "systemctl status httpd.service" and "journalctl -xe" for details.
> Failed to start httpd Service
> Shutting down
>
>
> What went wrong? I'm running in a freeipa-server docker on a linux
> server...
> It is quite a big deal since I cannot run my master freeipa anymore even
> from a backup!
>
> Thanks.
>
> logs
> ===
>
>
> # systemctl status httpd.service
> * httpd.service - The Apache HTTP Server
>    Loaded: loaded (/usr/lib/systemd/system/httpd.service)
>   Drop-In: /usr/lib/systemd/system/httpd.service.d
>            `-abc.conf
>    Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST;
> 3min 52s ago
>   Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited,
> status=0/SUCCESS)
>   Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND
> (code=exited, status=1/FAILURE)
>   Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy
> (code=exited, status=0/SUCCESS)
>  Main PID: 28717 (code=exited, status=1/FAILURE)
>
> Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP
> Server...
> Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa
>  : INFO     KDC proxy enabled
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process
> exited, code=exited, status=1/FAILURE
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache
> HTTP Server.
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered
> failed state.
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with
> result 'exit-code'.
> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP
> Server.
>
>
> and (excerpt from journalctl -xe)
>
> -- The start-up result is done.
> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered
> Authentication Agent for unix-process:28918:604682378 (system bus
> name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent,
> locale C) (disconnected from bus)
> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered
> Authentication Agent for unix-process:28932:604682393 (system bus na
> me :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]:
> systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit
> systemd-hwdb
> -update.service is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot
> add dependency job, ignoring: Unit dev-hugepages.mount
> is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot
> add dependency job, ignoring: Unit ldconfig.service is mas
> ked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add
> dependency job, ignoring: Unit swap.target is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]:
> sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit
> sys-fs-fus
> e-connections.mount is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add
> dependency job, ignoring: Unit local-fs.target is maske
> d.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]:
> systemd-update-done.service: Cannot add dependency job, ignoring: Unit
> systemd-upda
> te-done.service is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add
> dependency job, ignoring: Unit slices.target is masked.
>
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot
> add dependency job, ignoring: Unit dnf-makecache.timer
> is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service:
> Cannot add dependency job, ignoring: Unit fedora-a
> utorelabel-mark.service is masked.
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add
> dependency job, ignoring: Unit rpcbind.socket is masked.
>
> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP
> Server...
> -- Subject: Unit httpd.service has begun start-up
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> --
> -- Unit httpd.service has begun starting up.
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable
> to get root NS rrset from cache: not found
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
> 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
> 70.9.10.in-addr.arpa/IN: loaded serial 1499786955
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
> 0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
> 0.17.172.in-addr.arpa/IN: loaded serial 1499786955
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
> quartzbio.com/IN: sending notifies (serial 1499786955)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone
> quartzbio.com/IN: loaded serial 1499786955
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones
> from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 f
> ailed to load)
> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable
> to get root NS rrset from cache: not found
> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
> Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa
>  : INFO     KDC proxy enabled
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process
> exited, code=exited, status=1/FAILURE
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache
> HTTP Server.
> -- Subject: Unit httpd.service has failed
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>
> --
> -- Unit httpd.service has failed.
> --
> -- The result is failed.
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered
> failed state.
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with
> result 'exit-code'.
> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered
> Authentication Agent for unix-process:28932:604682393 (system bus
> name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent,
> locale C) (disconnected from bus)
> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered
> Authentication Agent for unix-process:28944:604682474 (system bus na
> me :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path
> /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC...
> -- Subject: Unit krb5kdc.service has begun shutting down
> -- Defined-By: systemd
> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
>
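An audit of `getcert list` output, added here as an example and not code from the thread or from the certmonger project: it parses each tracked request and flags what the reply above shows going wrong (a ca-error, an already expired certificate, an IPA-CA request with no principal name) plus a subject that is not the expected host. The sample output and the "now" date are constructed, modelled on the thread's output; `-K` in the comment is getcert's principal-name option.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the thread's `ipa-getcert list` output (not a capture).
SAMPLE = """\
Request ID '20150826135329':
    key pair storage: type=FILE,location='/tmp/webserver.key'
    CA: IPA
    subject: CN=apache.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-08-26 13:53:32 UTC
    principal name: HTTP/apache.quartzbio.com@QUARTZBIO.COM
Request ID '20170712124534':
    ca-error: Unable to determine principal name for signing request.
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert'
    CA: IPA
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:56 UTC
"""

def parse_getcert(text):
    # One {field: value} dict per "Request ID" block; continuation lines without
    # a leading space (mail-wrapped values) are ignored.
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")
            requests[-1][key] = value.strip()
    return requests

def audit(requests, now, host):
    # Return {request id: [problems]} for the requests that need attention.
    findings = {}
    for r in requests:
        problems = []
        if "ca-error" in r:
            problems.append("ca-error: " + r["ca-error"])
        exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        if exp <= now:
            problems.append("expired")
        if r.get("CA") == "IPA" and "principal name" not in r:
            problems.append("no principal name")  # IPA CA signs for a principal (getcert -K)
        if "CN=" + host not in r.get("subject", ""):
            problems.append("subject is not CN=" + host)
        if problems:
            findings[r["id"]] = problems
    return findings

def check_sample():
    # "now" is a constructed date: the day of the reply in the thread.
    return audit(parse_getcert(SAMPLE), datetime(2017, 7, 12, tzinfo=timezone.utc), "ipa.quartzbio.com")
```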