Try ipa-cert-fix. https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/7/html/linux_domain_identity_authentication_and_policy_guide/cert-renewal#renewing-expired-system-certificate-when-idm-is-offline

rob

Azim Siddiqui wrote:
> I just checked the FreeIPA master server and the CA is managed
> internally by FreeIPA.
>
>     Validity
>         Not Before: Oct 30 19:52:54 2015 GMT
>         Not After : Oct 30 19:52:54 2035 GMT
>
> > Ok so you have to handle the renewals on master.ipa.free.ipa.com as it
> > is both the only CA and it is the renewal master. All work needs to
> > focus on that machine.
>
> Please advise what I can do next on this.
>
> > Yes, we need to see getcert list on master.
>
> Here's the getcert list from the master server:
>
> getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20160825202629':
>     status: SUBMITTING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-FREE-IPA-COM/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=master.IPA-FREE-IPA-COM,O=IPA-FREE-IPA-COM
>     expires: 2023-12-18 15:52:08 UTC
>     principal name: ldap/master.IPA-FREE-IPA-COM@IPA-FREE-IPA-COM
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IPA-FREE-IPA-COM
>     track: yes
>     auto-renew: yes
> Request ID '20160825202951':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=CA Audit,O=IPA-FREE-IPA-COM
>     expires: 2025-06-12 00:01:52 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160825202952':
>     status: SUBMITTING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=OCSP Subsystem,O=IPA-FREE-IPA-COM
>     expires: 2023-06-29 10:16:09 UTC
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160825202953':
>     status: SUBMITTING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=CA Subsystem,O=IPA-FREE-IPA-COM
>     expires: 2023-06-29 10:16:29 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160825202954':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     expires: 2035-10-30 19:52:54 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160825202955':
>     status: SUBMITTING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=master.IPA-FREE-IPA-COM,O=IPA-FREE-IPA-COM
>     expires: 2024-04-23 15:52:18 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>     pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20160825203104':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=master.IPA-FREE-IPA-COM,O=IPA-FREE-IPA-COM
>     expires: 2024-10-14 20:01:14 UTC
>     principal name: HTTP/master.IPA-FREE-IPA-COM@IPA-FREE-IPA-COM
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes
> Request ID '20160825203110':
>     status: MONITORING
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
>     subject: CN=IPA RA,O=IPA-FREE-IPA-COM
>     expires: 2025-06-12 00:00:31 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib64/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
>
> On Wed, 4 Sept 2024 at 13:39, Rob Crittenden <[email protected]> wrote:
>
> > Azim Siddiqui wrote:
> > > Hi Rob,
> > >
> > > > We need a bit more information.
> > > >
> > > > What version of IPA are you running on what distribution?
> > >
> > > I am running FreeIPA VERSION: 4.6.8 on CentOS 7
> > >
> > > > What is your topology? Is this your only server? Does this server have
> > > > the CA service installed? Did you use an external CA to sign the IPA CA
> > > > on installation?
> > >
> > > I currently have one master and one replica server in the topology. It
> > > appears that the certificate on the master server has expired. The
> > > CA_UNREACHABLE error is occurring on the replica server.
> > > Unfortunately, I'm not sure whether an external CA was used during the
> > > original installation, as I inherited the server a couple of months ago
> > > and don't have details on the initial setup.
> >
> > You'll be able to tell with the getcert output by the Issuer of your IPA
> > CA certificate. If the subjects match then it is self-signed and is
> > probably good for another decade or more.
> >
> > > > Will ipa config-show run? What does it tell you?
> > >
> > > Yes, the ipa config-show command is running on the replica server and
> > > this is the output:
> > >
> > > ipa config-show
> > >   Maximum username length: 32
> > >   Home directory base: /home
> > >   Default shell: /bin/bash
> > >   Default users group: users
> > >   Default e-mail domain:
> > >   Search time limit: 2
> > >   Search size limit: 1000
> > >   User search fields: uid,givenname,sn,telephonenumber,ou,title
> > >   Group search fields: cn,description
> > >   Enable migration mode: FALSE
> > >   Certificate Subject base: O=IPA-FREE-IPA-COM
> > >   Password Expiration Notification (days): 4
> > >   Password plugin features: AllowNThash
> > >   SELinux user map order:
> > >   Default SELinux user:
> > >   Default PAC types: MS-PAC, nfs:NONE
> > >   IPA masters: xyz.ipa.free-ipa.com, master.ipa.free.ipa.com
> > >   IPA CA servers: master.ipa.free.ipa.om
> > >   IPA NTP servers: xyz.ipa.free-ipa.com
> > >   IPA CA renewal master: master.ipa.free.ipa.com
> > >   IPA DNS servers: xyz.ipa.free-ipa.com, master.ipa.free.ipa.com
> >
> > Ok so you have to handle the renewals on master.ipa.free.ipa.com as it
> > is both the only CA and it is the renewal master. All work needs to
> > focus on that machine.
> >
> > > > You didn't include how you got this output. You want to use getcert list
> > > > to see all of the tracked certificates and not ipa-getcert list.
> > >
> > > I got that output by running the ipa-getcert list command.
> >
> > Yes, we need to see getcert list on master.
> >
> > rob
> >
> > > On Tue, 3 Sept 2024 at 17:14, Rob Crittenden <[email protected]> wrote:
> > >
> > > > Azim Siddiqui via FreeIPA-users wrote:
> > > > > Hello,
> > > > >
> > > > > On one of the FreeIPA servers, I'm encountering an issue with the
> > > > > certificate:
> > > > >
> > > > > Number of certificates and requests being tracked: 1.
> > > > > Request ID '20220930041156':
> > > > >     status: CA_UNREACHABLE
> > > > >     ca-error: Server at https://xyz.ipa.free-ipa.com/ipa/xml failed request, will retry: 4001 (RPC failed at server. ipa: Certificate Authority not found).
> > > > >     stuck: no
> > > > >     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-FREE-IPA-COM/pwdfile.txt'
> > > > >     certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-FREE-IPA-COM',nickname='Server-Cert',token='NSS Certificate DB'
> > > > >     CA: IPA
> > > > >     issuer: CN=Certificate Authority,O=IPA-FREE-IPA-COM
> > > > >     subject: CN=xyz.ipa.free-ipa.com,O=IPA-FREE-IPA-COM
> > > > >     expires: 2024-09-30 02:22:56 UTC
> > > > >     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> > > > >     eku: id-kp-serverAuth,id-kp-clientAuth
> > > > >     pre-save command:
> > > > >     post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-FREE-IPA-COM
> > > > >     track: yes
> > > > >     auto-renew: yes
> > > > >
> > > > > Could someone please guide me on how to troubleshoot and resolve
> > > > > this issue?
> > > >
> > > > We need a bit more information.
> > > >
> > > > What version of IPA are you running on what distribution?
> > > >
> > > > What is your topology? Is this your only server? Does this server have
> > > > the CA service installed? Did you use an external CA to sign the IPA CA
> > > > on installation?
> > > >
> > > > Will ipa config-show run? What does it tell you?
> > > >
> > > > ipa: Certificate Authority not found. I'm not entirely sure what is
> > > > throwing this error. I think the systemd journal might tell us.
> > > >
> > > > You didn't include how you got this output. You want to use getcert list
> > > > to see all of the tracked certificates and not ipa-getcert list.
> > > >
> > > > rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
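The thread's diagnosis boils down to reading `getcert list` on the renewal master by hand: which requests are not in MONITORING, which certificates have already expired, and whether the CA certificate is self-signed (issuer equal to subject). The script below is an added example, not code from the thread or from FreeIPA or certmonger, that automates that read. It parses `getcert list` text on stdin and prints one line per tracked request with the request ID, certmonger status, a flag (OK, EXPIRED, EXPIRING or NOT_MONITORING), whether the certificate is self-signed, the expiry date and the NSS nickname. The sample `getcert list` output it runs against is constructed for the example (realm EXAMPLE.TEST, shaped like the master's list above); the 30-day warning window and the reference time of 2024-09-04 are choices made here, not values from the thread.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or certmonger): triage `getcert list`
# output on an IPA renewal master. Read-only; it never touches the NSS databases.
# Assumes plain `getcert list` text on stdin with expiry lines in certmonger's
# "YYYY-MM-DD HH:MM:SS UTC" form.

# The awk program lives in a quoted heredoc so the single quotes certmonger prints
# around request IDs and nicknames need no shell escaping.
TRIAGE_AWK=$(cat <<'EOF'
# Days since 1970-01-01 for a Gregorian date (Howard Hinnant's days_from_civil),
# so no gawk-only mktime() is needed.
function days_from_civil(y, m, d,    era, yoe, doy, doe) {
    if (m <= 2) y = y - 1
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
}
# "2023-12-18 15:52:08 UTC" -> epoch seconds
function to_epoch(ts,    dt, dp, tp, secs) {
    split(ts, dt, " "); split(dt[1], dp, "-"); split(dt[2], tp, ":")
    secs = days_from_civil(dp[1] + 0, dp[2] + 0, dp[3] + 0) * 86400
    return secs + tp[1] * 3600 + tp[2] * 60 + tp[3]
}
# Emit one line for the record collected so far, then reset it.
function flush(    flag, exp_epoch, origin) {
    if (id == "") return
    flag = "OK"
    # Rob's check for the IPA CA cert: issuer == subject means self-signed.
    origin = (issuer != "" && issuer == subject) ? "self-signed" : "issued"
    if (expires != "") {
        exp_epoch = to_epoch(expires)
        if (exp_epoch <= now) flag = "EXPIRED"
        else if (exp_epoch - now <= warn_days * 86400) flag = "EXPIRING"
    }
    # Anything but MONITORING (SUBMITTING, CA_UNREACHABLE, ...) is not the steady state.
    if (status != "MONITORING") flag = (flag == "OK") ? "NOT_MONITORING" : flag "+NOT_MONITORING"
    print id, status, flag, origin, (expires == "" ? "-" : substr(expires, 1, 10)), nick
    id = ""; status = ""; nick = "-"; issuer = ""; subject = ""; expires = ""
}
/^Request ID '/ { flush(); id = $0; sub(/^Request ID '/, "", id); sub(/'.*$/, "", id); nick = "-"; next }
/^[ \t]*status: /      { status = $2; next }
/^[ \t]*certificate: / { nick = $0; if (sub(/^.*nickname='/, "", nick)) sub(/'.*$/, "", nick); else nick = "-"; next }
/^[ \t]*issuer: /      { issuer = $0; sub(/^[ \t]*issuer: /, "", issuer); next }
/^[ \t]*subject: /     { subject = $0; sub(/^[ \t]*subject: /, "", subject); next }
/^[ \t]*expires: /     { expires = $0; sub(/^[ \t]*expires: /, "", expires); next }
END { flush() }
EOF
)

# triage_getcert [ref_epoch] [warn_days]: `getcert list` text on stdin, one line per request.
# ref_epoch defaults to now; warn_days (default 30) is the "expiring soon" window.
triage_getcert() {
    awk -v now="${1:-$(date -u +%s)}" -v warn_days="${2:-30}" "$TRIAGE_AWK"
}

# getcert_problems [ref_epoch] [warn_days]: only the records that need attention;
# exits 1 when there is at least one, so it can gate a cron or monitoring check.
getcert_problems() {
    triage_getcert "$@" | awk '$3 != "OK" { print; bad = 1 } END { exit (bad ? 1 : 0) }'
}

# Constructed sample (placeholder realm EXAMPLE.TEST, not the poster's output): an
# expired LDAP cert stuck in SUBMITTING, the self-signed CA cert, a healthy HTTP cert.
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20160825202629':
    status: SUBMITTING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=master.example.test,O=EXAMPLE.TEST
    expires: 2023-12-18 15:52:08 UTC
    track: yes
    auto-renew: yes
Request ID '20160825202954':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=Certificate Authority,O=EXAMPLE.TEST
    expires: 2035-10-30 19:52:54 UTC
    track: yes
    auto-renew: yes
Request ID '20160825203104':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=EXAMPLE.TEST
    subject: CN=master.example.test,O=EXAMPLE.TEST
    expires: 2024-10-14 20:01:14 UTC
    track: yes
    auto-renew: yes
EOF
)

# Demo: the sample as seen on 2024-09-04 00:00 UTC (epoch 1725408000), 30-day window.
printf '%s\n' "$SAMPLE_GETCERT" | triage_getcert 1725408000 30
```

On a real renewal master run `getcert list | getcert_problems` as root (getcert only shows every tracked request to root); the nickname is printed last because CA nicknames such as `caSigningCert cert-pki-ca` contain a space, so the first five fields stay fixed-width for further awk or grep. Compare issuer and subject on the `caSigningCert cert-pki-ca` line to answer the external-CA question the thread raises, and treat any SUBMITTING or CA_UNREACHABLE line on the master itself as the place to start, since the replica's CA_UNREACHABLE error is downstream of it.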
