Hello.

I am contacting you because I have a problem with expired certificates on my IPA
servers.

I'm still using IPA 3.0.0 for the moment.

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160321140609':
        status: CA_UNREACHABLE
        ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<REALM>
        subject: CN=<HOST>,O=<REALM>
        expires: 2018-03-22 14:06:09 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160321140642':
        status: CA_UNREACHABLE
        ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<REALM>
        subject: CN=<HOST>,O=<REALM>
        expires: 2018-03-22 14:06:41 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes
Request ID '20160321140750':
        status: CA_UNREACHABLE
        ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=<REALM>
        subject: CN=<HOST>,O=<REALM>
        expires: 2018-03-22 14:07:50 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

Because of this, unfortunately, commands such as ipa user-show do not
work anymore. I wonder whether IPA itself works correctly when we have this
certificate problem?

Anyway, I went back in time, to before the certificates expired:
###
service ntpd stop
date --set="2018-03-10 10:00:00"
###

And then I tried to renew these certificates with certmonger:
###
# ipa-getcert resubmit -i 20160321140609
Resubmitting "20160321140609" to "IPA".
# ipa-getcert resubmit -i 20160321140642
Resubmitting "20160321140642" to "IPA".
# ipa-getcert resubmit -i 20160321140750
Resubmitting "20160321140750" to "IPA".
###

But it didn't change anything; the certificates are still expired :(.

I have the following error message in the httpd log when I perform a resubmit.
###
[Sat Mar 10 11:29:18 2018] [error] ipa: ERROR:
ipaserver.plugins.dogtag.ra.get_certificate():
Unable to communicate with CMS (Not Found)
[Sat Mar 10 11:29:18 2018] [error] ipa: INFO: host/<HOST>@<REALM>:
principal=u'ldap/<HOST>@<REALM>', add=True): CertificateOperationError
###

The CA service is running:
###
# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

My version of Java is:
###
 java -version
java version "1.7.0_95"
###

certmonger is running:
###
 service certmonger status
certmonger (pid  3698) is running...
###

I wonder what I could do? Thank you in advance for your help.

BR.

Lune
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
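A check like the one below is what I would run from monitoring so that an expiry, or a tracking request stuck in CA_UNREACHABLE, is caught while the CA can still renew. This is an added example, not the poster's code and not part of FreeIPA or certmonger; the sample output is constructed to mirror the post, and the host and realm names in it are placeholders.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample mirroring the post's `ipa-getcert list` output (placeholder
# host/realm, not real systems); the first request shows the CA_UNREACHABLE failure.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20160321140609':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2018-03-22 14:06:09 UTC
        track: yes
        auto-renew: yes
Request ID '20160321140750':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        expires: 2019-01-05 09:00:00 UTC
        track: yes
        auto-renew: yes
"""

def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict per tracking request."""
    requests, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"id": line.split("'")[1]}
            requests.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            # Indented "key: value" lines belong to the current request; split on
            # the first colon only, since values (URLs, ca-error) contain colons.
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return requests

def check_requests(requests, now, warn_days=30):
    """Return (request id, finding) pairs worth alerting on before renewal becomes impossible."""
    findings = []
    for req in requests:
        expires = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC")
        expires = expires.replace(tzinfo=timezone.utc)
        if expires <= now:
            findings.append((req["id"], "expired"))
        elif expires - now <= timedelta(days=warn_days):
            findings.append((req["id"], "expires within %d days" % warn_days))
        if req.get("status") != "MONITORING":  # e.g. CA_UNREACHABLE: renewal is failing
            findings.append((req["id"], "status " + req.get("status", "?")))
        if req.get("stuck") == "yes":
            findings.append((req["id"], "stuck"))
    return findings
```

Feed it the real output of `ipa-getcert list` and `datetime.now(timezone.utc)`; anything in the findings list should page someone before the certificates expire.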
