Hello Florence,


> the tool ipa-cacert-manage is used to renew IPA CA certificate, not the
> https certificate. It is a common mistake (IPA CA certificate is the
> certificate authority that has delivered the https and ldaps certificates).


Yes



> But now that you have renewed the CA certificate, you need to distribute
> this new cert on all the machines by calling (on each IPA client or server):
> $ sudo kinit admin
> $ sudo ipa-certupdate
>

Actually I reverted the ipa-cacert-manage action by using a backup. So
obviously it did not fix my problem, but it was not the cause either.
The weird thing was that the SSL certificate was not tracked.

I manually updated the certificate using certutil and could start tracking
it.
But the LDAP server certificate was also expired. [Fraser is currently
trying to help me with that.]

My current situation is that I try to get the LDAP certificate to be
tracked by ipa-getcert so that it gets renewed, but it fails:

% ipa-getcert start-tracking -d /etc/dirsrv/slapd-QUARTZBIO-COM/ -n Server-Cert -p /etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt -K ldap/ipa.quartzbio....@quartzbio.com -D ipa.quartzbio.com


Request ID '20170731130244':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=QUARTZBIO.COM
    subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
    expires: 2017-07-09 09:42:28 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes

Thanks for your help.
Karl



>
> The https and ldaps certificates should be automatically renewed by
> certmonger. There was probably an issue during the automatic cert renewal,
> you can find more information in the journal log and using certmonger's
> tool:
> $ sudo getcert list
>
> This will provide you with a list of certificates tracked by certmonger,
> along with their expiration date (in front of the tag "expires: "). Please
> check which certificates are expired, and the error message that can help
> troubleshoot.
>
> You can find troubleshooting tips here [1] and there [2].
> Flo
>
> [1] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
> [2] https://access.redhat.com/solutions/643753
>
> So it seemed to go well. I tried to restart ipa but it failed:
>> # ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Job for httpd.service failed because the control process exited with
>> error code. See "systemctl status httpd.service" and "journalctl -xe"
>> for details.
>> Failed to start httpd Service
>> Shutting down
>>
>>
>> What went wrong ? I'm running in a freeipa-server docker on a linux
>> server...
>> It is quite a big deal since I can not run my master freeipa anymore
>> even from a backup !
>>
>> Moreover, even after starting from a backup of the ipa data, the httpd
>> service still fails.
>> Could it be caused by the replica server ?
>>
>> Thanks.
>>
>> logs
>> ===
>>
>>
>> # systemctl status httpd.service
>> * httpd.service - The Apache HTTP Server
>>    Loaded: loaded (/usr/lib/systemd/system/httpd.service)
>>   Drop-In: /usr/lib/systemd/system/httpd.service.d
>>            `-abc.conf
>>    Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
>>   Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
>>   Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
>>   Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
>>  Main PID: 28717 (code=exited, status=1/FAILURE)
>>
>> Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
>> Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa         : INFO     KDC proxy enabled
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.
>>
>>
>> and (excerpt from journalctl -xe)
>>
>> -- The start-up result is done.
>> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
>> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
>> -- Subject: Unit httpd.service has begun start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit httpd.service has begun starting up.
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: loaded serial 1499786955
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: loaded serial 1499786955
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: sending notifies (serial 1499786955)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: loaded serial 1499786955
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
>> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
>> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
>> Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa         : INFO     KDC proxy enabled
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
>> -- Subject: Unit httpd.service has failed
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit httpd.service has failed.
>> --
>> -- The result is failed.
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
>> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
>> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28944:604682474 (system bus name :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC...
>> -- Subject: Unit krb5kdc.service has begun shutting down
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>
>>
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
>> To unsubscribe send an email to freeipa-users-le...@lists.fedo
>> rahosted.org
>>
>>
>
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
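Florence's advice in the quoted message is to run `getcert list` and look at each request's `expires:` value and error field; Karl's own `ipa-getcert start-tracking` output shows what a bad entry looks like (an expired certificate with a `ca-error`). As an added example that is not part of the thread and not FreeIPA's or certmonger's own code, the Python script below parses `getcert list` output and flags every tracked request that is expired, expiring within a threshold, stuck, not in `MONITORING` state, or carrying a `ca-error`, so that an untracked or failed renewal of the HTTP or LDAP server certificate is noticed before the services stop starting. The embedded sample output is constructed (realm, hostnames and paths are placeholders) and mirrors the field layout shown in this thread; the 30-day `warn_days` threshold is an assumption.

```python
import re
import subprocess
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on `getcert list` output: one request whose
# certificate is expired and carries a ca-error, and one healthy request.
# Realm, hostnames and paths are placeholders, not values from a real system.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20170731130244':
    status: MONITORING
    ca-error: Unable to determine principal name for signing request.
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2017-07-09 09:42:28 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20170731130300':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2019-07-09 09:42:28 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':\s*$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"


def parse_timestamp(text):
    """Parse a certmonger 'expires:' timestamp into an aware UTC datetime."""
    return datetime.strptime(text, EXPIRES_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Turn `getcert list` output into one dict per tracked request.

    `key: value` lines become fields. A line with no `key:` prefix (for
    example a long storage descriptor wrapped by a mail client) is appended
    to the previous field so the descriptor survives intact.
    """
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        m = REQUEST_RE.match(raw)
        if m:
            current = {"request_id": m.group("id")}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # preamble such as "Number of certificates ..."
        key, sep, value = raw.strip().partition(":")
        if not sep or "=" in key or "'" in key:
            if last_key:  # continuation of a wrapped value, not a new field
                current[last_key] += raw.strip()
            continue
        last_key = key.strip()
        current[last_key] = value.strip()
    return requests


def assess(requests, now=None, warn_days=30):
    """Return a finding for every request that needs an operator's attention."""
    now = now or datetime.now(timezone.utc)
    findings = []
    for req in requests:
        problems = []
        status = req.get("status", "MONITORING")
        if status != "MONITORING":
            problems.append("status is %s, not MONITORING" % status)
        if req.get("stuck", "no") != "no":
            problems.append("request is stuck")
        if req.get("ca-error"):
            problems.append("ca-error: " + req["ca-error"])
        expires = req.get("expires")
        if not expires:
            problems.append("no certificate expiry recorded")
        else:
            exp = parse_timestamp(expires)
            if exp <= now:
                problems.append("expired on %s" % expires)
            elif exp - now <= timedelta(days=warn_days):
                problems.append("expires within %d days (%s)" % (warn_days, expires))
        if problems:
            findings.append({"request_id": req["request_id"],
                             "subject": req.get("subject", "?"),
                             "certificate": req.get("certificate", "?"),
                             "problems": problems})
    return findings


def main(argv):
    # With a file argument, read saved output; otherwise call getcert directly.
    if len(argv) > 1:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = subprocess.run(["getcert", "list"], capture_output=True,
                              text=True, check=True).stdout
    findings = assess(parse_getcert_list(text))
    for f in findings:
        print("Request %s (%s)" % (f["request_id"], f["subject"]))
        for p in f["problems"]:
            print("    - " + p)
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on each IPA server (the exit status is non-zero when anything is flagged, so it drops straight into a cron job or monitoring check); `ca-error` lines such as the "Unable to determine principal name" one in this thread are reported even when the certificate has not expired yet, which is the moment to look at the journal rather than after httpd or dirsrv refuses to start.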
