Hi!

No, I haven't, since my guideline didn't tell me to.

I tried to set the date back, restart certmonger and then I did "ipactl 
restart", and then it got 2 certs renewed! One of the remaining two certificates 
was in "CA_UNREACHABLE" state, so I ran another certmonger restart and it did 
get updated. The last one didn't seem to go anywhere, so I resubmitted the cert 
request and then that one also got renewed. I time-jumped back to today and did 
another ipactl restart. All this mess started with a failed 
"ipa-server-upgrade", so I ran it afterwards and it completed successfully with 
no errors. That also increased the number of certmonger-tracked certificates 
from 8 to 9, so I believe that one is fixed too.

Thank you a lot! It's a bit of a complicated mess to understand every aspect of it 
(for example, I was trying to hunt a missing certificate that certmonger didn't 
track, even though it wasn't the issue but the outcome of the failed server upgrade), 
but after this I believe that I understand it way better!


Eemeli

-----Original Message-----
From: Rob Crittenden [mailto:[email protected]] 
Sent: Wednesday 27 June 2018 16:26
To: FreeIPA users list <[email protected]>; Florence 
Blanc-Renaud <[email protected]>
Cc: Jokinen Eemeli <[email protected]>
Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade: ipa-server-upgrade 
doesn't complete, pki-tomcatd won't start

Jokinen Eemeli via FreeIPA-users wrote:
> Hi!
> 
> --
> certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' | grep "Not Before"
>             Not Before: Wed Feb 21 09:58:22 2018
> certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
>             Not Before: Sun Mar 04 09:58:32 2018
> certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
>             Not Before: Sun Mar 04 09:58:23 2018
> getcert list | grep "expires"
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> --
> 
> So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using 
> https://access.redhat.com/solutions/3357261 as a guideline.
> 
> --
> systemctl stop ntpd
> date 031603162018
> Fri Mar 16 03:16:00 EET 2018
> systemctl restart certmonger
> certutil -d /var/lib/pki/pki-tomcat/alias/ -L
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> auditSigningCert cert-pki-ca                                 u,u,Pu
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> ocspSigningCert cert-pki-ca                                  u,u,u
> subsystemCert cert-pki-ca                                    u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> getcert list | grep "expires"
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> getcert list | grep -B 8 "expires: 2018-03" | grep ID
> Request ID '20160331084233':
> Request ID '20160331084234':
> Request ID '20180611071929':
> Request ID '20180615083528':
> ipa-getcert resubmit -i 20160331084233 -v
> Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20160331084234 -v
> Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180611071929 -v
> Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
> ipa-getcert resubmit -i 20180615083528 -v
> Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
> journalctl -n 20 -u certmonger
> -- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
> getcert list | grep "expires"
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> date
> Fri Mar 16 03:26:09 EET 2018
> --
> 
> I waited for some time to be sure; no luck, in my opinion:
> 
> --
> date
> Fri Mar 16 03:52:24 EET 2018
> getcert list |grep expires
>         expires: 2018-03-21 09:42:06 UTC
>         expires: 2018-03-21 09:42:04 UTC
>         expires: 2036-03-31 08:42:02 UTC
>         expires: 2020-02-11 09:58:22 UTC
>         expires: 2020-03-04 09:58:32 UTC
>         expires: 2020-03-04 09:58:23 UTC
>         expires: 2018-03-21 09:42:29 UTC
>         expires: 2018-03-21 09:42:05 UTC
> --
> 
> I also did steps 6 & 8 on the guideline page; the certificates match. However, step 
> 7 fails with error 500.
> 
> I'm still wondering if I'm missing some kind of cert from certmonger, since the 
> site says that after 7.4 (ok, RHEL, not CentOS) you should have 9 
> certificates in "getcert list"; I only have 8. However, if I try to do the 
> tracking requests again as suggested by RHEL, I get no new certificates in 
> my list.

Hard to know without seeing the list of certs.

Are you restarting dogtag, Apache and 389-ds when setting the date back?
That is necessary as well.

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/[email protected]/message/H5RTIY3Z55R2KAHID522GCMKV5GL4IUI/
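The date-picking step of the time-travel renewal discussed in this thread (a date after the newest "Not Before" and before the earliest "expires", set with `date MMDDhhmmYYYY`, then the expired requests resubmitted), as an added example that is not part of the thread or of FreeIPA itself. It parses constructed `getcert list` and certutil "Not Before" samples modelled on the values quoted above; the request IDs and dates are constructed, and the script only computes the plan, it changes nothing on the host.

```python
import re
from datetime import datetime
# Constructed sample of `getcert list` output (only the fields parsed here).
GETCERT_LIST = """\
Request ID '20160331084233':
        expires: 2018-03-21 09:42:06 UTC
Request ID '20160331084234':
        expires: 2018-03-21 09:42:04 UTC
Request ID '20160331084235':
        expires: 2036-03-31 08:42:02 UTC
Request ID '20180611071929':
        expires: 2018-03-21 09:42:29 UTC
"""
# Constructed sample of `certutil -L ... | grep "Not Before"` lines (UTC, as quoted).
NOT_BEFORE = """\
            Not Before: Wed Feb 21 09:58:22 2018
            Not Before: Sun Mar 04 09:58:32 2018
            Not Before: Sun Mar 04 09:58:23 2018
"""

def parse_getcert(text):
    """Map each certmonger request ID to its expiry (naive UTC datetime)."""
    certs, rid = {}, None
    for line in text.splitlines():
        if m := re.match(r"Request ID '(\d+)':", line):
            rid = m.group(1)
        elif (m := re.match(r"\s*expires: (\S+ \S+) UTC", line)) and rid:
            certs[rid] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return certs

def parse_not_before(text):
    """Extract certutil 'Not Before' timestamps."""
    return [datetime.strptime(m.group(1), "%a %b %d %H:%M:%S %Y")
            for m in re.finditer(r"Not Before: (\S+ \S+ \d+ \S+ \d{4})", text)]

def renewal_plan(certs, not_before, now):
    """Return (expired_ids, window_start, window_end, date_arg): the window lies
    after the newest Not Before and before the earliest expiry, so every cert is
    valid in it; date_arg is its midpoint in the MMDDhhmmYYYY form `date` takes."""
    start, end = max(not_before), min(certs.values())
    if start >= end:
        raise ValueError("no date on which all certificates are valid")
    midpoint = start + (end - start) / 2
    expired = sorted(r for r, exp in certs.items() if exp <= now)
    return expired, start, end, midpoint.strftime("%m%d%H%M%Y")

if __name__ == "__main__":
    ids, _, _, arg = renewal_plan(parse_getcert(GETCERT_LIST),
                                  parse_not_before(NOT_BEFORE), datetime(2018, 6, 27))
    print(f"resubmit {ids} after: systemctl stop ntpd; date {arg}")
```

The midpoint leaves several days of slack on either side, which also covers the local-time versus UTC difference of the `date` command that the thread's EET timestamps show.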
