On 1/10/21 11:31 PM, Sinh Lam via FreeIPA-users wrote:
So I have this problem where the certificates have expired. I created a new one, but 
when trying to apply the new certs using ipa-server-certinstall, HTTP works, but 
when trying to get it to apply to LDAP it fails with a "peer's certificate issuer is 
not recognized".

Looking at the logs, it looks like the PKI-TOMCAT instance keeps failing; 
following that, the CA is not running, and continuing to follow the trail, 
the certmonger service is failing to start as well, with a variety of errors.

So my path now is a) keep trying to recover or b) do a reinstall.

Hi,

Can you expand a little bit on your deployment? It looks like you have FreeIPA with an integrated CA, but I can also see a Let's Encrypt certificate in the getcert list output.
Is your IPA CA self-signed or was it issued by an external CA?
Are you using HTTP/LDAP server certificates issued by the IPA CA or by an external CA? Do you have multiple servers with the CA instance? (Please provide the output of "kinit admin; ipa server-role-find".)

flo


If I choose option b, will any data (LDAP or otherwise) be completely wiped? 
I'm more interested in preserving the DNS and user/group data than 
anything.

Running IPA 4.8.7-12 on CentOS 8.

getcert list output:

Request ID '20200412103127':
         status: MONITORING
         stuck: no
         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
         CA: IPA
         issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080335':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080336':
         status: CA_UNREACHABLE
         ca-error: Error 7 connecting to http://ipa.xxxx.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
--
Request ID '20210102080337':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080338':
         status: CA_UNREACHABLE
         ca-error: Error 7 connecting to http://ipa.xxxx.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
--
Request ID '20210102080339':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210102080340':
         status: MONITORING
         stuck: no
         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=XXXX.NET
--
Request ID '20210104092449':
         status: CA_UNCONFIGURED
         ca-error: Unable to determine principal name for signing request.
         stuck: yes
         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-XXXX-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-XXXX-NET/pwdfile.txt'
         certificate: type=NSSDB,location='/etc/dirsrv/slapd-XXXX-NET',nickname='Server-Cert'
         CA: IPA
--
Request ID '20210104093724':
         status: MONITORING
         stuck: no
         key pair storage: type=FILE,location='/etc/letsencrypt/live/ipa.xxxx.net/privkey.pem'
         certificate: type=FILE,location='/etc/letsencrypt/live/ipa.xxxx.net/fullchain.pem'
         CA: IPA
         issuer: CN=R3,O=Let's Encrypt,C=US

(domain info edited out)

I can provide whatever log/output needed to help me get past this problem.
thanks.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
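The getcert list report quoted above is what certmonger prints for each tracked certificate. The example below is added here and is not code from the FreeIPA project or from either poster: it parses that plain-text format, re-joins the line wrapping the mail client introduced, and flags requests that need attention (a status other than MONITORING, stuck: yes, a ca-error, and an expired or soon-expiring certificate). The ca-error-to-hint mapping (ERROR_HINTS), the sample report with its example.net domain and added expires: lines, and the reference timestamp are all constructed for this example.

```python
"""Triage helper for `getcert list` output (certmonger tracking requests).
Added example for this thread, not code from the FreeIPA project or the posters:
parses the report, re-joins e-mail line wrapping, flags requests needing attention.
"""
import re
from datetime import datetime, timedelta, timezone

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
FIELD_KEY_RE = re.compile(r"[A-Za-z][A-Za-z -]*")  # "status", "ca-error", "key pair storage"
HEALTHY_STATUS = "MONITORING"
# Hypothetical mapping from ca-error text to the component worth checking first.
ERROR_HINTS = (
    ("Couldn't connect to server", "CA endpoint unreachable: check the pki-tomcat / CA service on this host"),
    ("Unable to determine principal", "certmonger's IPA helper could not map the request to a principal"),
)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, keyed by field name.
    Field lines are indented (tab + 'status: MONITORING'). A line that is neither a
    request header nor an indented 'key: value' field is treated as an e-mail wrap
    continuation and re-joined (with a space) to the previous field's value."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.strip() == "--":
            continue
        header = REQUEST_RE.match(line)
        if header:
            current = {"request_id": header.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # preamble before the first request block
        if line[0] in " \t":
            key, sep, value = line.strip().partition(":")
            if sep and FIELD_KEY_RE.fullmatch(key.strip()):
                last_key = key.strip()
                current[last_key] = value.strip()
                continue
        if last_key is not None:  # wrapped continuation of the previous value
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def triage(requests, now, warn_within=timedelta(days=30)):
    """Return {request_id: [problem, ...]} for every request needing attention."""
    findings = {}
    for req in requests:
        problems = []
        status = req.get("status", "UNKNOWN")
        if status != HEALTHY_STATUS:
            problems.append(f"status {status}")
        if req.get("stuck") == "yes":
            problems.append("stuck: certmonger will not progress without manual intervention")
        error = req.get("ca-error")
        if error:
            hint = next((h for pat, h in ERROR_HINTS if pat in error), "see ca-error text")
            problems.append(f"ca-error: {hint}")
        expires = req.get("expires")
        if expires:  # getcert prints e.g. "expires: 2021-01-02 08:03:35 UTC"
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append(f"expired {expires}")
            elif when - now <= warn_within:
                problems.append(f"expires soon {expires}")
        if problems:
            findings[req["request_id"]] = problems
    return findings


# Constructed sample modelled on the thread's output: domain replaced, expiry
# lines added, and two values wrapped across lines the way the mail client did.
SAMPLE = """\
Request ID '20210102080335':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2022-12-23 08:03:35 UTC
Request ID '20210102080338':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to
http://ipa.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tstuck: no
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2021-01-02 08:03:35 UTC
Request ID '20210104092449':
\tstatus: CA_UNCONFIGURED
\tca-error: Unable to determine principal name for signing request.
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert',token='NSS
 Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-NET/pwdfile.txt'
\tCA: IPA
"""
REFERENCE_NOW = datetime(2021, 1, 10, 23, 31, tzinfo=timezone.utc)  # constructed: the thread's date


def run_example():
    return triage(parse_getcert_list(SAMPLE), REFERENCE_NOW)
```

On a real host the same functions can be fed the output of `getcert list` directly; the healthy request in the sample produces no finding, while the two broken ones come back with their status, stuck flag, ca-error hint and expiry in one place, which is the view the thread is trying to assemble by hand from logs.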
