Does the outdated certificate show in 'ipa-getcert list'?
What certificate is the replica failing to replicate exactly?

Also it's possible that you will need to travel back in time (stopping
chronyd service and then changing the time to when the certificate was
still valid) and update it then.

On Thu, Jan 26, 2023 at 11:20 AM MM MM via FreeIPA-users
<[email protected]> wrote:
>
> Hi,
>
> we have two IPA servers (primary and replica) in the same network. Both are
> running on CentOS 7; on 1st January we had the problem that suddenly the
> authentication didn't work anymore.
> During troubleshooting we noticed that the subsystem CA certificates had been
> expired for nearly two years. I don't know why the error didn't occur earlier.
> At this point we could fix the primary server with the command "ipa-cert-fix",
> but the replica couldn't be included in FreeIPA anymore. So we decided to
> install a fresh system - CentOS 7, same IPA version, same IP, same hostname.
> We could bind the new system without any problems to the existing primary
> server, but when we tried to install the replica service, we got the
> following error:
> "
> RuntimeError: CA configuration failed.
>
> 2023-01-26T07:48:34Z DEBUG   [error] RuntimeError: CA configuration failed.
> 2023-01-26T07:48:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca
> "
>
> In the pki-tomcatd debug log it’s a bit more detailed:
> "
> 2023-01-26 08:48:32 [main] SEVERE: LogFile: Attempt to log message 
> "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 
> 0.main - [26/Jan/2023:08:48:32 CET] [14] [6] 
> [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=10.150.116.54][ServerHost=10.150.116.54][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent:
>  CLOSE_NOTIFY] access session terminated when Certificate System acts as 
> client
> 2023-01-26 08:48:32 [main] SEVERE: Exception sending context initialized 
> event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
> java.lang.RuntimeException: Unable to start CA engine: Selftest failed: 
> Invalid certificate ocspSigningCert cert-pki-ca: NotAfter: Sun Mar 07 
> 15:49:58 CET 2021
>
> 2023-01-26 08:48:32 [main] INFO: Shutting down CA subsystem
> "
>
> As you can see the CA replication couldn't be started, as there are expired
> subsystem CA certificates on the primary system.
>
> First we tried to remove the expired subsystem CA certificates from the LDAP
> tree with
> ldapdelete -x -D "cn=directory manager" -W "cn=44,ou=ca,ou=requests,o=ipaca"
> and
> ldapdelete -x -D "cn=directory manager" -W
> "cn=44,ou=certificateRepository,ou=ca,o=ipaca"
> as there are newly generated subsystem CA certificates already, but
> "ipa-cert-fix" still reported that these certificates are expired. This
> had the effect that pki-tomcatd didn't start anymore.
>
> Next we also removed the expired certificates from pki-tomcat with
> /usr/bin/certutil -d sql:/etc/pki/pki-tomcat/alias -D -n 'ocspSigningCert
> cert-pki-ca' -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
> At this point the IPA service starts without any problems and
> "ipa-cert-fix" doesn't show any expired certificates anymore, but when we
> tried to initialize the replica it still tries to replicate the old expired
> certificates, ending in an HTTP 404 error.
>
> Now we’ve reached a point where we just don’t have any more ideas.
> I hope somebody has an idea and can help.
> If you need more information and/or logs, we can deliver them at any
> time!
>
> Thanks in advance!
>
> Best regards
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
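An added example (not code from the thread or from FreeIPA) that turns the two suggestions in the reply into a script: it lists the pki-tomcat certificates with their Not After dates, flags the ones that were already expired at a given time, and computes the clock value for the stop-chronyd, set-date, ipa-cert-fix sequence. The sample data is constructed (only the ocspSigningCert timestamp is the one from the quoted pki-tomcat log); the function names, the RUN_FIX switch and the chronyc makestep step at the end are our assumptions, as is GNU date being available, which it is on CentOS 7:

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA: list the pki-tomcat
# certificates with their expiry, flag the expired ones, and work out the date
# to set the clock to for the "travel back in time" ipa-cert-fix run.
# Assumes GNU coreutils date (CentOS 7) and the standard IPA NSS nicknames;
# the function names are ours.

NSSDB=/etc/pki/pki-tomcat/alias

# "Sun Mar 07 15:49:58 2021" -> epoch seconds. certutil's Not After values
# carry no zone, so everything is parsed as UTC; an hour of skew does not
# matter because the target date below keeps a full day of margin.
not_after_epoch() {
    TZ=UTC LC_ALL=C date -d "$1" +%s
}

# Real data source: one "nickname|Not After" line per certificate in the NSS
# database. A nickname that has several certs (old and renewed) yields one
# line per cert, which is the situation the original poster ran into.
collect_nss_expiry() {
    for nick in 'caSigningCert cert-pki-ca' 'ocspSigningCert cert-pki-ca' \
                'subsystemCert cert-pki-ca' 'auditSigningCert cert-pki-ca' \
                'Server-Cert cert-pki-ca'; do
        certutil -L -d "sql:$NSSDB" -n "$nick" 2>/dev/null \
            | sed -n 's/^ *Not After *: *//p' \
            | while IFS= read -r na; do printf '%s|%s\n' "$nick" "$na"; done
    done
}

# stdin: nickname|Not After lines; prints the nicknames expired at $1 (epoch).
expired_certs() {
    now=$1
    while IFS='|' read -r nick na; do
        [ -n "$nick" ] || continue
        if [ "$(not_after_epoch "$na")" -lt "$now" ]; then
            printf '%s\n' "$nick"
        fi
    done
}

# stdin: nickname|Not After lines; prints "YYYY-MM-DD HH:MM:SS" one day before
# the earliest expiry, i.e. a time at which every listed cert was still valid.
fix_target_date() {
    earliest=
    while IFS='|' read -r nick na; do
        [ -n "$nick" ] || continue
        e=$(not_after_epoch "$na")
        if [ -z "$earliest" ] || [ "$e" -lt "$earliest" ]; then earliest=$e; fi
    done
    [ -n "$earliest" ] || return 1
    TZ=UTC LC_ALL=C date -d "@$((earliest - 86400))" '+%Y-%m-%d %H:%M:%S'
}

# The time-travel procedure itself (destructive: stops chronyd and sets the
# clock). Only runs when RUN_FIX=1 is given; review it before using it.
run_cert_fix_in_the_past() {
    target=$(collect_nss_expiry | fix_target_date) || {
        echo "no certificates found in $NSSDB" >&2; return 1; }
    echo "setting clock to $target (one day before the earliest expiry)"
    systemctl stop chronyd
    date -s "$target"
    ipa-cert-fix
    systemctl start chronyd
    chronyc makestep            # step straight back to real time
}

# Constructed sample: the ocspSigningCert value is the one from the pki-tomcat
# log quoted in the thread, the other three lines are made up.
SAMPLE='ocspSigningCert cert-pki-ca|Sun Mar 07 15:49:58 2021
subsystemCert cert-pki-ca|Sun Mar 07 15:49:58 2021
auditSigningCert cert-pki-ca|Tue Feb 25 10:00:00 2025
Server-Cert cert-pki-ca|Tue Feb 25 10:00:00 2025'

if [ "${RUN_FIX:-0}" = 1 ]; then
    run_cert_fix_in_the_past
else
    # Offline demo against the sample, "now" being the time of the quoted log.
    now=$(not_after_epoch 'Thu Jan 26 08:48:32 2023')
    printf '%s\n' "$SAMPLE" | expired_certs "$now"
    printf '%s\n' "$SAMPLE" | fix_target_date
fi
```

Run it without arguments for the offline demo against the sample; run it with RUN_FIX=1 only on the host where ipa-cert-fix is the intended action, and compare what it lists against the expires: lines of ipa-getcert list first, as the reply suggests, so that a certificate tracked by certmonger but missing from the NSS database (or the other way round) is noticed before the clock is touched.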