The certificate renewed via ipa-cert-fix was
Server-Cert cert-pki-ca
related to my domain
Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
Issuer: "CN=Certificate Authority,O=my domain"
Validity:
Not Before: Fri May 20 13:45:09 2022
Not After : Sat Aug 20 13:45:09 2022
Subject: "CN=my domain,O=my domain"
The others which must be also renewed but fail are:
ocspSigningCert cert-pki-ca
subsystemCert cert-pki-ca
This is what i can see via certutil -L -d /etc/pki/pki-tomcat/alias
Is it possible to disable ocsp temporary somehow or renew manually ? :(
On Mon, May 23, 2022 at 8:01 PM Rob Crittenden <[email protected]> wrote:
> Serge Krawczenko via FreeIPA-users wrote:
> > Hello again
> > I was so hoping the story to end but nope.
> >
> > ipa-cert-fix managed to renew one of the certs
> > but failed on the following ones
> >
> >
> > Enter "yes" to proceed: yes
> > Proceeding.
> > ipapython.ipautil: DEBUG: Starting external process
> > ipapython.ipautil: DEBUG: args=pki-server cert-fix --ldapi-socket
> > /var/run/slapd-...socket --agent-uid ipara --cert subsystem --cert
> > ca_ocsp_signing --extra-cert 268304408 --extra-cert 268304410
> > ipapython.ipautil: DEBUG: Process finished, return code=1
> > ipapython.ipautil: DEBUG: stdout=ERROR: [SSL:
> > SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
> >
> > ipapython.ipautil: DEBUG: stderr=INFO: Loading password config:
> > /etc/pki/pki-tomcat/password.conf
> > INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing']
> > INFO: Renewing the following additional certs: ['268304408', '268304410']
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > INFO: Stopping the instance to proceed with system cert renewal
> > INFO: Configuring LDAP password authentication
> > INFO: Setting pkidbuser password via ldappasswd
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > INFO: Selftests disabled for subsystems: ca
> > INFO: Resetting password for uid=ipara,ou=people,o=ipaca
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > INFO: Starting the instance
> > INFO: Sleeping for 10 seconds to allow server time to start...
> > INFO: Requesting new cert for subsystem
> > INFO: Getting subsystem cert info for ca
> > INFO: Trying to setup a secure connection to CA subsystem.
> > INFO: Starting new HTTPS connection (1): myhost.com <http://myhost.com>
> > INFO: Stopping the instance
> > INFO: Selftests enabled for subsystems: ca
> > INFO: Restoring previous LDAP configuration
> >
> > ipapython.admintool: DEBUG: File
> > "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> > execute
> > return_value = self.run()
> > File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py",
> > line 128, in run
> > replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
> > File
> > "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py",
> > line 251, in replicate_dogtag_certs
> > cert = x509.load_certificate_from_file(cert_path)
> > File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 425, in
> > load_certificate_from_file
> > with open(filename, mode='rb') as f:
> >
> > ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception:
> > IOError: [Errno 2] No such file or directory:
> > '/etc/pki/pki-tomcat/certs/subsystem.crt'
> > ipapython.admintool: ERROR: [Errno 2] No such file or directory:
> > '/etc/pki/pki-tomcat/certs/subsystem.crt'
> > ipapython.admintool: ERROR: The ipa-cert-fix command failed.
> >
> > The csr for subsystem was added according
> > to https://access.redhat.com/solutions/4852721
> >
> > At the time of the above failure in /var/log/pki/pki-tomcat/ca/debug:
> >
> > [20/May/2022:07:43:59][localhost-startStop-1]:
> > Certutils.verifySystemCertValidityByNickname: failed :
> > java.lang.Exception: Certutils.verifySystemCertValidityByNickname:
> > failed: nickname: ocspSigningCert
> > cert-pki-ca
> > [20/May/2022:07:43:59][localhost-startStop-1]: CertUtils:
> > verifySystemCertsByTag() failed: java.lang.Exception:
> > Certutils.verifySystemCertValidityByNickname: faliled: nickname:
> > ocspSigningCert cert-pki-c
> > acause: java.lang.Exception:
> > Certutils.verifySystemCertValidityByNickname: failed: nickname:
> > ocspSigningCert cert-pki-ca
> > [20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event
> > CIMC_CERT_VERIFICATION
> > [20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event
> > CIMC_CERT_VERIFICATION
> > java.lang.Exception: Certutils.verifySystemCertValidityByNickname:
> > faliled: nickname: ocspSigningCert cert-pki-cacause:
> > java.lang.Exception: Certutils.verifySystemCertValidityByNickname:
> > failed: nicknam
> > e: ocspSigningCert cert-pki-ca
> > at
> >
> com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
> >
> > Nothing else suspicious
>
> Which certificate was re-issued successfully?
>
> It appears that pki-server-certfix, for which IPA is a wrapper, failed
> to connect to the server. Whether the OCSP certs errors are related or
> not I don't know. Does that cert exist in your PKI NSS database?
>
> rob
>
>
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
