Fraser, some more info:
In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
I think this is the http 500 reported by certmonger.
And in /var/log/pki/pki-tomcat/localhost.2018-01-08.log:
Jan 08, 2018 2:08:27 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/pkix-cert
        at org.jboss.resteasy.core.SynchronousDispatcher.writeException(SynchronousDispatcher.java:157)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:372)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
[...snip...]
On 09/01/2018 15:38, Giulio Casella via FreeIPA-users wrote:
On 09/01/2018 14:42, Fraser Tweedale wrote:
Remove all the userAttribute values except the one that matches
ra-agent.pem.
Removed, only the matching one remains.
You also suggested earlier to update that entry in the IPA DIT under
`cn=ca_renewal,cn=ipa,cn=etc,{basedn}'. If there is only one CA
master in the topology (the one you're working on) you can ignore
this. Otherwise you should either update its userCertificate value
with the content of ra_agent.pem, OR you can simply delete the
entry.
Do this all while the clock is set back to when the certs are all
valid. Then restart IPA; confirm that all the components start
properly, then attempt to renew the service certificates.
Done, ipactl status reports everything running, but certificates don't
renew.
Looking at certmonger (in debug mode) I can see:
"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed
request, will retry: 4035 (RPC failed at server. Request failed with
status 500: Non-2xx response from CA REST API: 500. ).
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed
request, will retry: -504 (libcurl failed to execute the HTTP POST
transaction, explaining: Failed connect to
idc02.linux.unicloudidattica.local:443; Connection refused).
"
2018-01-08 01:03:31 [21961] Certificate not (yet?) issued.
2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state 'CA_UNREACHABLE'
even after a getcert resubmit -i 20171205091409
Do I have to try to remove/re-add monitoring from certmonger for the service
certificates?
See how you go with that. Hopefully it will be progress, at least.
Cheers,
Fraser
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to
freeipa-users-le...@lists.fedorahosted.org
--
Giulio Casella giulio at di.unimi.it
System and network architect
Computer Science Dept. - University of Milano
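To pin down which CA REST call produced the 500 that certmonger reports, here is an added helper (not from this thread, nor from FreeIPA or Dogtag) that parses Tomcat localhost_access_log lines, lists 5xx responses under /ca/rest/, and groups requests by client and agent user so the failing call can be read between the login and logout that bracket it. The sample log lines are constructed after the excerpt above; the fourth line is an invented extra entry.

```python
import re
from collections import defaultdict

# Constructed sample, modelled on the localhost_access_log excerpt in the thread
# (fields: client, ident, user, timestamp, request, status, bytes).
SAMPLE_LOG = """\
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
172.21.251.8 - ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -
172.21.251.9 - - [08/Jan/2018:02:05:01 +0100] "GET /ca/ee/ca/getCAChain HTTP/1.1" 200 1511
"""

# Tomcat "common" access-log pattern; "-" stands for an absent user or byte count.
LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\S+)$'
)


def parse_access_log(text):
    """Parse access-log lines into dicts; lines that do not match are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["status"] = int(e["status"])
        e["bytes"] = 0 if e["bytes"] == "-" else int(e["bytes"])
        entries.append(e)
    return entries


def find_ca_rest_failures(entries):
    """Return (client, user, path, status) for every 5xx response under /ca/rest/."""
    return [
        (e["client"], e["user"], e["path"], e["status"])
        for e in entries
        if e["path"].startswith("/ca/rest/") and 500 <= e["status"] < 600
    ]


def sessions_by_agent(entries):
    """Group (path, status) pairs by (client, user) in log order, so a failing
    call can be seen in the context of the surrounding login/logout requests."""
    sessions = defaultdict(list)
    for e in entries:
        sessions[(e["client"], e["user"])].append((e["path"], e["status"]))
    return dict(sessions)


if __name__ == "__main__":
    for failure in find_ca_rest_failures(parse_access_log(SAMPLE_LOG)):
        print("CA REST failure:", failure)
```

Run it against the real file instead of SAMPLE_LOG to list the agent's failing calls; the path's authority ID identifies which lightweight CA the request concerned.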