Fraser, some more info:

In /var/log/pki/pki-tomcat/localhost_access_log.2018-01-08.txt I've found:

- ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/login HTTP/1.1" 200 218
- ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/authorities/13b94be3-f918-42e3-abeb-a2210150f28d/cert HTTP/1.1" 500 6472
- ipara [08/Jan/2018:02:03:28 +0100] "GET /ca/rest/account/logout HTTP/1.1" 204 -

I think this is the HTTP 500 reported by certmonger.

And in /var/log/pki/pki-tomcat/localhost.2018-01-08.log:

Jan 08, 2018 2:08:27 AM org.apache.catalina.core.StandardWrapperValve invoke
SEVERE: Servlet.service() for servlet [Resteasy] in context with path [/ca] threw exception
org.jboss.resteasy.spi.UnhandledException: org.jboss.resteasy.core.NoMessageBodyWriterFoundFailure: Could not find MessageBodyWriter for response object of type: com.netscape.certsrv.base.PKIException$Data of media type: application/pkix-cert
    at org.jboss.resteasy.core.SynchronousDispatcher.writeException(
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(
    at org.jboss.resteasy.core.SynchronousDispatcher.invoke(

On 09/01/2018 15:38, Giulio Casella via FreeIPA-users wrote:
On 09/01/2018 14:42, Fraser Tweedale wrote:
Remove all the userAttribute values except the one that matches

Removed, only the matching one remains.

You also suggested earlier to update that entry in the IPA DIT under
`cn=ca_renewal,cn=ipa,cn=etc,{basedn}'.  If there is only one CA
master in the topology (the one you're working on) you can ignore
this.  Otherwise you should either update its userCertificate value
with the content of ra_agent.pem, OR you can simply delete the

Do this all while the clock is set back to when the certs are all
valid.  Then restart IPA; confirm that all the components start
properly, then attempt to renew the service certificates.

Done, ipactl status reports everything running, but certificates don't renew.
Looking at certmonger (in debug mode) I can see:

"Server at https://idc01.linux.unicloudidattica.local/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
Server at https://idc02.linux.unicloudidattica.local/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Failed connect to idc02.linux.unicloudidattica.local:443; Connection refused).
2018-01-08 01:03:31 [21961] Certificate not (yet?) issued.
2018-01-08 01:03:31 [21961] Request9('20171205091409') moved to state 'CA_UNREACHABLE'

even after a getcert resubmit -i 20171205091409

Do I have to try to remove/re-add monitoring from certmonger for service certificates?

See how you go with that.  Hopefully it will be progress, at least.


FreeIPA-users mailing list --
To unsubscribe send an email to

Giulio Casella                                    giulio at
System and network architect
Computer Science Dept. - University of Milano