rui liang via FreeIPA-users wrote:
> I did it,
> Date - the 2021-08-28 s
> for line in `getcert list | grep Request | cut -d "'" -f2`; do getcert 
> resubmit -i $line; done
> Now the CA status is all CA_UNREACHABLE
> How do I deal with this? It's getting worse. Can you help me? Thank you very 
> much

Are the services up? Does IPA otherwise operate ok? ipa user-show admin,
ipa cert-show 1 are good tests.

> I see no response, and it's being executed
> ipa-cacert-manage renew
> ipa-certupdate

ipa-cacert-manage renew should not have been run in this case. It renews
only the CA cert which you don't need and only complicates matters.

You need to determine why the CA is unreachable. Did it start up at all,
along with the other relevant IPA services? Is time still in the past
(e.g. you stopped NTP)? Can IPA talk to the CA?

certmonger logs to syslog (journal) so you can look there for additional
output.

rob

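To make a `getcert list` dump like the one quoted below quicker to triage, here is an added example (not code from the thread or from FreeIPA itself) that reduces the output to one line per request and groups the distinct ca-error messages, since each message points at a different service to check first. The sample output, hostnames, realm and the error-to-service mapping are this example's assumptions.

```shell
# Constructed sample modelled on the thread's output; host and realm are placeholders.
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20190910112327':
        status: CA_UNREACHABLE
        ca-error: Internal error
Request ID '20190910112331':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://ipa.example.test:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
Request ID '20190910112351':
        status: CA_UNREACHABLE
        ca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for requested realm.
Request ID '20190910112410':
        status: MONITORING
EOF
}

# One line per tracked request: <request id> TAB <status> TAB <ca-error or ->
getcert_summary() {
    awk '
        function flush() { if (id != "") printf "%s\t%s\t%s\n", id, st, err }
        /^Request ID/      { flush(); id = $3; gsub(/[^0-9]/, "", id); st = "-"; err = "-" }
        /^[ \t]+status:/   { st = $2 }
        /^[ \t]+ca-error:/ { sub(/^[ \t]+ca-error: */, ""); err = $0 }
        END { flush() }
    '
}

# Number of tracked requests whose CA is currently unreachable.
unreachable_count() {
    getcert_summary | awk -F'\t' '$2 == "CA_UNREACHABLE" { n++ } END { print n + 0 }'
}

# Map each distinct ca-error to the service to look at first. The mapping is an
# assumption of this example, following the advice above to check services, time and CA.
triage() {
    getcert_summary | awk -F'\t' '
        /Cannot contact any KDC/     { h = "KDC unreachable: check krb5kdc, DNS and system time" }
        /Couldn.t connect to server/ { h = "Dogtag CA port closed: check pki-tomcatd and ipactl status" }
        /Internal error/             { h = "CA renew agent failed: check journalctl -u certmonger" }
        h != "" && !seen[h]++        { print h }
        { h = "" }
    '
}
```

Run it against a live host with `getcert list | unreachable_count` or `getcert list | triage`; the sample function only stands in for that output here.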
> root@fs-hiido-kerberos-21-117-149:/var/lib/certmonger/requests# getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20190910112327':
>         status: CA_UNREACHABLE
>         ca-error: Internal error
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: CN=CA Audit,O=YYDEVOPS.COM
>         expires: 2021-08-30 11:23:07 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert 
> "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190910112328':
>         status: CA_UNREACHABLE
>         ca-error: Internal error
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: CN=OCSP Subsystem,O=YYDEVOPS.COM
>         expires: 2021-08-30 11:23:06 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert 
> "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190910112329':
>         status: CA_UNREACHABLE
>         ca-error: Internal error
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: CN=CA Subsystem,O=YYDEVOPS.COM
>         expires: 2021-08-30 11:23:07 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert 
> "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190910112330':
>         status: CA_UNREACHABLE
>         ca-error: Internal error
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: CN=Certificate Authority,O=YYDEVOPS.COM
>         expires: 2039-09-10 11:23:06 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert 
> "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190910112331':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to 
> http://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com:8080/ca/ee/ca/profileSubmit:
>  Couldn't connect to server.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS 
> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS 
> Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: CN=IPA RA,O=YYDEVOPS.COM
>         expires: 2021-08-30 11:23:25 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20190910112332':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to 
> https://fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com:8443/ca/agent/ca/profileReview:
>  Couldn't connect to server.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: 
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert 
> cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-renew-agent
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: 
> CN=fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com,O=YYDEVOPS.COM
>         expires: 2021-08-30 11:23:06 UTC
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth
>         pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>         post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert 
> cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20190910112351':
>         status: CA_UNREACHABLE
>         ca-error: Error setting up ccache for "host" service on client using 
> default keytab: Cannot contact any KDC for requested realm.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS
>  Certificate DB',pinfile='/etc/dirsrv/slapd-YYDEVOPS-COM/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS
>  Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: 
> CN=fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com,O=YYDEVOPS.COM
>         expires: 2023-08-14 11:24:24 UTC
>         principal name: 
> ldap/fs-hiido-kerberos-21-117-149.hiido.host.yydevops....@yydevops.com
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: 
>         post-save command: /usr/lib/ipa/certmonger/restart_dirsrv YYDEVOPS-COM
>         track: yes
>         auto-renew: yes
> Request ID '20190910112410':
>         status: CA_UNREACHABLE
>         ca-error: Error setting up ccache for "host" service on client using 
> default keytab: Cannot contact any KDC for requested realm.
>         stuck: no
>         key pair storage: 
> type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS 
> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>         certificate: 
> type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS 
> Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=YYDEVOPS.COM
>         subject: 
> CN=fs-hiido-kerberos-21-117-149.hiido.host.yydevops.com,O=YYDEVOPS.COM
>         expires: 2023-08-14 11:26:13 UTC
>         principal name: 
> HTTP/fs-hiido-kerberos-21-117-149.hiido.host.yydevops....@yydevops.com
>         key usage: 
> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: 
>         post-save command: /usr/lib/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
> 