Hi! No, I haven't, since my guideline didn't tell me to.
I tried to set the date back, restart certmonger and then I did "ipactl restart", and then it got 2 certs renewed! One of the remaining two certificates was in "CA_UNREACHABLE" state, so I ran another certmonger restart and it did get updated. The last one didn't seem to go anywhere, so I resubmitted the cert request and then that one also got renewed. I time-jumped back to today and did another ipactl restart. All this mess got started with a failed "ipa-server-upgrade", so I ran it afterwards and it completed successfully with no errors. That also increased the number of certmonger-tracked certificates to 9 from 8, so I believe that one is fixed too. Thank you a lot! It's a bit of a complicated mess to understand every aspect of it (for example, I was trying to hunt a missing certificate that certmonger didn't track, even though it wasn't the issue but the outcome of the failed server upgrade), but after this I believe that I understand it way better!

Eemeli

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]]
Sent: Wednesday, 27 June 2018 16:26
To: FreeIPA users list <[email protected]>; Florence Blanc-Renaud <[email protected]>
Cc: Jokinen Eemeli <[email protected]>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade doesn't complete, pki-tomcatd won't start

Jokinen Eemeli via FreeIPA-users wrote:
> Hi!
>
> --
> certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' |grep "Not Before"
>             Not Before: Wed Feb 21 09:58:22 2018
> certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
>             Not Before: Sun Mar 04 09:58:32 2018
> certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
>             Not Before: Sun Mar 04 09:58:23 2018
> getcert list | grep "expires"
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> --
>
> So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using
> https://access.redhat.com/solutions/3357261 as a guideline.
>
> --
> systemctl stop ntpd
> date 031603162018
> Fri Mar 16 03:16:00 EET 2018
> systemctl restart certmonger
> certutil -d /var/lib/pki/pki-tomcat/alias/ -L
>
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
>
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> getcert list | grep "expires"
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> getcert list |grep -B 8 "expires: 2018-03" | grep ID
> Request ID '20160331084233':
> Request ID '20160331084234':
> Request ID '20180611071929':
> Request ID '20180615083528':
> ipa-getcert resubmit -i 20160331084233 -v
> Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20160331084234 -v
> Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180611071929 -v
> Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180615083528 -v
> Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
> journalctl -n 20 -u certmonger
> -- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
> getcert list | grep "expires"
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> date
> Fri Mar 16 03:26:09 EET 2018
> --
>
> I waited for some time to be sure, no luck in my opinion:
>
> --
> date
> Fri Mar 16 03:52:24 EET 2018
> getcert list |grep expires
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> --
>
> Also did steps 6 & 8 on the guideline page, certificates match. However step
> 7 fails with error 500.
>
> Still wondering if I'm missing some kind of cert from certmonger since the
> site says that after 7.4 (ok, RHEL, not CentOS) you should have 9
> certificates on "getcert list", I only have 8. However if I try to do the
> tracking requests again as suggested by RHEL, I get no new certificates for
> my list.

Hard to know without seeing the list of certs.
Are you restarting dogtag, Apache and 389-ds when setting the date back? That is necessary as well.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/H5RTIY3Z55R2KAHID522GCMKV5GL4IUI/
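The clock-rollback window that the quoted message works out by hand ("after 4.3.2018 but before 21.3.2018"), as an added example that is not part of the thread: it parses the `certutil ... | grep "Not Before"` and `getcert list` output formats quoted above, lists the request IDs that are already expired and so need resubmitting, and turns the chosen date into the `MMDDhhmmYYYY` argument the thread passes to `date`. The sample output is constructed from the values in the thread; the pairing of request IDs with expiry times and the 2036 certificate's request ID are made up, and all timestamps are treated as UTC.

```python
import re
from datetime import datetime, timezone
# Sample output constructed from the values quoted in the thread (certutil local time read as UTC).
NOT_BEFORE_OUTPUT = """\
            Not Before: Wed Feb 21 09:58:22 2018
            Not Before: Sun Mar 04 09:58:32 2018
            Not Before: Sun Mar 04 09:58:23 2018
"""
# ID-to-expiry pairing is constructed; '20160331084235' for the 2036 CA cert is a placeholder.
GETCERT_OUTPUT = """\
Request ID '20160331084233':
        expires: 2018-03-21 09:42:06 UTC
Request ID '20160331084234':
        expires: 2018-03-21 09:42:04 UTC
Request ID '20160331084235':
        expires: 2036-03-31 08:42:02 UTC
Request ID '20180611071929':
        expires: 2018-03-21 09:42:29 UTC
Request ID '20180615083528':
        expires: 2018-03-21 09:42:05 UTC
"""
NOW = datetime(2018, 6, 27, tzinfo=timezone.utc)  # "today" in the thread
NOT_BEFORE_RE = re.compile(r"Not Before:\s+(\w{3} \w{3} \d{2} \d{2}:\d{2}:\d{2} \d{4})")
REQUEST_RE = re.compile(r"Request ID '([^']+)':")
EXPIRES_RE = re.compile(r"expires:\s+(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) UTC")

def parse_not_before(text):
    """Issue dates from `certutil -L ... | grep "Not Before"` output."""
    return [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)
            for m in NOT_BEFORE_RE.finditer(text)]

def parse_getcert(text):
    """Map certmonger request ID -> expiry, from `getcert list` output."""
    certs, rid = {}, None
    for line in text.splitlines():
        if m := REQUEST_RE.search(line):
            rid = m.group(1)
        elif (m := EXPIRES_RE.search(line)) and rid:
            certs[rid] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
    return certs

def plan_rollback(not_before_text, getcert_text, now):
    """Expired request IDs to resubmit, plus a rollback date (window midpoint) as a `date MMDDhhmmYYYY` argument."""
    certs = parse_getcert(getcert_text)
    expired = sorted(r for r, e in certs.items() if e <= now)
    start = max(parse_not_before(not_before_text))  # clock must be after every cert's Not Before
    end = min((certs[r] for r in expired), default=start)  # ...and before the earliest expired expiry
    if start >= end:
        return {"expired": expired, "date_arg": None}  # no date is both after issue and before expiry
    midpoint = start + (end - start) / 2
    return {"expired": expired, "date_arg": midpoint.strftime("%m%d%H%M%Y")}
```

Run the same parsers over real `certutil` and `getcert list` output (and, as Rob notes, restart dogtag, Apache and 389-ds together with certmonger once the clock is set) before resubmitting the listed IDs.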
