On 06/27/2018 08:56 AM, Jokinen Eemeli via FreeIPA-users wrote:
Hi!
--
certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' |grep "Not
Before"
Not Before: Wed Feb 21 09:58:22 2018
certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
Not Before: Sun Mar 04 09:58:32 2018
certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
Not Before: Sun Mar 04 09:58:23 2018
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
--
So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using
https://access.redhat.com/solutions/3357261 as a guideline.
--
systemctl stop ntpd
date 031603162018
Fri Mar 16 03:16:00 EET 2018
systemctl restart certmonger
certutil -d /var/lib/pki/pki-tomcat/alias/ -L
Certificate Nickname Trust Attributes
SSL,S/MIME,JAR/XPI
auditSigningCert cert-pki-ca u,u,Pu
caSigningCert cert-pki-ca CTu,Cu,Cu
ocspSigningCert cert-pki-ca u,u,u
subsystemCert cert-pki-ca u,u,u
Server-Cert cert-pki-ca u,u,u
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
getcert list |grep -B 8 "expires: 2018-03" | grep ID
Request ID '20160331084233':
Request ID '20160331084234':
Request ID '20180611071929':
Request ID '20180615083528':
ipa-getcert resubmit -i 20160331084233 -v
Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20160331084234 -v
Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180611071929 -v
Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
ipa-getcert resubmit -i 20180615083528 -v
Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
journalctl -n 20 -u certmonger
-- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17
EEST. --
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate
monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate
monitoring and PKI enrollment...
Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate
monitoring and PKI enrollment.
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client
step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client
step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client
step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client
step 1
Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client
step 2
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to
dogtag-ipa-renew-agent
Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to
dogtag-ipa-renew-agent
Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to
dogtag-ipa-renew-agent
Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to
dogtag-ipa-renew-agent
Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to
dogtag-ipa-renew-agent
Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to
dogtag-ipa-renew-agent
Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi
dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
getcert list | grep "expires"
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
date
Fri Mar 16 03:26:09 EET 2018
--
I waited for some time to be sure, no luck on my opinion:
--
date
Fri Mar 16 03:52:24 EET 2018
getcert list |grep expires
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
--
Also did steps 6 & 8 on the guideline page, certificates match. However step 7
fails to error 500.
Error 500 is internal error. Can you check the content of Dogtag log?
/var/log/pki/pki-tomcat/localhost_access_log_$date.txt must show the
command getCertChain has been received:
10.37.171.235 - - [date] "GET /ca/ee/ca/getCertChain HTTP/1.1" 200 1534
and /var/log/pki/pki-tomcat/ca/debug may show more information. On a
working system:
[date][http-bio-8443-exec-13]: SignedAuditLogger: event
ACCESS_SESSION_ESTABLISH
[date][http-bio-8443-exec-13]: according to ccMode, authorization for
servlet: caGetCertChain is LDAP based, not XML {1}, use default authz
mgr: {2}.
[date][http-bio-8443-exec-13]: CMSServlet:service() uri =
/ca/ee/ca/getCertChain
[date][http-bio-8443-exec-13]: CMSServlet: caGetCertChain start to service.
[date][http-bio-8443-exec-13]: GetCertChain: certificate chain:
[date][http-bio-8443-exec-13]: GetCertChain: - CN=Certificate
Authority,O=DOMAIN.COM
[date][http-bio-8443-exec-13]: CMSServlet: curDate=Wed Jun 27 09:33:23
CEST 2018 id=caGetCertChain time=22
[date][http-bio-8443-exec-13]: SignedAuditLogger: event
ACCESS_SESSION_TERMINATED
Flo
Still wondering if I'm missing some kind of cert from certmonger since the site says that
after 7.4 (ok, RHEL, not CentOS) you should have 9 certificates on "getcert
list", I only have 8. However if I try to do the tracking requests again as
suggested by RHEL, I get no new certificates for my list.
Eemeli
-----Original Message-----
From: Florence Blanc-Renaud [mailto:f...@redhat.com]
Sent: tiistai 26. kesäkuuta 2018 21.28
To: FreeIPA users list <freeipa-users@lists.fedorahosted.org>
Cc: Jokinen Eemeli <eemeli.joki...@cinia.fi>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade
doesn't complete, pki-tomcatd won't start
Hi,
the journal shows that dogtag-ipa-renew-agent returned 2, it means "Rejected"
(see [1] for the return codes). This probably happens because the cert for IPA RA is no
longer valid (this cert is used to authenticate to Dogtag, and without proper
authentication any renewal op is refused).
The expired certificates all expire on 2018-03-21. On the other hand,
ServerCert cert-pki-ca, slapd and httpd certificates were properly renewed. You
need to find at which date they were renewed:
# certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca'
| grep "Not Before")
# certutil -L -d /etc/dirsrv/slapd-$DOMAIN -n Server-Cert | grep "Not Before"
# certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
You need then to find a common date where all the certificates are valid (ie
before 2018-03-21 so that the expired certs are not expired yet, and after the
'Not Before' date so that the renewed certs are already valid).
Then stop ntpd, change the date to this common date, restart certmonger and
look in the journal if the renewal goes smoothly or if there are errors that
could point you in the right direction.
You can also find instructions on this blog post [2] to increase the log level
for the renewal.
HTH,
Flo
[1] https://pagure.io/certmonger/blob/master/f/doc/submit.txt#_46
[2]
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/X6XG7L2WYYIHHT72V2OCRVSKINVRCPMU/
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/freeipa-users@lists.fedorahosted.org/message/CAYWJQL5K7AMDOLV2NTWWH6CZWWG4YZZ/