Hi,

On Fri, Jul 15, 2022 at 11:22 AM roy liang via FreeIPA-users <[email protected]> wrote:
> > Thank you very much!
> > rm -rf /var/run/ipa/renewal.lock
> > After that, it did go well, but the status changed to CA_UNREACHABLE. I
> > repeated getcert resubmit -i for all expired IDs many times, but I still
> > couldn't renew the certificate. Can you help analyze the reason? What
> > else might I need to do?
>

CA_UNREACHABLE means that there is an error contacting the Certificate
Server. You can find more information and troubleshooting tips in these
blog posts:
https://floblanc.wordpress.com/2016/12/06/using-certmonger-to-track-certificates/
https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/

flo

> > repeated getcert resubmit -i xx
> >
> > root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires'
> > Request ID '20200509160847':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:24 UTC
> > Request ID '20200509160848':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:23 UTC
> > Request ID '20200509160849':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:24 UTC
> > Request ID '20200509160850':
> > 	status: MONITORING
> > 	expires: 2040-05-09 16:08:22 UTC
> > Request ID '20200509160851':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:44 UTC
> > Request ID '20200509160852':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:23 UTC
> > Request ID '20200509160914':
> > 	status: CA_UNREACHABLE
> > 	expires: 2022-05-10 16:09:13 UTC
> > Request ID '20200509160938':
> > 	status: CA_UNREACHABLE
> > 	expires: 2022-05-10 16:09:38 UTC
> >
> > root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires|ca-error'
> > Request ID '20200509160847':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:24 UTC
> > Request ID '20200509160848':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:23 UTC
> > Request ID '20200509160849':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:24 UTC
> > Request ID '20200509160850':
> > 	status: MONITORING
> > 	expires: 2040-05-09 16:08:22 UTC
> > Request ID '20200509160851':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:44 UTC
> > Request ID '20200509160852':
> > 	status: MONITORING
> > 	expires: 2022-04-29 16:08:23 UTC
> > Request ID '20200509160914':
> > 	status: CA_UNREACHABLE
> > 	ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (500)).
> > 	expires: 2022-05-10 16:09:13 UTC
> > Request ID '20200509160938':
> > 	status: CA_UNREACHABLE
> > 	ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (500)).
> > 	expires: 2022-05-10 16:09:38 UTC
> >
> > root@ipa-test-65-199:/var/log/pki# date -R
> > Thu, 28 Apr 2022 00:16:51 +0800
> >
> > I tried these commands and restarted certmonger. Strangely enough, the
> > HTTP and LDAP certificates were renewed successfully, but the PKI-Tomcat
> > certificate was not. I executed getcert request -i ID several times,
> > but the date of the certificate is still not renewed.
>
> https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
>
> certutil -M -d /etc/apache2/nssdb -n 'YYDEVOPS.COM IPA CA' -t ,,
> certutil -M -d /etc/apache2/nssdb -n 'YYDEVOPS.COM IPA CA' -t CT,C,C
> curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
>   % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                  Dload  Upload   Total   Spent    Left  Speed
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0* Trying 10.12.65.199...
> * Connected to ipa-test-65-199.hiido.host.yydevops.com (10.12.65.199) port 8443 (#0)
> * found 1 certificates in /etc/ipa/ca.crt
> * found 700 certificates in /etc/ssl/certs
> * ALPN, offering http/1.1
> * SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
> * server certificate verification OK
> * server certificate status verification SKIPPED
> * common name: ipa-test-65-199.hiido.host.yydevops.com (matched)
> * server certificate expiration date OK
> * server certificate activation date OK
> * certificate public key: RSA
> * certificate version: #3
> * subject: O=YYDEVOPS.COM,CN=ipa-test-65-199.hiido.host.yydevops.com
> * start date: Sat, 09 May 2020 16:08:23 GMT
> * expire date: Fri, 29 Apr 2022 16:08:23 GMT
> * issuer: O=YYDEVOPS.COM,CN=Certificate Authority
> * compression: NULL
> * ALPN, server did not agree to a protocol
> > GET /ca/agent/ca/profileReview HTTP/1.1
> > Host: ipa-test-65-199.hiido.host.yydevops.com:8443
> > User-Agent: curl/7.47.0
> > Accept: */*
> >
> * gnutls_handshake() failed: Illegal parameter
>   0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
> * Closing connection 0
> curl: (35) gnutls_handshake() failed: Illegal parameter
>
> root@ipa-test-65-199:/home/liangrui# getcert list |egrep 'Request|status|expires|ca-error|certificate'
> Number of certificates and requests being tracked: 8.
> Request ID '20200509160847':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> 	expires: 2022-04-29 16:08:24 UTC
> Request ID '20200509160848':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> 	expires: 2022-04-29 16:08:23 UTC
> Request ID '20200509160849':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> 	expires: 2022-04-29 16:08:24 UTC
> Request ID '20200509160850':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> 	expires: 2040-05-09 16:08:22 UTC
> Request ID '20200509160851':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
> 	expires: 2022-04-29 16:08:44 UTC
> Request ID '20200509160852':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> 	expires: 2022-04-29 16:08:23 UTC
> Request ID '20200509160914':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB'
> 	expires: 2024-04-27 17:12:04 UTC
> Request ID '20200509160938':
> 	status: MONITORING
> 	certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> 	expires: 2024-04-27 17:12:12 UTC
>
> I don't know where to start; how should I deal with this?
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
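As an added example (not from this thread, certmonger or the FreeIPA project), a small POSIX shell helper that triages output in the format of getcert list as pasted above: it flags every request whose status is not MONITORING together with its ca-error, and flags tracked certificates that are already expired or expire within a window of days relative to a reference date. The sample output inside the block is constructed, the hostname ipa.example.test is a placeholder, and the reference date 2022-04-28 and 14-day window are assumptions.

```shell
# Constructed sample in the format of `getcert list` (abbreviated; hostname is a placeholder).
sample_getcert_output() {
cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20200509160847':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    expires: 2022-04-29 16:08:24 UTC
Request ID '20200509160850':
    status: MONITORING
    expires: 2040-05-09 16:08:22 UTC
Request ID '20200509160851':
    status: MONITORING
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
    expires: 2022-04-20 16:08:44 UTC
Request ID '20200509160914':
    status: CA_UNREACHABLE
    ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (500)).
    expires: 2022-05-10 16:09:13 UTC
EOF
}
# Usage: getcert_triage REF_DATE WINDOW_DAYS < getcert-list-output; prints "ID STATUS EXPIRES FLAG" per request.
getcert_triage() {
  awk -v ref="$1" -v window="$2" '
    # Day number of a YYYY-MM-DD date (proleptic Gregorian, positive years) so dates can be subtracted.
    function days(d,  a, y, m, yoe, doy) {
      split(d, a, "-"); y = a[1]; m = a[2]
      if (m <= 2) y--
      yoe = y % 400
      doy = int((153 * (m > 2 ? m - 3 : m + 9) + 2) / 5) + a[3] - 1
      return int(y / 400) * 146097 + yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    }
    function flush(  flag) {
      if (id == "") return
      if (status != "MONITORING") flag = "STUCK:" status
      else if (days(expires) < refdays) flag = "EXPIRED"
      else if (days(expires) - refdays <= window) flag = "EXPIRING"
      else flag = "ok"
      printf "%s %s %s %s\n", id, status, expires, flag
      if (err != "") printf "  ca-error: %s\n", err
      id = ""; status = ""; expires = ""; err = ""
    }
    BEGIN { refdays = days(ref) }
    /^Request ID/      { flush(); id = $3; gsub(/[^0-9]/, "", id); next }
    /^[ \t]*status:/   { status = $2; next }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error: */, ""); err = $0; next }
    /^[ \t]*expires:/  { expires = $2; next }
    END { flush() }'
}
sample_getcert_output | getcert_triage 2022-04-28 14
```

On a live server, run getcert list | getcert_triage "$(date +%F)" 14 instead of the sample; a STUCK line with a "Unable to communicate with CMS" ca-error is the case this thread is about, and the stuck requests are still the ones to chase even when everything else reads MONITORING.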
