Florence Blanc-Renaud via FreeIPA-users wrote:
> Hi,
> 
> On Fri, Jul 15, 2022 at 11:22 AM roy liang via FreeIPA-users
> <[email protected]> wrote:
> 
>     > Thank you very much!
>     > rm -rf /var/run/ipa/renewal.lock  After that, it did go well, but
>     > the status changed to CA_UNREACHABLE. I repeated getCert resubmit -i
>     > for all expired IDs many times, but I still couldn't renew the
>     > certificate. Can you help analyze the reason? What else might I need
>     > to do?
>     >
> 
> CA_UNREACHABLE means that there is an error contacting the Certificate
> Server.
> 
> You can find more information and troubleshooting tips in these blog posts:
> https://floblanc.wordpress.com/2016/12/06/using-certmonger-to-track-certificates/
> https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/

Agreed. In this case certmonger is the client. If the server isn't
working (HTTP code 500) then the client can never work. Look at the CA logs.

Restarting certmonger is *one* way to renew the certs but I'd encourage
running them one at a time after the CA is running to avoid the
contention that Flo mentioned. If you add -v -w to the resubmit request
you'll be able to see the state that the request is in and it will loop
until the certificate is in MONITORING.

A better test to see if the CA is working that doesn't involve
certmonger is: ipa cert-show 1. This exercises the RA certificate and
ensures that the CA can handle basic requests. The data returned, as
long as it isn't an error, is not particularly interesting. The point is
that it runs without error.

rob
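As an added example that is not part of Rob's reply or the original thread, the procedure he describes as a small POSIX shell script: probe the CA with `ipa cert-show 1` first, then resubmit the requests stuck in CA_UNREACHABLE one at a time with `-v -w`. The `getcert list` parsing runs offline on a constructed sample shaped like the output posted in the thread; the function names, the sample host name `ipa.example.test` and the `--run` flag are my own assumptions, not anything from FreeIPA or certmonger.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger.
# Assumed to be run as root on the IPA CA host with getcert(8), ipa(1)
# and an admin Kerberos ticket available; function names are my own.

# Constructed sample of 'getcert list' output, shaped like the thread's:
# one healthy request, two stuck in CA_UNREACHABLE, one of them carrying
# the ca-error line certmonger records when the server answers HTTP 500.
SAMPLE_GETCERT_LIST="Number of certificates and requests being tracked: 3.
Request ID '20200509160850':
        status: MONITORING
        expires: 2040-05-09 16:08:22 UTC
Request ID '20200509160914':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (500)).
        expires: 2022-05-10 16:09:13 UTC
Request ID '20200509160938':
        status: CA_UNREACHABLE
        expires: 2022-05-10 16:09:38 UTC"

# Read 'getcert list' output on stdin and print, one per line, the IDs of
# requests whose status equals $1 (default CA_UNREACHABLE).
requests_in_state() {
    awk -v want="${1:-CA_UNREACHABLE}" -v q="'" '
        /^Request ID /                   { split($0, p, q); id = p[2] }
        /^[ \t]*status: / && $2 == want  { print id }
    '
}

# Read 'getcert list' output on stdin and print "<id>: <ca-error>" for each
# request carrying a ca-error line: the server-side failure (here the CMS
# 500) is what to chase in the CA logs under /var/log/pki, not certmonger.
ca_errors() {
    awk -v q="'" '
        /^Request ID /        { split($0, p, q); id = p[2] }
        /^[ \t]*ca-error: /   { sub(/^[ \t]*ca-error: /, ""); print id ": " $0 }
    '
}

# Liveness probe that does not go through certmonger: fetching serial 1
# exercises the RA certificate and the CA's basic request path. Only the
# exit status matters, not the certificate it prints.
ca_is_up() {
    ipa cert-show 1 >/dev/null 2>&1
}

# Resubmit the stuck requests one at a time, and only once the CA answers.
# '-v -w' makes getcert print each state the request passes through and
# block until it settles, so the next request is not submitted while the
# previous one is still being processed.
resubmit_stuck() {
    if ! ca_is_up; then
        echo "ipa cert-show 1 failed: the CA is not serving requests; fix that first (see the CA logs under /var/log/pki)" >&2
        return 1
    fi
    getcert list | requests_in_state CA_UNREACHABLE | while read -r id; do
        echo "resubmitting request $id"
        getcert resubmit -i "$id" -v -w </dev/null
    done
}

# Offline demonstration on the constructed sample; pass --run on the real host.
printf '%s\n' "$SAMPLE_GETCERT_LIST" | ca_errors
printf '%s\n' "$SAMPLE_GETCERT_LIST" | requests_in_state CA_UNREACHABLE
if [ "${1:-}" = "--run" ]; then
    resubmit_stuck
fi
```

Run without arguments it only parses the embedded sample and lists the two stuck IDs and the recorded ca-error; with `--run` it refuses to resubmit anything until `ipa cert-show 1` succeeds, which keeps certmonger from hammering a CA that is still returning 500.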

> 
>     > repeated getCert resubmit -i xx
>     >
>     > root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires'
>     > Request ID '20200509160847':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:24 UTC
>     > Request ID '20200509160848':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:23 UTC
>     > Request ID '20200509160849':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:24 UTC
>     > Request ID '20200509160850':
>     >         status: MONITORING
>     >         expires: 2040-05-09 16:08:22 UTC
>     > Request ID '20200509160851':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:44 UTC
>     > Request ID '20200509160852':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:23 UTC
>     > Request ID '20200509160914':
>     >         status: CA_UNREACHABLE
>     >         expires: 2022-05-10 16:09:13 UTC
>     > Request ID '20200509160938':
>     >         status: CA_UNREACHABLE
>     >         expires: 2022-05-10 16:09:38 UTC
>     > root@ipa-test-65-199:/var/log/pki# getcert list |egrep 'Request|status|expires|ca-error'
>     > Request ID '20200509160847':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:24 UTC
>     > Request ID '20200509160848':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:23 UTC
>     > Request ID '20200509160849':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:24 UTC
>     > Request ID '20200509160850':
>     >         status: MONITORING
>     >         expires: 2040-05-09 16:08:22 UTC
>     > Request ID '20200509160851':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:44 UTC
>     > Request ID '20200509160852':
>     >         status: MONITORING
>     >         expires: 2022-04-29 16:08:23 UTC
>     > Request ID '20200509160914':
>     >         status: CA_UNREACHABLE
>     >         ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (500)).
>     >         expires: 2022-05-10 16:09:13 UTC
>     > Request ID '20200509160938':
>     >         status: CA_UNREACHABLE
>     >         ca-error: Server at https://ipa-test-65-199.hiido.host.yydevops.com/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (500)).
>     >         expires: 2022-05-10 16:09:38 UTC
>     > root@ipa-test-65-199:/var/log/pki# date -R
>     > Thu, 28 Apr 2022 00:16:51 +0800
> 
>     I tried these commands and restarted certmonger. Strangely enough,
>     the HTTP/LDAP certificate was renewed successfully, but the
>     PKI-Tomcat certificate was not renewed. I executed getCert Request
>     -i ID several times, but the date of the certificate is still not
>     renewed.
> 
>     https://rcritten.wordpress.com/2017/09/20/peer-certificate-cannot-be-authenticated-with-given-ca-certificates/
> 
>     certutil -M -d /etc/apache2/nssdb -n 'YYDEVOPS.COM IPA CA' -t ,,
>     certutil -M -d /etc/apache2/nssdb -n 'YYDEVOPS.COM IPA CA' -t CT,C,C
>     curl -v -o /dev/null --cacert /etc/ipa/ca.crt https://`hostname`:8443/ca/agent/ca/profileReview
>       % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
>                                      Dload  Upload   Total   Spent    Left  Speed
>       0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>     *   Trying 10.12.65.199...
>     * Connected to ipa-test-65-199.hiido.host.yydevops.com (10.12.65.199) port 8443 (#0)
>     * found 1 certificates in /etc/ipa/ca.crt
>     * found 700 certificates in /etc/ssl/certs
>     * ALPN, offering http/1.1
>     * SSL connection using TLS1.2 / RSA_AES_128_CBC_SHA1
>     *        server certificate verification OK
>     *        server certificate status verification SKIPPED
>     *        common name: ipa-test-65-199.hiido.host.yydevops.com (matched)
>     *        server certificate expiration date OK
>     *        server certificate activation date OK
>     *        certificate public key: RSA
>     *        certificate version: #3
>     *        subject: O=YYDEVOPS.COM,CN=ipa-test-65-199.hiido.host.yydevops.com
>     *        start date: Sat, 09 May 2020 16:08:23 GMT
>     *        expire date: Fri, 29 Apr 2022 16:08:23 GMT
>     *        issuer: O=YYDEVOPS.COM,CN=Certificate Authority
>     *        compression: NULL
>     * ALPN, server did not agree to a protocol
>     > GET /ca/agent/ca/profileReview HTTP/1.1
>     > Host: ipa-test-65-199.hiido.host.yydevops.com:8443
>     > User-Agent: curl/7.47.0
>     > Accept: */*
>     >
>     * gnutls_handshake() failed: Illegal parameter
>       0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
>     * Closing connection 0
>     curl: (35) gnutls_handshake() failed: Illegal parameter
> 
>     root@ipa-test-65-199:/home/liangrui# getcert list |egrep 'Request|status|expires|ca-error|certificate'
>     Number of certificates and requests being tracked: 8.
>     Request ID '20200509160847':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>             expires: 2022-04-29 16:08:24 UTC
>     Request ID '20200509160848':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>             expires: 2022-04-29 16:08:23 UTC
>     Request ID '20200509160849':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>             expires: 2022-04-29 16:08:24 UTC
>     Request ID '20200509160850':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>             expires: 2040-05-09 16:08:22 UTC
>     Request ID '20200509160851':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>             expires: 2022-04-29 16:08:44 UTC
>     Request ID '20200509160852':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>             expires: 2022-04-29 16:08:23 UTC
>     Request ID '20200509160914':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/dirsrv/slapd-YYDEVOPS-COM',nickname='Server-Cert',token='NSS Certificate DB'
>             expires: 2024-04-27 17:12:04 UTC
>     Request ID '20200509160938':
>             status: MONITORING
>             certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>             expires: 2024-04-27 17:12:12 UTC
>     I don't know where to start. How should I deal with this?
>     _______________________________________________
>     FreeIPA-users mailing list -- [email protected]
>     <mailto:[email protected]>
>     To unsubscribe send an email to
>     [email protected]
>     <mailto:[email protected]>
>     Fedora Code of Conduct:
>     https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>     List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>     List Archives:
>     
> https://lists.fedorahosted.org/archives/list/[email protected]
>     Do not reply to spam on the list, report it:
>     https://pagure.io/fedora-infrastructure
> 
> 