This sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1779984

'pki-server cert-fix' fails when CS.cfg parameter selftests.container.order.startup is not present. This also causes failures in 'ipa-cert-fix'.

I'd check to see if that value exists and what its value is, if any.

rob

Serge Krawczenko via FreeIPA-users wrote:
> The certificate renewed via ipa-cert-fix was
> Server-Cert cert-pki-ca
> related to my domain
> Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
> Issuer: "CN=Certificate Authority,O=my domain"
> Validity:
> Not Before: Fri May 20 13:45:09 2022
> Not After : Sat Aug 20 13:45:09 2022
> Subject: "CN=my domain,O=my domain"
>
> The others which must also be renewed but fail are:
>
> ocspSigningCert cert-pki-ca
> subsystemCert cert-pki-ca
>
> This is what I can see via certutil -L -d /etc/pki/pki-tomcat/alias
>
> Is it possible to disable OCSP temporarily somehow or renew manually? :(
>
>
> On Mon, May 23, 2022 at 8:01 PM Rob Crittenden <[email protected]> wrote:
>
> Serge Krawczenko via FreeIPA-users wrote:
> > Hello again
> > I was so hoping the story to end but nope.
> >
> > ipa-cert-fix managed to renew one of the certs
> > but failed on the following ones
> >
> >
> > Enter "yes" to proceed: yes
> > Proceeding.
> > ipapython.ipautil: DEBUG: Starting external process
> > ipapython.ipautil: DEBUG: args=pki-server cert-fix --ldapi-socket /var/run/slapd-...socket --agent-uid ipara --cert subsystem --cert ca_ocsp_signing --extra-cert 268304408 --extra-cert 268304410
> > ipapython.ipautil: DEBUG: Process finished, return code=1
> > ipapython.ipautil: DEBUG: stdout=ERROR: [SSL: SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
> >
> > ipapython.ipautil: DEBUG: stderr=INFO: Loading password config: /etc/pki/pki-tomcat/password.conf
> > INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing']
> > INFO: Renewing the following additional certs: ['268304408', '268304410']
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > INFO: Stopping the instance to proceed with system cert renewal
> > INFO: Configuring LDAP password authentication
> > INFO: Setting pkidbuser password via ldappasswd
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > INFO: Selftests disabled for subsystems: ca
> > INFO: Resetting password for uid=ipara,ou=people,o=ipaca
> > SASL/EXTERNAL authentication started
> > SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> > SASL SSF: 0
> > INFO: Starting the instance
> > INFO: Sleeping for 10 seconds to allow server time to start...
> > INFO: Requesting new cert for subsystem
> > INFO: Getting subsystem cert info for ca
> > INFO: Trying to setup a secure connection to CA subsystem.
> > INFO: Starting new HTTPS connection (1): myhost.com
> > INFO: Stopping the instance
> > INFO: Selftests enabled for subsystems: ca
> > INFO: Restoring previous LDAP configuration
> >
> > ipapython.admintool: DEBUG: File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
> > return_value = self.run()
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 128, in run
> > replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
> > File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 251, in replicate_dogtag_certs
> > cert = x509.load_certificate_from_file(cert_path)
> > File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 425, in load_certificate_from_file
> > with open(filename, mode='rb') as f:
> >
> > ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: IOError: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
> > ipapython.admintool: ERROR: [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/subsystem.crt'
> > ipapython.admintool: ERROR: The ipa-cert-fix command failed.
> >
> > The csr for subsystem was added according to https://access.redhat.com/solutions/4852721
> >
> > At the time of the above failure in /var/log/pki/pki-tomcat/ca/debug:
> >
> > [20/May/2022:07:43:59][localhost-startStop-1]: Certutils.verifySystemCertValidityByNickname: failed : java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca
> > [20/May/2022:07:43:59][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca
> > [20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event CIMC_CERT_VERIFICATION
> > [20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event CIMC_CERT_VERIFICATION
> > java.lang.Exception: Certutils.verifySystemCertValidityByNickname: faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca
> > at com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
> >
> > Nothing else suspicious
>
> Which certificate was re-issued successfully?
>
> It appears that pki-server-certfix, for which IPA is a wrapper, failed
> to connect to the server. Whether the OCSP certs errors are related or
> not I don't know. Does that cert exist in your PKI NSS database?
>
> rob
>
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
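A small check for the two things this thread points at, written as an added example that is not part of the thread nor of FreeIPA or pki-server: whether CS.cfg carries selftests.container.order.startup (and with what value), and whether the <tag>.crt files ipa-cert-fix reads from /etc/pki/pki-tomcat/certs exist. The default CS.cfg path and the <tag>.crt naming for tags other than subsystem are assumptions.

```shell
#!/bin/sh
# Added example, not FreeIPA or pki-server code: checks the two failure
# signals from the thread on a Dogtag CA instance.

# Print the value of key $2 from CS.cfg $1; exit status 1 if the key is absent.
cscfg_get() {
    awk -v k="$2" -F= '
        $1 == k { sub(/^[^=]*=/, ""); sub(/\r$/, ""); print; found = 1; exit }
        END { exit !found }' "$1"
}

# selftests.container.order.startup missing from CS.cfg is what breaks
# 'pki-server cert-fix' (bz#1779984). 0 = present, 1 = missing, 2 = empty.
check_selftest_order() {
    cfg="${1:-/etc/pki/pki-tomcat/ca/CS.cfg}"   # default path is an assumption
    key="selftests.container.order.startup"
    if val=$(cscfg_get "$cfg" "$key"); then
        if [ -z "$val" ]; then
            echo "EMPTY: $key present in $cfg but has no value"
            return 2
        fi
        echo "OK: $key=$val"
        return 0
    fi
    echo "MISSING: $key not found in $cfg"
    return 1
}

# List cert tags whose <tag>.crt is absent from directory $1; the traceback in
# the thread stops at /etc/pki/pki-tomcat/certs/subsystem.crt. The <tag>.crt
# naming for tags other than 'subsystem' is an assumption. Returns 1 if any missing.
missing_cert_files() {
    dir="$1"; shift
    missing=""
    for tag in "$@"; do
        [ -f "$dir/$tag.crt" ] || missing="$missing $tag"
    done
    missing="${missing# }"
    [ -n "$missing" ] && echo "missing: $missing"
    [ -z "$missing" ]
}

# Usage: sh cs_cfg_check.sh [CS.cfg path]; without an argument only the functions are defined.
if [ "$#" -gt 0 ]; then
    check_selftest_order "$1"
    missing_cert_files /etc/pki/pki-tomcat/certs subsystem ca_ocsp_signing
fi
```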
