On Tue, Aug 08, 2017 at 01:52:40PM +0200, Michael Gusek via FreeIPA-users wrote:
> Hello,
> 
> we ran into a problem with expired certificates:
> 
> > getcert list (sample shows only one expired certificate)
> ...
> Request ID '20170202144747':
>   status: MONITORING
>   stuck: no
>   key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>   certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
> Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
>   subject: CN=IPA RA,O=NBG.WEBTREKK.COM
>   expires: 2017-07-30 13:37:02 UTC
>   key usage:
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
> 
> ...
> Request ID '20170202144746':
>   status: MONITORING
>   stuck: no
>   key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=NBG.WEBTREKK.COM
>   subject: CN=Certificate Authority,O=NBG.WEBTREKK.COM
>   expires: 2035-08-10 13:36:23 UTC
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> ...
> 
> We followed the instructions to renew certificates found on this mailing list:
> * set the system time to before the expiry
> * set dogtag to use simple binds instead of TLS to connect to LDAP
> * ipactl start --ignore-service-failures
> * systemctl restart pki-tomcatd@pki-tomcat
> * systemctl restart certmonger
> * resubmit one of the expired certificates: ipa-getcert resubmit -i 20170202144747
> 
> Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-ca-renew-agent-submit[10651]: Forwarding request to dogtag-ipa-renew-agent
> Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-renew-agent-submit[10661]: GET http://ipa-prod-01.<domain>:8080/ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true
> Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-renew-agent-submit[10661]: <html><head><title>Apache Tomcat/7.0.69 - Error report</title><style><!--H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}HR {color : #525D76;}--></style> </head><body><h1>HTTP Status 404 - /ca/ee/ca/profileSubmit</h1><HR size="1" noshade="noshade"><p><b>type</b> Status report</p><p><b>message</b> <u>/ca/ee/ca/profileSubmit</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><HR size="1" noshade="noshade"><h3>Apache Tomcat/7.0.69</h3></body></html>
> Jul 29 13:27:05 ipa-prod-01.<domain> dogtag-ipa-ca-renew-agent-submit[10651]: dogtag-ipa-renew-agent returned 2
> 
> 
> In the certmonger logs, we can see that the request is forwarded to
> dogtag-ipa-renew-agent, but the agent returned with return code 2, which
> seems to be "request rejected". So at this point I have no clue how to
> solve this problem. Any help is desired.
> 
> > ipa --version
> VERSION: 4.4.0, API_VERSION: 2.213
> 
> Many thanks
> 
> Michael
> -- 
Hi Michael,

Could you please provide the log file
/var/log/pki/pki-tomcat/ca/debug from the time you wound back the
system time, to after the renewal failures?

Thanks,
Fraser
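A small checker, added here as an example and not part of the thread or of FreeIPA, that parses `getcert list` output like the listing quoted above and flags tracked certificates that are already expired while certmonger still reports them as MONITORING with auto-renew on, which is the condition the listing shows. The sample output, the reference date and the EXAMPLE.TEST realm are constructed; the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output, modelled on the two records
# quoted in the thread (realm replaced by a placeholder).
SAMPLE = """\
Request ID '20170202144747':
\tstatus: MONITORING
\tsubject: CN=IPA RA,O=EXAMPLE.TEST
\texpires: 2017-07-30 13:37:02 UTC
\tauto-renew: yes
Request ID '20170202144746':
\tstatus: MONITORING
\tsubject: CN=Certificate Authority,O=EXAMPLE.TEST
\texpires: 2035-08-10 13:36:23 UTC
\tauto-renew: yes
"""
# Constructed reference time (the thread's date) so the run is reproducible.
REFERENCE_NOW = datetime(2017, 8, 8, 12, 0, tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split getcert output into one dict per 'Request ID' block."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID "):
            current = {"id": line.split("'")[1]}
            records.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return records

def check_expiry(records, now=REFERENCE_NOW, warn_days=30):
    """Return (id, subject, state, status) per record, state being 'expired',
    'expiring' (within warn_days) or 'ok'. 'expired' while status is still
    MONITORING and auto-renew is yes is the silent renewal failure in the thread."""
    findings = []
    for rec in records:
        if "expires" not in rec:
            continue  # e.g. a request still waiting on the CA
        expires = datetime.strptime(rec["expires"].replace(" UTC", ""),
                                    "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
        left = expires - now
        state = ("expired" if left <= timedelta(0)
                 else "expiring" if left <= timedelta(days=warn_days) else "ok")
        findings.append((rec["id"], rec.get("subject", ""), state, rec.get("status", "")))
    return findings

if __name__ == "__main__":
    for finding in check_expiry(parse_getcert_list(SAMPLE)):
        print(*finding, sep=" | ")
```

On a live server, feed it the real output (`getcert list`) and the current time in place of the constructed values; an 'expired' finding on a MONITORING request is the signal to look at the renewal agent before the CA-side certificates also lapse.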
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org