Juan Pablo Lorier wrote:
> Hi Rob,
>
> I do manually add the pin and they get in MONITORING state, but the IPA
> server is not consistent because the upgrade never completes.
> If I try to run the upgrade, the process renews the certs and they go
> back to stuck state. Look at the upgrade output I sent and then you can
> see that those certs get into stuck because of the missing pin:

This doesn't renew the certs, it is attempting to fix the broken
tracking, and failing I assume.

MONITORING doesn't mean the certificates are still valid. You need to
look at the expires date to determine that.

rob

>
>>> [Update certmonger certificate renewal configuration]
>>> Missing or incorrect tracking request for certificates:
>>>   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>>>   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>>>   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>>>   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
>>> Certmonger certificate renewal configuration updated
>
>
>
>> On Dec 1, 2022, at 13:52, Rob Crittenden <[email protected]> wrote:
>>
>> Juan Pablo Lorier wrote:
>>> Ok, I fixed the certs following another ticket but using the pin file
>>> pointed to in the link you sent me.
>>> Result:
>>>
>>> ipa-getcert start-tracking -i 20221201163932 -p
>>> /etc/pki/pki-tomcat/alias/pwdfile.txt
>>
>> I don't know what request 20221201163932 is but you need to add the pin
>> file to all of the CA-related trackers.
>>
>> rob
>>
>>>
>>> But it seems that ipa-server-upgrade breaks them again:
>>>
>>> named user config '/etc/named/ipa-ext.conf' already exists
>>> named user config '/etc/named/ipa-options-ext.conf' already exists
>>> named user config '/etc/named/ipa-logging-ext.conf' already exists
>>> [Upgrading CA schema]
>>> CA schema update complete
>>> [Update certmonger certificate renewal configuration]
>>> Missing or incorrect tracking request for certificates:
>>>   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>>>   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>>>   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>>>   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
>>> Certmonger certificate renewal configuration updated
>>> [Enable PKIX certificate path discovery and validation]
>>> PKIX already enabled
>>> [Authorizing RA Agent to modify profiles]
>>> [Authorizing RA Agent to manage lightweight CAs]
>>> [Ensuring Lightweight CAs container exists in Dogtag database]
>>> [Adding default OCSP URI configuration]
>>> [Disabling cert publishing]
>>> pki-tomcat configuration changed, restart pki-tomcat
>>> [Ensuring CA is using LDAPProfileSubsystem]
>>> [Migrating certificate profiles to LDAP]
>>> Migrating profile 'acmeServerCert'
>>> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
>>> command ipa-server-upgrade manually.
>>> Unexpected error - see /var/log/ipaupgrade.log for details:
>>> NetworkError: cannot connect to
>>> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
>>> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
>>> more information
>>>
>>>
>>> Request ID '20221201164512':
>>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>   stuck: yes
>>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
>>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
>>>   CA: dogtag-ipa-ca-renew-agent
>>>   issuer:
>>>   subject:
>>>   issued: unknown
>>>   expires: unknown
>>>   profile: caSignedLogCert
>>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>   track: yes
>>>   auto-renew: yes
>>> Request ID '20221201164513':
>>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>   stuck: yes
>>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
>>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
>>>   CA: dogtag-ipa-ca-renew-agent
>>>   issuer:
>>>   subject:
>>>   issued: unknown
>>>   expires: unknown
>>>   profile: caOCSPCert
>>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>   track: yes
>>>   auto-renew: yes
>>> Request ID '20221201164514':
>>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>   stuck: yes
>>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
>>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
>>>   CA: dogtag-ipa-ca-renew-agent
>>>   issuer:
>>>   subject:
>>>   issued: unknown
>>>   expires: unknown
>>>   profile: caSubsystemCert
>>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>   track: yes
>>>   auto-renew: yes
>>> Request ID '20221201164515':
>>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>   stuck: yes
>>>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
>>>   CA: dogtag-ipa-ca-renew-agent
>>>   issuer:
>>>   subject:
>>>   issued: unknown
>>>   expires: unknown
>>>   profile: caCACert
>>>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>>>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>>>   track: yes
>>>   auto-renew: yes
>>>
>>>> On Dec 1, 2022, at 12:47, Juan Pablo Lorier <[email protected]> wrote:
>>>>
>>>> Thanks Jochen,
>>>>
>>>> I tried following the post but the getcert command is complaining
>>>> about the syntax and I can't find why. According to the man page, the
>>>> parameters are right.
>>>>
>>>> I also tried to remove the certs and run ipa-server-upgrade but it
>>>> generates new certs and fails at the same point (new certs are also
>>>> pending pin information).
>>>> It looks like I will need a way to unstick those certs for the upgrade
>>>> to continue.
>>>> All suggestions are welcome :-)
>>>> Regards
>>>>
>>>>> On Dec 1, 2022, at 01:30, Jochen Kellner <[email protected]> wrote:
>>>>>
>>>>>
>>>>> Hello Juan,
>>>>>
>>>>> Juan Pablo Lorier via FreeIPA-users <[email protected]> writes:
>>>>>
>>>>>> You are right, there are several certificates stuck in dc2:
>>>>>>
>>>>>> getcert list
>>>>> ...
>>>>>> Request ID '20221130160320':
>>>>>>   status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
>>>>>
>>>>> My google-fu points to that comment in an issue:
>>>>> https://github.com/freeipa/freeipa-healthcheck/issues/123#issuecomment-659962943
>>>>> That has the commands to fix the issue.
>>>>>
>>>>> Another possibility should be to stop-tracking the certificates and run
>>>>> ipa-server-upgrade which should restore the trackings. Right?
>>>>>
>>>>> Jochen
>>>>>
>>>>> --
>>>>> This space is intentionally left blank.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
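The triage the thread converges on, as an added example that is not part of the thread or of FreeIPA/certmonger: read `getcert list` output, list the trackers certmonger reports as stuck waiting for the NSS DB pin, list the MONITORING trackers whose `expires:` date has actually passed (Rob's point that MONITORING alone does not prove validity), and print the `ipa-getcert start-tracking -i ID -p PINFILE` commands that attach the pin file to each stuck tracker in /etc/pki/pki-tomcat/alias, the form Juan used above. The `getcert list` sample is constructed here and abridged to the fields the script reads; the default pin file path is the one from the thread and is an assumption. Nothing is changed on the system, the fix commands are only printed for review.

```shell
#!/bin/sh
# Added example; not code from the thread, FreeIPA or certmonger.
# Parses `getcert list` output on stdin. Real output indents fields with a
# tab; the patterns below accept tabs or spaces.

# Constructed sample of `getcert list` output (abridged to the fields used).
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20221201164512':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    expires: unknown
Request ID '20221201164513':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2022-06-01 10:00:00 UTC
Request ID '20221201164514':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    expires: 2030-01-01 00:00:00 UTC
Request ID '20221201164515':
    status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
    stuck: yes
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca'
    CA: dogtag-ipa-ca-renew-agent
    expires: unknown
EOF
}

# Request IDs of every tracker certmonger reports as "stuck: yes".
stuck_requests() {
    awk '
        /^Request ID/              { id = $3; gsub(/[^0-9]/, "", id) }
        /^[ \t]*stuck: yes[ \t]*$/ { print id }
    '
}

# Request IDs in MONITORING whose "expires:" timestamp is already in the past.
# $1 is the reference time as "YYYY-MM-DD HH:MM:SS" (UTC); defaults to now.
# getcert prints expiry in that layout, so a plain string comparison orders correctly.
expired_requests() {
    now=${1:-$(date -u +'%Y-%m-%d %H:%M:%S')}
    awk -v now="$now" '
        /^Request ID/     { id = $3; gsub(/[^0-9]/, "", id); status = "" }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*expires:/ {
            if (status != "MONITORING") next
            if ($2 == "unknown") next      # certmonger has not read the cert yet
            ts = $2 " " $3
            if (ts < now) print id
        }
    '
}

# Print the start-tracking command that points each stuck tracker stored in the
# Dogtag NSS DB at the pin file. $1 is the pin file; the default is the path
# used in the thread (assumption, check it exists on the server).
pin_fix_commands() {
    pinfile=${1:-/etc/pki/pki-tomcat/alias/pwdfile.txt}
    awk -v pinfile="$pinfile" -v q="'" '
        /^Request ID/              { id = $3; gsub(/[^0-9]/, "", id); stuck = 0 }
        /^[ \t]*stuck: yes[ \t]*$/ { stuck = 1 }
        /^[ \t]*key pair storage:/ {
            # location=... sits between single quotes; q carries the quote char
            if (stuck && match($0, "location=" q "[^" q "]*" q)) {
                loc = substr($0, RSTART + 10, RLENGTH - 11)
                if (loc == "/etc/pki/pki-tomcat/alias")
                    printf "ipa-getcert start-tracking -i %s -p %s\n", id, pinfile
            }
        }
    '
}

# Stand-alone run against the constructed sample; on a real server pipe
# `getcert list` into the functions instead.
echo "stuck:";   sample_getcert_list | stuck_requests
echo "expired:"; sample_getcert_list | expired_requests
echo "fix:";     sample_getcert_list | pin_fix_commands
```

On a live server replace `sample_getcert_list` with `getcert list` (run as root, certmonger's request IDs are only visible that way), review the printed commands, then run them; a tracker that then moves to MONITORING still needs its `expires:` date checked, and if that date is already past the certificate itself has to be renewed, not just re-tracked.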
