Hi!

--
certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
            Not Before: Wed Feb 21 09:58:22 2018
certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
            Not Before: Sun Mar 04 09:58:32 2018
certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
            Not Before: Sun Mar 04 09:58:23 2018
getcert list | grep "expires"
        expires: 2018-03-21 09:42:06 UTC
        expires: 2018-03-21 09:42:04 UTC
        expires: 2036-03-31 08:42:02 UTC
        expires: 2020-02-11 09:58:22 UTC
        expires: 2020-03-04 09:58:32 UTC
        expires: 2020-03-04 09:58:23 UTC
        expires: 2018-03-21 09:42:29 UTC
        expires: 2018-03-21 09:42:05 UTC
--

So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using 
https://access.redhat.com/solutions/3357261 as a guideline.

--
systemctl stop ntpd
date 031603162018
Fri Mar 16 03:16:00 EET 2018
systemctl restart certmonger
certutil -d /var/lib/pki/pki-tomcat/alias/ -L

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

auditSigningCert cert-pki-ca                                 u,u,Pu
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
getcert list | grep "expires"
        expires: 2018-03-21 09:42:06 UTC
        expires: 2018-03-21 09:42:04 UTC
        expires: 2036-03-31 08:42:02 UTC
        expires: 2020-02-11 09:58:22 UTC
        expires: 2020-03-04 09:58:32 UTC
        expires: 2020-03-04 09:58:23 UTC
        expires: 2018-03-21 09:42:29 UTC
        expires: 2018-03-21 09:42:05 UTC
getcert list |grep -B 8 "expires: 2018-03" | grep ID
Request ID '20160331084233':
Request ID '20160331084234':
Request ID '20180611071929':
Request ID '20180615083528':
ipa-getcert resubmit -i 20160331084233 -v
Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20160331084234 -v
Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180611071929 -v
Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180615083528 -v
Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
journalctl -n 20 -u certmonger
-- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
getcert list | grep "expires"
        expires: 2018-03-21 09:42:06 UTC
        expires: 2018-03-21 09:42:04 UTC
        expires: 2036-03-31 08:42:02 UTC
        expires: 2020-02-11 09:58:22 UTC
        expires: 2020-03-04 09:58:32 UTC
        expires: 2020-03-04 09:58:23 UTC
        expires: 2018-03-21 09:42:29 UTC
        expires: 2018-03-21 09:42:05 UTC
date
Fri Mar 16 03:26:09 EET 2018
--

I waited for some time to be sure, but no luck in my opinion:

--
date
Fri Mar 16 03:52:24 EET 2018
getcert list |grep expires
        expires: 2018-03-21 09:42:06 UTC
        expires: 2018-03-21 09:42:04 UTC
        expires: 2036-03-31 08:42:02 UTC
        expires: 2020-02-11 09:58:22 UTC
        expires: 2020-03-04 09:58:32 UTC
        expires: 2020-03-04 09:58:23 UTC
        expires: 2018-03-21 09:42:29 UTC
        expires: 2018-03-21 09:42:05 UTC
--

Also did steps 6 & 8 on the guideline page, certificates match. However, step 7 fails with error 500.

Still wondering if I'm missing some kind of cert from certmonger, since the site says that after 7.4 (ok, RHEL, not CentOS) you should have 9 certificates in "getcert list"; I only have 8. However, if I try to do the tracking requests again as suggested by RHEL, I get no new certificates in my list.


Eemeli

-----Original Message-----
From: Florence Blanc-Renaud [mailto:f...@redhat.com] 
Sent: Tuesday 26 June 2018 21:28
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Jokinen Eemeli <eemeli.joki...@cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

Hi,

the journal shows that dogtag-ipa-renew-agent returned 2, which means "Rejected" (see [1] for the return codes). This probably happens because the cert for IPA RA is no longer valid (this cert is used to authenticate to Dogtag, and without proper authentication any renewal op is refused).

The expired certificates all expire on 2018-03-21. On the other hand, Server-Cert cert-pki-ca, slapd and httpd certificates were properly renewed. You need to find at which date they were renewed:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
# certutil -L -d /etc/dirsrv/slapd-$DOMAIN -n Server-Cert | grep "Not Before"
# certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"

You then need to find a common date where all the certificates are valid (i.e. before 2018-03-21, so that the expired certs are not expired yet, and after the 'Not Before' date, so that the renewed certs are already valid).
Then stop ntpd, change the date to this common date, restart certmonger and look in the journal to see if the renewal goes smoothly or if there are errors that could point you in the right direction.

You can also find instructions on this blog post [2] to increase the log level for the renewal.

HTH,
Flo

[1] https://pagure.io/certmonger/blob/master/f/doc/submit.txt#_46
[2] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
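The "common date" step above can be computed instead of eyeballed. The script below is an added example, not part of either message: it parses the kind of output shown in the thread (certutil "Not Before" lines and the "expires:" lines of `getcert list`), intersects the validity intervals, and prints the `date MMDDhhmmYYYY` argument for the midpoint. It assumes certutil's local-time output is in UTC; the sample strings are constructed from the values in the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample input (values taken from the thread): certutil
# "Not Before" lines for the three renewed server certs ...
NOT_BEFORE_OUTPUT = """\
            Not Before: Wed Feb 21 09:58:22 2018
            Not Before: Sun Mar 04 09:58:32 2018
            Not Before: Sun Mar 04 09:58:23 2018
"""
# ... and the "expires:" lines printed by `getcert list`.
GETCERT_OUTPUT = """\
        expires: 2018-03-21 09:42:06 UTC
        expires: 2018-03-21 09:42:04 UTC
        expires: 2036-03-31 08:42:02 UTC
        expires: 2020-02-11 09:58:22 UTC
        expires: 2020-03-04 09:58:32 UTC
        expires: 2020-03-04 09:58:23 UTC
        expires: 2018-03-21 09:42:29 UTC
        expires: 2018-03-21 09:42:05 UTC
"""

def parse_not_before(text):
    """certutil prints 'Sun Mar 04 09:58:32 2018' in local time; assumed UTC here."""
    return [datetime.strptime(s, "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            for s in re.findall(r"Not Before:\s+(.+?)\s*$", text, re.M)]

def parse_expires(text):
    """getcert prints '2018-03-21 09:42:06 UTC'."""
    return [datetime.strptime(s, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            for s in re.findall(r"expires:\s+(\S+ \S+) UTC\s*$", text, re.M)]

def common_validity_window(not_before, expires):
    """(start, end) in which every cert is valid: after the latest Not Before
    and before the earliest expiry. None if the intervals do not overlap."""
    start, end = max(not_before), min(expires)
    return (start, end) if start < end else None

def pick_date(window):
    """Midpoint of the window: maximal distance from both edges."""
    return window[0] + (window[1] - window[0]) / 2

def as_date_arg(dt):
    """MMDDhhmmYYYY, the argument form `date` accepts (as used in the thread)."""
    return dt.strftime("%m%d%H%M%Y")

if __name__ == "__main__":
    w = common_validity_window(parse_not_before(NOT_BEFORE_OUTPUT), parse_expires(GETCERT_OUTPUT))
    print("all certs valid from", w[0], "to", w[1])
    print("suggested: date", as_date_arg(pick_date(w)))
```

If the function returns None, no single clock setting makes every cert valid at once, and the renewal has to be done in stages or via the cert-fix tooling rather than by turning the clock back.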


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/X6XG7L2WYYIHHT72V2OCRVSKINVRCPMU/