> Hi,
>
> On Fri, Jul 15, 2022 at 8:28 AM roy liang via FreeIPA-users <
> freeipa-users(a)lists.fedorahosted.org> wrote:
>
> file
> /var/run/ipa/renewal.lock that is used as cross-process lock and may
> block the renewal. When the lock is not taken, its content looks like the
> following:
> # cat /var/run/ipa/renewal.lock
> [lock]
> locked = 0
>
> The lock is taken for 1 hour max and its expiration date is written in the
> file, with the owner process as well. This means that even if something
> went wrong (a renewal failing), your system will resume the renewal of the
> other certs after one hour.
>
> We used to have an issue with renewals being blocked unnecessarily during
> certmonger restart (https://pagure.io/freeipa/issue/8425) and it has been
> fixed in IPA 4.8.9+. IIRC your version is older and you may be affected. In
> this case, the workaround is to delete the lock file.
>
> flo
>
> 28172 root 20 0 228032 36424 12876 S 0.0 0.0 0:00.62
Thank you very much!
rm -rf /var/run/ipa/renewal.lock
After that, it did go well, but the status changed to CA_UNREACHABLE. I
repeated getcert resubmit -i for all the expired IDs many times, but I still
couldn't renew the certificate. Can you help analyze the reason? What else
might I need to do?
Repeated getcert resubmit -i xx:
root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires'
Request ID '20200509160847':
status: MONITORING
expires: 2022-04-29 16:08:24 UTC
Request ID '20200509160848':
status: MONITORING
expires: 2022-04-29 16:08:23 UTC
Request ID '20200509160849':
status: MONITORING
expires: 2022-04-29 16:08:24 UTC
Request ID '20200509160850':
status: MONITORING
expires: 2040-05-09 16:08:22 UTC
Request ID '20200509160851':
status: MONITORING
expires: 2022-04-29 16:08:44 UTC
Request ID '20200509160852':
status: MONITORING
expires: 2022-04-29 16:08:23 UTC
Request ID '20200509160914':
status: CA_UNREACHABLE
expires: 2022-05-10 16:09:13 UTC
Request ID '20200509160938':
status: CA_UNREACHABLE
expires: 2022-05-10 16:09:38 UTC
root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires|ca-error'
Request ID '20200509160847':
status: MONITORING
expires: 2022-04-29 16:08:24 UTC
Request ID '20200509160848':
status: MONITORING
expires: 2022-04-29 16:08:23 UTC
Request ID '20200509160849':
status: MONITORING
expires: 2022-04-29 16:08:24 UTC
Request ID '20200509160850':
status: MONITORING
expires: 2040-05-09 16:08:22 UTC
Request ID '20200509160851':
status: MONITORING
expires: 2022-04-29 16:08:44 UTC
Request ID '20200509160852':
status: MONITORING
expires: 2022-04-29 16:08:23 UTC
Request ID '20200509160914':
status: CA_UNREACHABLE
ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (500)).
expires: 2022-05-10 16:09:13 UTC
Request ID '20200509160938':
status: CA_UNREACHABLE
ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (500)).
expires: 2022-05-10 16:09:38 UTC
root@ipa-test-65-199:/var/log/pki# date -R
Thu, 28 Apr 2022 00:16:51 +0800
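One way to triage the filtered getcert list output discussed in this message, as an added example that is not part of the original thread or of FreeIPA: it parses the Request/status/expires/ca-error lines, re-joins a ca-error value that mail wrapping split across lines, and reports every request that is expired or not in MONITORING at a given time. The sample text, the placeholder host name and the function names are constructed for illustration.

```python
import re
from datetime import datetime, timezone

FIELDS = ("status", "ca-error", "expires")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"

# Constructed sample modelled on `getcert list | egrep 'Request|status|expires|ca-error'`
# (placeholder host name; the ca-error value is wrapped over several lines).
SAMPLE = """\
Request ID '20200509160850':
status: MONITORING
expires: 2040-05-09 16:08:22 UTC
Request ID '20200509160914':
status: CA_UNREACHABLE
ca-error: Server at
https://ipa.example.test/ipa/xml failed request, will
retry: 4301 (RPC failed at server. Certificate operation cannot be completed:
Unable to communicate with CMS (500)).
expires: 2022-05-10 16:09:13 UTC
"""

def parse_getcert(text):
    """Map request ID -> {field: value}; expects output filtered to FIELDS."""
    requests, cur, key = {}, None, None
    for line in (raw.strip() for raw in text.splitlines()):
        m = re.match(r"Request ID '([^']+)':$", line)
        if m:
            cur, key = requests.setdefault(m.group(1), {}), None
        elif cur is not None and ":" in line and line.split(":", 1)[0] in FIELDS:
            key, value = line.split(":", 1)
            cur[key] = value.strip()
        elif cur is not None and key and line:
            cur[key] = (cur[key] + " " + line).strip()  # wrapped continuation
    return requests

def triage(text, now):
    """Return (id, status, expired, ca_error) for requests needing attention."""
    out = []
    for rid, f in parse_getcert(text).items():
        exp = f.get("expires")  # absent when no certificate was issued yet
        expired = bool(exp) and (
            datetime.strptime(exp, TIME_FMT).replace(tzinfo=timezone.utc) <= now)
        if expired or f.get("status") != "MONITORING":
            out.append((rid, f.get("status"), expired, f.get("ca-error")))
    return out

if __name__ == "__main__":
    now = datetime(2022, 4, 27, 16, 16, 51, tzinfo=timezone.utc)  # host clock, in UTC
    print(triage(SAMPLE, now))
```

Passing the host's current clock as now makes it visible whether a failing request is already past its expiry or only stuck on the CA error.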