Hi!
Checked the access log for today's date:
--
<<IP>> - - [27/Jun/2018:10:57:38 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:57:41 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:57:51 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:00 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:11 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:14 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:24 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=5&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:33 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=2&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:44 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=4&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
<<IP>> - - [27/Jun/2018:10:58:47 +0300] "GET /ca/ee/ca/profileSubmit?profileId=caServerCert&serial_num=7&renewal=true&xml=true&requestor_name=IPA HTTP/1.1" 500 2208
--
No other kind of responses, only timestamps vary.
There's no access_log file with date 2018-03-16, but there is a Catalina.out file with that date:
--
Mar 16, 2018 3:16:06 AM org.apache.catalina.core.ContainerBase backgroundProcess
WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyRealm@4a53d31b background process
javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
    at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(ProxyRealm.java:137)
    at org.apache.catalina.core.ContainerBase.backgroundProcess(ContainerBase.java:1356)
    at org.apache.catalina.core.StandardContext.backgroundProcess(StandardContext.java:5958)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1542)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.processChildren(ContainerBase.java:1552)
    at org.apache.catalina.core.ContainerBase$ContainerBackgroundProcessor.run(ContainerBase.java:1520)
    at java.lang.Thread.run(Thread.java:748)
--
This seems to have got the date I used on my "time travel". The error matches 100% the Catalina.out entries with today's timestamp.
Eemeli
-----Original Message-----
From: Florence Blanc-Renaud [mailto:[email protected]]
Sent: Wednesday 27 June 2018 10.40
To: FreeIPA users list <[email protected]>
Cc: Jokinen Eemeli <[email protected]>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start
On 06/27/2018 08:56 AM, Jokinen Eemeli via FreeIPA-users wrote:
> Hi!
>
> --
> certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
> Not Before: Wed Feb 21 09:58:22 2018
> certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
> Not Before: Sun Mar 04 09:58:32 2018
> certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
> Not Before: Sun Mar 04 09:58:23 2018
> getcert list | grep "expires"
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> --
>
> So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using
> https://access.redhat.com/solutions/3357261 as a guideline.
>
> --
> systemctl stop ntpd
> date 031603162018
> Fri Mar 16 03:16:00 EET 2018
> systemctl restart certmonger
> certutil -d /var/lib/pki/pki-tomcat/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> getcert list | grep "expires"
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> getcert list | grep -B 8 "expires: 2018-03" | grep ID
> Request ID '20160331084233':
> Request ID '20160331084234':
> Request ID '20180611071929':
> Request ID '20180615083528':
> ipa-getcert resubmit -i 20160331084233 -v
> Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20160331084234 -v
> Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180611071929 -v
> Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180615083528 -v
> Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
> journalctl -n 20 -u certmonger
> -- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
> getcert list | grep "expires"
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> date
> Fri Mar 16 03:26:09 EET 2018
> --
>
> I waited for some time to be sure; no luck, in my opinion:
>
> --
> date
> Fri Mar 16 03:52:24 EET 2018
> getcert list |grep expires
> expires: 2018-03-21 09:42:06 UTC
> expires: 2018-03-21 09:42:04 UTC
> expires: 2036-03-31 08:42:02 UTC
> expires: 2020-02-11 09:58:22 UTC
> expires: 2020-03-04 09:58:32 UTC
> expires: 2020-03-04 09:58:23 UTC
> expires: 2018-03-21 09:42:29 UTC
> expires: 2018-03-21 09:42:05 UTC
> --
>
> Also did steps 6 & 8 on the guideline page, certificates match. However, step
> 7 fails with error 500.
>
Error 500 is an internal error. Can you check the content of the Dogtag log?
/var/log/pki/pki-tomcat/localhost_access_log_$date.txt must show the command
getCertChain has been received:
10.37.171.235 - - [date] "GET /ca/ee/ca/getCertChain HTTP/1.1" 200 1534
and /var/log/pki/pki-tomcat/ca/debug may show more information. On a working
system:
[date][http-bio-8443-exec-13]: SignedAuditLogger: event ACCESS_SESSION_ESTABLISH
[date][http-bio-8443-exec-13]: according to ccMode, authorization for servlet: caGetCertChain is LDAP based, not XML {1}, use default authz mgr: {2}.
[date][http-bio-8443-exec-13]: CMSServlet:service() uri = /ca/ee/ca/getCertChain
[date][http-bio-8443-exec-13]: CMSServlet: caGetCertChain start to service.
[date][http-bio-8443-exec-13]: GetCertChain: certificate chain:
[date][http-bio-8443-exec-13]: GetCertChain: - CN=Certificate Authority,O=DOMAIN.COM
[date][http-bio-8443-exec-13]: CMSServlet: curDate=Wed Jun 27 09:33:23 CEST 2018 id=caGetCertChain time=22
[date][http-bio-8443-exec-13]: SignedAuditLogger: event ACCESS_SESSION_TERMINATED
Flo
> Still wondering if I'm missing some kind of cert from certmonger since the
> site says that after 7.4 (ok, RHEL, not CentOS) you should have 9
> certificates on "getcert list", I only have 8. However if I try to do the
> tracking requests again as suggested by RHEL, I get no new certificates for
> my list.
>
>
> Eemeli
>
> -----Original Message-----
> From: Florence Blanc-Renaud [mailto:[email protected]]
> Sent: Tuesday 26 June 2018 21.28
> To: FreeIPA users list <[email protected]>
> Cc: Jokinen Eemeli <[email protected]>
> Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start
>
> Hi,
>
> the journal shows that dogtag-ipa-renew-agent returned 2, which means "Rejected"
> (see [1] for the return codes). This probably happens because the cert for
> IPA RA is no longer valid (this cert is used to authenticate to Dogtag, and
> without proper authentication any renewal op is refused).
>
> The expired certificates all expire on 2018-03-21. On the other hand,
> ServerCert cert-pki-ca, slapd and httpd certificates were properly renewed.
> You need to find at which date they were renewed:
> # certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
> # certutil -L -d /etc/dirsrv/slapd-$DOMAIN -n Server-Cert | grep "Not Before"
> # certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
>
> You need then to find a common date where all the certificates are valid (i.e.
> before 2018-03-21 so that the expired certs are not expired yet, and after
> the 'Not Before' date so that the renewed certs are already valid).
> Then stop ntpd, change the date to this common date, restart certmonger and
> look in the journal if the renewal goes smoothly or if there are errors that
> could point you in the right direction.
>
> You can also find instructions on this blog post [2] to increase the log
> level for the renewal.
>
> HTH,
> Flo
>
> [1] https://pagure.io/certmonger/blob/master/f/doc/submit.txt#_46
> [2] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedoraproject.org/archives/list/[email protected]/message/RVQE4WOJUZ7NJXUJRIZVARSR2RIMWECW/
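Flo's advice earlier in the thread is to pick a date before the oldest "expires:" of the expired certificates but after the latest "Not Before:" of the renewed ones, so that every certificate certmonger has to present is valid at once. The following script is an added example, not code from the thread or from FreeIPA or certmonger: it parses the two output formats quoted above (certutil's "Not Before:" lines and getcert's "expires:" lines), intersects the validity intervals, counts how many tracked certificates are already expired at the real date, and prints a candidate date in the middle of the window formatted for `date MMDDhhmmYYYY` as used in the thread. The sample input is constructed from the values Eemeli posted, and the script assumes certutil's timestamps are UTC (the getcert output in the thread is labelled UTC and matches them to the second).

```python
"""Find a 'time travel' date at which every tracked certificate is valid.

Added example, not part of the mailing-list thread or of FreeIPA/certmonger.
"""
import re
from datetime import datetime, timezone

# Constructed sample input modelled on the certutil and getcert output in the thread.
CERTUTIL_OUTPUT = """\
Not Before: Wed Feb 21 09:58:22 2018
Not Before: Sun Mar 04 09:58:32 2018
Not Before: Sun Mar 04 09:58:23 2018
"""
GETCERT_OUTPUT = """\
expires: 2018-03-21 09:42:06 UTC
expires: 2018-03-21 09:42:04 UTC
expires: 2036-03-31 08:42:02 UTC
expires: 2020-02-11 09:58:22 UTC
expires: 2020-03-04 09:58:32 UTC
expires: 2020-03-04 09:58:23 UTC
expires: 2018-03-21 09:42:29 UTC
expires: 2018-03-21 09:42:05 UTC
"""

NOT_BEFORE_RE = re.compile(r"Not Before:\s*(.+?)\s*$")
EXPIRES_RE = re.compile(r"expires:\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")


def utc(text):
    """Parse 'YYYY-MM-DD HH:MM:SS' as an aware UTC datetime."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_not_before(text):
    """certutil prints 'Not Before: Wed Feb 21 09:58:22 2018'; assumed to be UTC."""
    starts = []
    for line in text.splitlines():
        m = NOT_BEFORE_RE.search(line)
        if m:
            stamp = datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            starts.append(stamp.replace(tzinfo=timezone.utc))
    return starts


def parse_expires(text):
    """getcert prints 'expires: 2018-03-21 09:42:06 UTC'."""
    return [utc(m.group(1)) for line in text.splitlines()
            for m in [EXPIRES_RE.search(line)] if m]


def valid_window(not_befores, expires):
    """Intersection of all validity intervals: latest start, earliest end.

    Returns None when the intervals do not overlap, i.e. no single date makes
    every certificate valid and the time-travel approach cannot work."""
    start, end = max(not_befores), min(expires)
    return (start, end) if start < end else None


def in_window(when, window):
    """True if `when` lies inside the half-open window [start, end)."""
    start, end = window
    return start <= when < end


def expired_at(expires, when):
    """Number of tracked certificates already past their expiry at `when`."""
    return sum(1 for e in expires if e <= when)


def suggest_date(window):
    """Midpoint of the window, plus the MMDDhhmmYYYY argument for `date`."""
    start, end = window
    mid = start + (end - start) / 2
    return mid, mid.strftime("%m%d%H%M%Y")


if __name__ == "__main__":
    starts = parse_not_before(CERTUTIL_OUTPUT)
    ends = parse_expires(GETCERT_OUTPUT)
    now = utc("2018-06-27 10:57:38")  # constructed 'real' date from the access log
    print(f"{expired_at(ends, now)} of {len(ends)} tracked certs are expired at {now:%Y-%m-%d}")
    window = valid_window(starts, ends)
    if window is None:
        print("no date exists at which every certificate is valid")
    else:
        mid, arg = suggest_date(window)
        print(f"all certs valid from {window[0]:%Y-%m-%d %H:%M:%S} to {window[1]:%Y-%m-%d %H:%M:%S} UTC")
        print(f"candidate: {mid:%Y-%m-%d %H:%M:%S} UTC  ->  date {arg}")
```

With the thread's values the window runs from 2018-03-04 09:58:32 to 2018-03-21 09:42:04 UTC, so Eemeli's choice of 16.03.2018 falls inside it; the midpoint is reported in UTC, whereas the `date` command in the thread sets local time (EET), so allow for the offset when the window is narrow.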