Jokinen Eemeli wrote:
> Hi!
>
> No I haven't since my guideline didn't tell me to.
>
> I tried to set the date back, restart certmonger and then I did "ipactl
> restart" and then it got 2 certs renewed! One of the remaining two
> certificates was in "CA_UNREACHABLE" state, so I ran another certmonger
> restart and it did get updated. The last one didn't seem to go anywhere so I
> resubmitted the cert request and then that one also got renewed. I time
> jumped back to today and did another ipactl restart. All this mess got
> started with a failed "ipa-server-upgrade" so I ran it afterwards and it
> completed successfully with no errors. That also increased the number of
> certmonger tracked certificates to 9 from 8 so I believe that one is fixed
> too.
There are layers of dependencies on the certs so sometimes multiple rounds of
renewal are needed to sort things out. This normally happens gracefully as
expiration approaches but in some cases that we haven't been able to identify
this doesn't happen.

> Thank you a lot! It's a bit of a complicated mess to understand every aspect
> of it (for example I was trying to hunt a missing certificate that certmonger
> didn't track even though it wasn't the issue but the outcome of the failed
> server upgrade) but after this I believe that I understand it way better!

Cool, glad you are back up and running. Note that the cert issues weren't
caused by the upgrade, the upgrade just made it more apparent.

In order to be sure the upgrade is complete you should run:

# ipa-server-upgrade

The upgrade will also check all of the certs tracked by certmonger and ensure
they are set up correctly.

rob

> Eemeli
>
> -----Original Message-----
> From: Rob Crittenden [mailto:[email protected]]
> Sent: Wednesday 27 June 2018 16.26
> To: FreeIPA users list <[email protected]>; Florence
> Blanc-Renaud <[email protected]>
> Cc: Jokinen Eemeli <[email protected]>
> Subject: Re: [Freeipa-users] Re: Problems after IPA upgrade:
> ipa-server-upgrade doesn't complete, pki-tomcatd won't start
>
> Jokinen Eemeli via FreeIPA-users wrote:
>> Hi!
>>
>> --
>> certutil -L -d /etc/pki/pki-tomcat/alias -n 'Server-Cert cert-pki-ca' |grep "Not Before"
>>             Not Before: Wed Feb 21 09:58:22 2018
>> certutil -L -d /etc/dirsrv/slapd-<<REALM>> -n Server-Cert | grep "Not Before"
>>             Not Before: Sun Mar 04 09:58:32 2018
>> certutil -L -d /etc/httpd/alias/ -n Server-Cert | grep "Not Before"
>>             Not Before: Sun Mar 04 09:58:23 2018
>> getcert list | grep "expires"
>>         expires: 2018-03-21 09:42:06 UTC
>>         expires: 2018-03-21 09:42:04 UTC
>>         expires: 2036-03-31 08:42:02 UTC
>>         expires: 2020-02-11 09:58:22 UTC
>>         expires: 2020-03-04 09:58:32 UTC
>>         expires: 2020-03-04 09:58:23 UTC
>>         expires: 2018-03-21 09:42:29 UTC
>>         expires: 2018-03-21 09:42:05 UTC
>> --
>>
>> So after 4.3.2018 but before 21.3.2018... let's say 16.03.2018. Using
>> https://access.redhat.com/solutions/3357261 as a guideline.
>>
>> --
>> systemctl stop ntpd
>> date 031603162018
>> Fri Mar 16 03:16:00 EET 2018
>> systemctl restart certmonger
>> certutil -d /var/lib/pki/pki-tomcat/alias/ -L
>>
>> Certificate Nickname                                         Trust Attributes
>>                                                              SSL,S/MIME,JAR/XPI
>>
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
>> ocspSigningCert cert-pki-ca                                  u,u,u
>> subsystemCert cert-pki-ca                                    u,u,u
>> Server-Cert cert-pki-ca                                      u,u,u
>> getcert list | grep "expires"
>>         expires: 2018-03-21 09:42:06 UTC
>>         expires: 2018-03-21 09:42:04 UTC
>>         expires: 2036-03-31 08:42:02 UTC
>>         expires: 2020-02-11 09:58:22 UTC
>>         expires: 2020-03-04 09:58:32 UTC
>>         expires: 2020-03-04 09:58:23 UTC
>>         expires: 2018-03-21 09:42:29 UTC
>>         expires: 2018-03-21 09:42:05 UTC
>> getcert list |grep -B 8 "expires: 2018-03" | grep ID
>> Request ID '20160331084233':
>> Request ID '20160331084234':
>> Request ID '20180611071929':
>> Request ID '20180615083528':
>> ipa-getcert resubmit -i 20160331084233 -v
>> Resubmitting "20160331084233" to "dogtag-ipa-ca-renew-agent".
>> ipa-getcert resubmit -i 20160331084234 -v
>> Resubmitting "20160331084234" to "dogtag-ipa-ca-renew-agent".
>> ipa-getcert resubmit -i 20180611071929 -v
>> Resubmitting "20180611071929" to "dogtag-ipa-ca-renew-agent".
>> ipa-getcert resubmit -i 20180615083528 -v
>> Resubmitting "20180615083528" to "dogtag-ipa-ca-renew-agent".
>> journalctl -n 20 -u certmonger
>> -- Logs begin at Tue 2018-06-26 15:18:57 EEST, end at Wed 2018-06-27 08:04:17 EEST. --
>> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Stopping Certificate monitoring and PKI enrollment...
>> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Starting Certificate monitoring and PKI enrollment...
>> Mar 16 03:16:04 fi-krv1-ipa1.prod.lioncloud.fi systemd[1]: Started Certificate monitoring and PKI enrollment.
>> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
>> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
>> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
>> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 1
>> Mar 16 03:16:16 fi-krv1-ipa1.prod.lioncloud.fi ipa-submit[4956]: GSSAPI client step 2
>> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: Forwarding request to dogtag-ipa-renew-agent
>> Mar 16 03:18:38 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5103]: dogtag-ipa-renew-agent returned 2
>> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: Forwarding request to dogtag-ipa-renew-agent
>> Mar 16 03:19:51 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5228]: dogtag-ipa-renew-agent returned 2
>> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: Forwarding request to dogtag-ipa-renew-agent
>> Mar 16 03:20:00 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5256]: dogtag-ipa-renew-agent returned 2
>> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: Forwarding request to dogtag-ipa-renew-agent
>> Mar 16 03:20:09 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5296]: dogtag-ipa-renew-agent returned 2
>> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: Forwarding request to dogtag-ipa-renew-agent
>> Mar 16 03:20:15 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5322]: dogtag-ipa-renew-agent returned 2
>> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: Forwarding request to dogtag-ipa-renew-agent
>> Mar 16 03:25:12 fi-krv1-ipa1.prod.lioncloud.fi dogtag-ipa-ca-renew-agent-submit[5676]: dogtag-ipa-renew-agent returned 2
>> getcert list | grep "expires"
>>         expires: 2018-03-21 09:42:06 UTC
>>         expires: 2018-03-21 09:42:04 UTC
>>         expires: 2036-03-31 08:42:02 UTC
>>         expires: 2020-02-11 09:58:22 UTC
>>         expires: 2020-03-04 09:58:32 UTC
>>         expires: 2020-03-04 09:58:23 UTC
>>         expires: 2018-03-21 09:42:29 UTC
>>         expires: 2018-03-21 09:42:05 UTC
>> date
>> Fri Mar 16 03:26:09 EET 2018
>> --
>>
>> I waited for some time to be sure, no luck in my opinion:
>>
>> --
>> date
>> Fri Mar 16 03:52:24 EET 2018
>> getcert list |grep expires
>>         expires: 2018-03-21 09:42:06 UTC
>>         expires: 2018-03-21 09:42:04 UTC
>>         expires: 2036-03-31 08:42:02 UTC
>>         expires: 2020-02-11 09:58:22 UTC
>>         expires: 2020-03-04 09:58:32 UTC
>>         expires: 2020-03-04 09:58:23 UTC
>>         expires: 2018-03-21 09:42:29 UTC
>>         expires: 2018-03-21 09:42:05 UTC
>> --
>>
>> Also did steps 6 & 8 on the guideline page, certificates match. However step
>> 7 fails with error 500.
>>
>> Still wondering if I'm missing some kind of cert from certmonger since the
>> site says that after 7.4 (ok, RHEL, not CentOS) you should have 9
>> certificates on "getcert list", I only have 8. However if I try to do the
>> tracking requests again as suggested by RHEL, I get no new certificates for
>> my list.
>
> Hard to know without seeing the list of certs.
>
> Are you restarting dogtag, Apache and 389-ds when setting the date back?
> That is necessary as well.
>
> rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/[email protected]/message/K5FCUVT2JS3UKZB2736TBA65PQLX3S2A/
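The triage the thread does by hand (grep the expiry lines, use `grep -B 8` to recover the Request IDs, pick a clock date after the newest "Not Before" but before the earliest expiry, and watch for requests parked in CA_UNREACHABLE) as an added Python example. This is not code from the thread or from the certmonger/FreeIPA projects; it parses the `getcert list` and `certutil` line layouts the thread quotes over a constructed sample, and treats certutil's "Not Before" timestamps as UTC, which is an assumption (certutil prints local time on a real host):

```python
"""Triage `getcert list` output and compute the clock window that the
thread's manual renewal relies on.

Added example; not code from the thread or from certmonger/FreeIPA.
The parsed field names ("Request ID", "status", "ca-error", "expires") and
the certutil "Not Before" layout are the ones the thread shows; the sample
data below is constructed.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of `getcert list` output (values made up).
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 4.
Request ID '20160331084233':
    status: MONITORING
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=CA Audit,O=EXAMPLE.TEST
    expires: 2018-03-21 09:42:06 UTC
Request ID '20160331084234':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=OCSP Subsystem,O=EXAMPLE.TEST
    expires: 2018-03-21 09:42:04 UTC
Request ID '20160331084235':
    status: MONITORING
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=EXAMPLE.TEST
    expires: 2036-03-31 08:42:02 UTC
Request ID '20180611071929':
    status: MONITORING
    CA: IPA
    subject: CN=ipa.example.test,O=EXAMPLE.TEST
    expires: 2020-03-04 09:58:32 UTC
"""

# "Not Before" lines as printed by `certutil -L ... | grep "Not Before"`;
# the three values are the ones quoted in the thread.
SAMPLE_NOT_BEFORE = [
    "Not Before: Wed Feb 21 09:58:22 2018",
    "Not Before: Sun Mar 04 09:58:32 2018",
    "Not Before: Sun Mar 04 09:58:23 2018",
]

# Reference "today" for the triage: the thread's mail is dated 2018-06-27.
NOW = datetime(2018, 6, 27, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block.

    Each indented 'key: value' line is stored under its key.  Splitting on
    the first colon only keeps values that contain ':' (URLs in ca-error).
    """
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # header line before the first request, or filler
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    for r in requests:
        if "expires" in r:  # getcert prints 'YYYY-MM-DD HH:MM:SS UTC'
            r["expires_at"] = datetime.strptime(
                r["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
    return requests


def parse_not_before(line):
    """Parse a certutil 'Not Before: Wed Feb 21 09:58:22 2018' line.

    Assumption in this example: the stamp is taken as UTC.  certutil
    prints local time, so convert first when comparing on a real host.
    """
    _, _, stamp = line.partition(":")
    return datetime.strptime(stamp.strip(), "%a %b %d %H:%M:%S %Y").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_days=28):
    """Return IDs that are expired, expiring within warn_days (a threshold
    chosen for this example), or parked in CA_UNREACHABLE."""
    expired, soon, unreachable = [], [], []
    for r in requests:
        exp = r.get("expires_at")
        if exp is not None:
            if exp < now:
                expired.append(r["id"])
            elif exp < now + timedelta(days=warn_days):
                soon.append(r["id"])
        if r.get("status") == "CA_UNREACHABLE":
            unreachable.append(r["id"])
    return {"expired": expired, "expiring_soon": soon, "ca_unreachable": unreachable}


def renewal_window(not_before, expiries):
    """Clock setting at which every certificate is valid at once: after the
    newest 'Not Before', before the earliest expiry.  None if no such window
    exists, in which case turning the clock back cannot help."""
    start, end = max(not_before), min(expiries)
    return (start, end) if start < end else None


def sample_report():
    """Run the triage over the constructed sample and return plain values."""
    reqs = parse_getcert_list(SAMPLE_GETCERT_LIST)
    result = triage(reqs, NOW)
    window = renewal_window([parse_not_before(l) for l in SAMPLE_NOT_BEFORE],
                            [r["expires_at"] for r in reqs if "expires_at" in r])
    result["window"] = None if window is None else tuple(
        d.strftime("%Y-%m-%d %H:%M:%S") for d in window)
    return result


if __name__ == "__main__":
    for key, value in sample_report().items():
        print(f"{key}: {value}")
```

Against the sample this reports two expired requests, one of them also CA_UNREACHABLE, and a usable window from 2018-03-04 09:58:32 to 2018-03-21 09:42:04, which is the same "after 4.3.2018 but before 21.3.2018" reasoning the thread applies. Feed it real output with `getcert list` piped to a file and the per-database certutil lines gathered the same way; the window check is the part worth automating, since a date inside it is the only one at which the whole chain validates.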
