Serge Krawczenko via FreeIPA-users wrote:
> Thank you, Florence
> 
> Things are getting worse...
> 
> I'm on the following version and CentOS 7 and two replicas
> 
> sh-4.2# ipa --version
> VERSION: 4.6.8, API_VERSION: 2.237
> 
> ipa-cert-fix fails with "The ipa-cert-fix command failed, exception:
> RuntimeError: Failed to get Server-Cert"
> Indeed, it isn't present in /etc/httpd/alias, though it is still present
> in /etc/pki/pki-tomcat/alias

How did you confirm this, using certutil? I assume the httpd process
won't start?

Is the key there:

certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt

Is there certmonger tracking for it?

getcert list -d /etc/httpd/alias

If there is then you can get a copy of the certificate from
/var/lib/certmonger/requests and try re-installing it with certutil.
Though later you say you can start everything with a date in the past so
this is confusing.

> I went through the suggested document and nothing seems to work.
> 
> Manual renew via ipa-getcert resubmit also fails with different errors
> such as
> status: MONITORING
> ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess"
> replied: 1: Request 9980034 Not Found

On which certificate?

> status: CA_UNREACHABLE
> ca-error: Error setting up ccache for "host" service on client using
> default keytab: Cannot contact any KDC for realm ...

This can happen if all of IPA is not running. certmonger uses the host
keytab to authenticate to the IPA API.

rob

> I have serious concerns if I can get the cluster back to life.
> 
> I still manage to revert system time to the point before expiration and
> have all the IPA services running.
> However I'm just disoriented at the moment about what to fix first; the fact
> that certificates were not renewed definitely isn't
> the root cause.
> 
> Thanks a lot
> 
> 
> On Tue, May 17, 2022 at 3:18 PM Florence Blanc-Renaud <[email protected]> wrote:
> 
>     Hi,
> 
>     On Mon, May 16, 2022 at 5:19 PM Serge Krawczenko via FreeIPA-users
>     <[email protected]> wrote:
> 
>         Greetings, all
> 
>         I've been observing multiple issues for some time, unable to
>         enroll new clients etc.
>         Finally found out that the possible root cause is the
>         expired Server-Cert cert-pki-ca and therefore pki-tomcat service
>         won't start
> 
>         Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/
> 
>         Request ID '20171204131518':
>         status: MONITORING
>         stuck: no
>         key pair storage:
>         type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>         cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate:
>         type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>         cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=....
>         subject: CN=....
>         expires: 2022-04-25 17:06:51 UTC
>         key usage:
>         digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
>         "Server-Cert cert-pki-ca"
> 
>         Other certs in /etc/pki/pki-tomcat/alias/ seem to be OK except
>         this one.
> 
>     Which IPA version do you have? The tool ipa-cert-fix was introduced
>     with ipa 4.7.3+ and may help you solve certificate renewal issues.
>     But before you start anything, please make sure to identify which
>     server is your CA renewal master and follow the instructions from
>     https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_certificates_in_idm/index#renewing-expired-system-certificates-on-a-ca_renewing-expired-system-certificates-when-idm-is-offline
> 
>     flo
> 
>         I'd like to understand how to perform the forced update for this
>         one; I assume it must be renewed automatically, though.
> 
>         I tried to invoke post-save command manually but no luck.
>         Appreciate any ideas
> 
> 
>         _______________________________________________
>         FreeIPA-users mailing list -- [email protected]
>         To unsubscribe send an email to [email protected]
>         Fedora Code of Conduct:
>         https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>         List Guidelines:
>         https://fedoraproject.org/wiki/Mailing_list_guidelines
>         List Archives:
>         https://lists.fedorahosted.org/archives/list/[email protected]
>         Do not reply to spam on the list, report it:
>         https://pagure.io/fedora-infrastructure
> 
> 
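The checks Rob describes (is the key in the httpd NSS DB, is certmonger tracking it, can the certificate be recovered from /var/lib/certmonger/requests and re-installed with certutil), as an added example; this is not code from the thread or from FreeIPA. It assumes the certmonger request file stores the certificate under a `cert=` field with the remaining PEM lines continued by one leading space, and carries a `key_nickname=` field; the paths and nickname are defaults that can be overridden via environment variables.

```shell
#!/bin/bash
# Added example (not from the thread or from FreeIPA). Diagnoses the state
# Rob asks about: is the Server-Cert key in the httpd NSS DB, is certmonger
# tracking it, and can the certificate be recovered from the certmonger
# request file and re-imported with certutil.
set -u

NSSDB=${NSSDB:-/etc/httpd/alias}
PWDFILE=${PWDFILE:-$NSSDB/pwdfile.txt}
NICK=${NICK:-Server-Cert}
REQDIR=${REQDIR:-/var/lib/certmonger/requests}

# True if a private key with this nickname is in the NSS DB ("certutil -K"
# lists one "<type> <key id> <nickname>" line per key).
key_present() {           # args: nssdb pwdfile nickname
    certutil -K -d "$1" -f "$2" 2>/dev/null | grep -q "[[:space:]]$3\$"
}

# True if certmonger has a tracking request for this nickname in this DB.
tracked() {               # args: nssdb nickname
    getcert list -d "$1" -n "$2" 2>/dev/null | grep -q 'Request ID'
}

# Print the PEM certificate stored in a certmonger request file.
# Assumption: the file holds it as "cert=-----BEGIN CERTIFICATE-----" with
# the remaining PEM lines following, each continued with one leading space.
extract_cert() {          # arg: request file
    awk '/^cert=/ { print substr($0, 6); inpem = 1; next }
         inpem    { sub(/^ /, ""); print; if ($0 ~ /END CERTIFICATE/) exit }' "$1"
}

# Locate the request file for a nickname (assumed "key_nickname=" field).
request_file() {          # args: reqdir nickname
    grep -l "^key_nickname=$2\$" "$1"/* 2>/dev/null | head -n1
}

diagnose() {
    key_present "$NSSDB" "$PWDFILE" "$NICK" && echo "key: present" || echo "key: MISSING"
    tracked "$NSSDB" "$NICK" && echo "certmonger: tracked" || echo "certmonger: NOT tracked"
    req=$(request_file "$REQDIR" "$NICK")
    [ -n "$req" ] || { echo "no request file for $NICK in $REQDIR"; return 1; }
    extract_cert "$req" > "/tmp/$NICK.pem"
    # Re-import the recovered cert next to its key, then check it validates
    # as an SSL server cert against the CA chain already in the DB.
    certutil -A -d "$NSSDB" -f "$PWDFILE" -n "$NICK" -t "u,u,u" -i "/tmp/$NICK.pem"
    certutil -V -d "$NSSDB" -f "$PWDFILE" -n "$NICK" -u V
}

if [ "${1:-}" = "--run" ]; then diagnose; fi
```

Run it with `--run` on the affected server; a missing key means the certificate alone cannot be re-installed and the request has to be regenerated, which matches Rob's point that the key check comes first.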