Flo - That worked!
I noticed in the output of each "resubmit" that it said it was
contacting the DogTag so it all kinda makes sense now as to why they
couldn't renew.
I can see that the certs actually renewed when I run "getcert list" but
when I'm in the web interface and go to "Authentication" -->
"Certificates" and select Cert #93 (for example).
It still shows an expiry date of 05/04/2023 and the "Subject" for the
cert is "CN=CA Audit,O=[sanitized domain name]". The issuing CA is "ipa".
Are these the same certs that I'm seeing in "getcert list" output ?? Do
I need to bounce a service to re-read or for the gui to see the changes?
Btw - I'm running ipa-server-4.6.8-5.el7 (on a CentOS 7.9 box)
v/r,
justin
On 4/17/2023 10:46 AM, Florence Blanc-Renaud wrote:
Hi,
On Mon, Apr 17, 2023 at 3:32 PM Justin Sanderson
<[email protected]> wrote:
Hey Flo - thanks for the quick response and input.
I stumbled across the link you referenced this past weekend. For
now, I'm ok with using BasicAuth to keep the system running.
However, that is indicative of an underlying cert issue and may be
related to the other issues mentioned in the post.
My biggest/most-pressing issue is that I have an UNREACHABLE CA
... Is this problem due to the tomcat-pki not being able to
login?? I would think that after switching over to binddn/password
that the UNREACHABLE would resolve itself if that were the case.
Basically, I think I'm having 2 issues.
1) the dogtag pki --> ldap auth which I think I have fixed for now.
2) I don't know how to fix the UNREACHABLE for the certs on the
NSSDB (see below)
Can you check if the PKI server is responsive using the following
commands?
# kinit admin
# ipa cert-show 1
* If the command properly returns something then it means PKI is
reachable and you can retry the renewal with
# getcert resubmit -i <request id>
with <request id> corresponding to the ID for auditSigningCert
cert-pki-ca / ocspSigningCert cert-pki-ca. Wait for one renewal to
complete successfully (getcert list -i <request id> displays
MONITORING when the renewal is done) before launching the next one.
You can observe the journal for additional logs.
* If the command fails, additional debugging will be needed; the
first step would be to create /etc/ipa/server.conf with the
following content:
[global]
debug=True
and restart the stack with "ipactl restart". Then check the content of
/var/log/httpd/error_log when you run "ipa cert-show 1", it will
contain additional messages.
By the way, which IPA version is installed? rpm -qa | grep ipa-server
flo
I know I'm missing something but I'm so new to this platform that
I literally don't know where/how to fix.
Thanks again.
On 4/17/2023 4:03 AM, Florence Blanc-Renaud wrote:
Hi,
On Mon, Apr 17, 2023 at 5:42 AM Justin Sanderson via
FreeIPA-users <[email protected]> wrote:
THANKS IN ADVANCE FOR ANY HELP INFO YOU CAN PROVIDE!!
Greatly Appreciate!!
Ok. So after doing a LOT of reading and learning about
FreeIPA the past 2 days (yep, I inherited), I was able to fix
my problem of pki-tomcatd (DogTag I think it's called) so that
it would start.
The pki-tomcatd service wouldn't start due to some cert
issues. I was fortunate enough to figure out how to enable
BasicAuth for now to get the service to start, so that's a win.
So it means that PKI was not able to authenticate to the LDAP
server using the certificate subsystemCert cert-pki-ca and you
switched from certificate-based authentication to simple bind
using DN/password.
There are some troubleshooting hints here for this specific
issue:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
HTH,
flo
My SETUP:
I have a single server instance as a VM. There are no replicas.
The FreeIPA configuration is:
1) No DNS BIND server - using external DNS via AD in
/etc/resolv.conf
2) We ARE running all other services
3) Self-Signed CA configuration using DogTag I think it's
called. There are no external certs being used.
ipactl start has no issues now after I fixed the pki-tomcatd
start problem using BasicAuth (workaround)
PROBLEM :
When I run "getcert list" I have 3 that have status
CA_UNREACHABLE and ALL of them are related to
/etc/pki/pki-tomcat/alias NSSDB.
They are set to expire in a few weeks so I need to figure
this out; needing some help.
The getcert list outputs a total of 9 or 10 certs so I don't
think I'm missing anything.. Based off what I was able to
find, it's common to have 8-10 certs in the output...?
Below are 2 of 3 certs that are going to expire soon and
their CA is in an UNREACHABLE state. They all use the same NSSDB
**I have no idea where to start looking to fix this
problem... which log file... how is it supposed to talk to
the NSSDB. it's not a socket...? **
I'm worried that the certs will expire and I won't know how
to fix it. or where to even look. HELP*!*!
I've seen several people posting already about certmonger not
successfully tracking/renewing some certs so I'm a bit
concerned, especially since the CA_UNREACHABLE error.
How do I fix this:
1) manually generate new certs and wth do I put them?
2) why is the CA_UNREACHABLE on an NSSDB...? The files are
there and intact. I can view the contents no prob.
============ getcert list output ============================
Request ID '20190621200128':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
subject: CN=CA Audit,O=[SANITIZED DNS NAME]
expires: 2023-05-04 12:52:47 UTC
key usage: digitalSignature,nonRepudiation
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20190621200129':
status: CA_UNREACHABLE
ca-error: Internal error
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS FIPS 140-2 Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=[SANITIZED DNS NAME]
subject: CN=OCSP Subsystem,O=[SANITIZED DNS NAME]
expires: 2023-05-04 12:53:17 UTC
eku: id-kp-OCSPSigning
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
===================================================================================================================================
_______________________________________________
FreeIPA-users mailing list --
[email protected]
To unsubscribe send an email to
[email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines:
https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it:
https://pagure.io/fedora-infrastructure/new_issue