Good morning Everyone,

I made little progress this weekend. I'm currently in a state where all my 
services in the ipactl status command are running, but if I restart, the 
pki-tomcatd service shows netscape.ldap.LDAPException: Authentication failed 
(48) in the debug output when executing ipactl -r restart 
--ignore-service-failure.

The new output of getcert list looks as follows:

> # getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20170113205242':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=CA Audit,O=QC.LRTECH.CA
>         expires: 2024-03-01 19:02:05 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205243':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=OCSP Subsystem,O=QC.LRTECH.CA
>         expires: 2024-03-01 19:01:55 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205244':
>         status: CA_UNREACHABLE
>         ca-error: Error 60 connecting to 
> https://dc01.qc.lrtech.ca:8443/ca/agent/ca/profileReview: Peer certificate 
> cannot be authenticated with given CA certificates.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=CA Subsystem,O=QC.LRTECH.CA
>         expires: 2022-03-03 20:49:21 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205245':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: E=ad...@lrtech.ca,CN=LR Tech inc. Root CA 
> 2022,OU=Intranet,O=LR Tech inc.,L=Levis,ST=Quebec,C=CA
>         subject: CN=Certificate Authority,O=QC.LRTECH.CA
>         expires: 2027-03-04 14:26:48 UTC
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205246':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS 
> Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=IPA RA,O=QC.LRTECH.CA
>         expires: 2024-03-01 19:02:15 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20170113205247':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-01 18:56:41 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert 
> "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20170113205302':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
>  Certificate DB',pinfile='/etc/dirsrv/slapd-QC-LRTECH-CA/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-QC-LRTECH-CA',nickname='Server-Cert',token='NSS
>  Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-03 06:00:39 UTC
>         principal name: ldap/freeipa.qc.lrtech...@qc.lrtech.ca
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv 
> QC-LRTECH-CA
>         track: yes
>         auto-renew: yes
> Request ID '20220304195651':
>         status: MONITORING
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=QC.LRTECH.CA
>         subject: CN=freeipa.qc.lrtech.ca,O=QC.LRTECH.CA
>         expires: 2024-03-03 06:00:49 UTC
>         dns: freeipa.qc.lrtech.ca
>         principal name: HTTP/freeipa.qc.lrtech...@qc.lrtech.ca
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command:
>         track: yes
>         auto-renew: yes

There's something wrong with the Request ID '20170113205244'.
I have Error 60 connecting to 
https://dc01.qc.lrtech.ca:8443/ca/agent/ca/profileReview: Peer certificate 
cannot be authenticated with given CA certificates.

I found this link on Rob's blog 
https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
 but it didn't work for me, or I forgot to update something.

Also, I might have messed up something when I tried to create my Root and 
FreeIPA certificates for the first time. I forgot to change the date, and the 
newly created certificate's validity date (2022-03-04) was after the expiration date 
of the old one (2022-03-03). To fix this issue I created new Root and FreeIPA 
certificates (2022-03-01), and this might explain why some certificates were 
renewed on March 1, 3 and 4.

Thank you for your help
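A triage script for output like the getcert list above, written as an added example for this thread (it is not FreeIPA's or certmonger's own code; the sample records and the ca.example.test host are constructed). It parses getcert records, re-joins values that a mail client wrapped onto several lines, and reports every request that is not MONITORING, together with its ca-error, or whose certificate has already expired at the date given.

```python
import re
from datetime import datetime
FMT = "%Y-%m-%d %H:%M:%S UTC"  # timestamp format getcert prints in 'expires'

# Field names certmonger prints; any other line is a wrapped continuation.
KNOWN_KEYS = {"status", "stuck", "ca-error", "key pair storage", "certificate", "CA",
              "issuer", "subject", "expires", "dns", "principal name", "key usage",
              "eku", "pre-save command", "post-save command", "track", "auto-renew"}

# Constructed sample (placeholder host); the ca-error value is mail-wrapped.
SAMPLE = """\
Request ID '20170113205243':
        status: MONITORING
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2024-03-01 19:01:55 UTC
Request ID '20170113205244':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to
https://ca.example.test:8443/ca/agent/ca/profileReview: Peer certificate
cannot be authenticated with given CA certificates.
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
        expires: 2022-03-03 20:49:21 UTC
"""

def parse_getcert(text):
    """Return {request_id: {field: value}}, re-joining wrapped lines."""
    requests, fields, last_key = {}, None, None
    for line in (ln.strip().lstrip("> ") for ln in text.splitlines()):  # also drops mail quoting
        m = re.match(r"Request ID '([^']+)':$", line)
        key, _, value = line.partition(":")
        if m:
            fields, last_key = requests.setdefault(m.group(1), {}), None
        elif key in KNOWN_KEYS and fields is not None:
            fields[key], last_key = value.strip(), key
        elif last_key:  # wrapped remainder of the previous value
            fields[last_key] = (fields[last_key] + " " + line).strip()
    return requests

def triage(text, now):
    """List (request id, nickname, reason); ``now`` is a timestamp in getcert's format."""
    findings = []
    for rid, f in parse_getcert(text).items():
        nick = re.search(r"nickname='([^']*)'", f.get("key pair storage", ""))
        reasons = []
        if f.get("status") != "MONITORING":
            reasons.append(f.get("ca-error") or f.get("status", "unknown status"))
        if "expires" in f and datetime.strptime(f["expires"], FMT) < datetime.strptime(now, FMT):
            reasons.append("expired " + f["expires"])
        if reasons:
            findings.append((rid, nick.group(1) if nick else "?", "; ".join(reasons)))
    return findings
```

Feeding it the real `getcert list` output (saved to a file, or pasted with the `>` quoting intact) gives the same one-line-per-problem summary for a live server.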


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org