On 07/11/2017 06:09 PM, Karl Forner via FreeIPA-users wrote:


Hello,

Today I realized that the https certificate for my freeipa web ui has
expired.
I tried to renew it using:
# ipa-cacert-manage renew
Renewing CA certificate, please wait
CA certificate successfully renewed
The ipa-cacert-manage command was successful

Hi,

The tool ipa-cacert-manage is used to renew the IPA CA certificate, not the https certificate. It is a common mistake (the IPA CA certificate is the certificate authority that has delivered the https and ldaps certificates). But now that you have renewed the CA certificate, you need to distribute this new cert to all the machines by calling (on each IPA client or server):
$ sudo kinit admin
$ sudo ipa-certupdate

The https and ldaps certificates should be automatically renewed by certmonger. There was probably an issue during the automatic cert renewal; you can find more information in the journal log and using certmonger's tool:
$ sudo getcert list

This will provide you with a list of certificates tracked by certmonger, along with their expiration date (in front of the tag "expires: "). Please check which certificates are expired, and the error message that can help troubleshoot.

You can find troubleshooting tips here [1] and there [2].
Flo

[1] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
[2] https://access.redhat.com/solutions/643753
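One way to script the `getcert list` check described above, as an added example that is not part of this thread: it splits the output into per-request blocks, compares each `expires:` value against a given time, and reports the `status:` and `ca-error:` lines for anything already expired or within an assumed 28-day renewal window. The sample output, hostnames and request IDs below are constructed.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed `getcert list` output (not from the thread): an https cert whose
# renewal failed and has expired, plus a healthy ldaps cert.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160701120000':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)).
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2017-07-10 10:00:00 UTC
\tauto-renew: yes
Request ID '20160701120001':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2019-01-01 00:00:00 UTC
\tauto-renew: yes
"""
NOW = datetime(2017, 7, 11, 17, 0, tzinfo=timezone.utc)  # the thread's date, fixed for a repeatable run

def parse_getcert_list(text):
    """One dict per 'Request ID' block, keyed by the indented 'key: value' lines."""
    certs, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            certs.append(cur)
        elif cur is not None and line[:1].isspace() and ":" in line:
            key, _, val = line.strip().partition(":")  # split on the first ':' only
            cur[key] = val.strip()
    return certs

def check_expiry(certs, now, warn_days=28):
    """Certs already expired or expiring within warn_days (an assumed renewal
    window), together with the status and ca-error text needed to troubleshoot."""
    findings = []
    for c in certs:
        exp = c.get("expires", "")
        if not exp.endswith(" UTC"):
            continue  # request never got a certificate; nothing to compare
        when = datetime.strptime(exp[:-4], "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        if when - now >= timedelta(days=warn_days):
            continue
        findings.append({"id": c["id"], "state": "EXPIRED" if when < now else "EXPIRING",
                         "where": c.get("certificate", "?"), "status": c.get("status", "?"),
                         "ca-error": c.get("ca-error", "")})
    return findings
```

Run `check_expiry(parse_getcert_list(SAMPLE), NOW)` to see the expired https cert flagged with its CA_UNREACHABLE status and ca-error; on a real server, replace SAMPLE with `subprocess.check_output(["getcert", "list"], text=True)` and NOW with `datetime.now(timezone.utc)`.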

So it seemed to go well. I tried to restart ipa but it failed:
# ipactl start
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting ipa_memcached Service
Starting httpd Service
Job for httpd.service failed because the control process exited with
error code. See "systemctl status httpd.service" and "journalctl -xe"
for details.
Failed to start httpd Service
Shutting down


What went wrong? I'm running in a freeipa-server docker on a linux
server...
It is quite a big deal since I cannot run my master freeipa anymore,
even from a backup!

Moreover, even after starting from a backup of the ipa data, the httpd
service still fails.
Could it be caused by the replica server ?

Thanks.

logs
===


# systemctl status httpd.service
* httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service)
  Drop-In: /usr/lib/systemd/system/httpd.service.d
           `-abc.conf
   Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
  Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
  Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
  Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 28717 (code=exited, status=1/FAILURE)

Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa         : INFO     KDC proxy enabled
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.


and (excerpt from journalctl -xe)

-- The start-up result is done.
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
-- Subject: Unit httpd.service has begun start-up
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has begun starting up.
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: sending notifies (serial 1499786955)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: loaded serial 1499786955
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa         : INFO     KDC proxy enabled
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
-- Subject: Unit httpd.service has failed
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
--
-- Unit httpd.service has failed.
--
-- The result is failed.
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28944:604682474 (system bus name :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC...
-- Subject: Unit krb5kdc.service has begun shutting down
-- Defined-By: systemd
-- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel



_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
