Hello, we have two FreeIPA servers, one is configured as CA master. We noticed the 2-year expiration of the certificates on one of the replicas is approaching and the auto-renewal is failing with a CA_UNREACHABLE status, error code 4001.
Note that these two FreeIPA servers are replicas of a since decommissioned original that was removed from the topology a while back. Per Florence's suggestion to add debug logs to the http daemon and resend a cert request (thank you), we see the following errors in /var/log/httpd/error_log:

[Mon Sep 09 15:16:37.590119 2024] [:error] [pid 148275] ipa: DEBUG: WSGI wsgi_dispatch.__call__:
[Mon Sep 09 15:16:37.590182 2024] [:error] [pid 148275] ipa: DEBUG: KerberosWSGIExecutioner.__call__:
[Mon Sep 09 15:16:37.598332 2024] [:error] [pid 148275] ipa: DEBUG: Created connection context.ldap2_139787230862608
[Mon Sep 09 15:16:37.598389 2024] [:error] [pid 148275] ipa: DEBUG: WSGI WSGIExecutioner.__call__:
[Mon Sep 09 15:16:37.603355 2024] [:error] [pid 148275] ipa: DEBUG: raw: cert_request(u'xxxxxxx', profile_id=u'caIPAserviceCert', principal=u'ldap/[email protected]', add=True, version=u'2.51')
[Mon Sep 09 15:16:37.603985 2024] [:error] [pid 148275] ipa: DEBUG: cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest object at 0x7f22c5221f90>, request_type=u'pkcs10', profile_id=u'caIPAserviceCert', cacn=u'ipa', principal=ipapython.kerberos.Principal('ldap/[email protected]'), add=True, chain=False, all=False, raw=False, version=u'2.51')
[Mon Sep 09 15:16:37.604207 2024] [:error] [pid 148275] ipa: DEBUG: raw: ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.604264 2024] [:error] [pid 148275] ipa: DEBUG: ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.605642 2024] [:error] [pid 148275] ipa: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-COMPANY-LOCAL.socket conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f22bfaa0a70>
[Mon Sep 09 15:16:37.851204 2024] [:error] [pid 148275] ipa: DEBUG: raw: ca_show(u'ipa', chain=False, all=False, version=u'2.237')
[Mon Sep 09 15:16:37.851345 2024] [:error] [pid 148275] ipa: DEBUG: ca_show(u'ipa', rights=False, chain=False, all=False, raw=False, version=u'2.237')
[Mon Sep 09 15:16:37.851457 2024] [:error] [pid 148275] ipa: DEBUG: raw: ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.851521 2024] [:error] [pid 148275] ipa: DEBUG: ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.858466 2024] [:error] [pid 148275] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Mon Sep 09 15:16:37.858486 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in wsgi_execute
[Mon Sep 09 15:16:37.858489 2024] [:error] [pid 148275] result = command(*args, **options)
[Mon Sep 09 15:16:37.858506 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Mon Sep 09 15:16:37.858510 2024] [:error] [pid 148275] return self.__do_call(*args, **options)
[Mon Sep 09 15:16:37.858512 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Mon Sep 09 15:16:37.858515 2024] [:error] [pid 148275] ret = self.run(*args, **options)
[Mon Sep 09 15:16:37.858518 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Mon Sep 09 15:16:37.858520 2024] [:error] [pid 148275] return self.execute(*args, **options)
[Mon Sep 09 15:16:37.858522 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 657, in execute
[Mon Sep 09 15:16:37.858525 2024] [:error] [pid 148275] ca_obj = api.Command.ca_show(ca, all=all, chain=chain)['result']
[Mon Sep 09 15:16:37.858527 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Mon Sep 09 15:16:37.858530 2024] [:error] [pid 148275] return self.__do_call(*args, **options)
[Mon Sep 09 15:16:37.858532 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in __do_call
[Mon Sep 09 15:16:37.858535 2024] [:error] [pid 148275] ret = self.run(*args, **options)
[Mon Sep 09 15:16:37.858537 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Mon Sep 09 15:16:37.858539 2024] [:error] [pid 148275] return self.execute(*args, **options)
[Mon Sep 09 15:16:37.858542 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/ca.py", line 249, in execute
[Mon Sep 09 15:16:37.858544 2024] [:error] [pid 148275] result = super(ca_show, self).execute(*keys, **options)
[Mon Sep 09 15:16:37.858555 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 1330, in execute
[Mon Sep 09 15:16:37.858557 2024] [:error] [pid 148275] raise self.obj.handle_not_found(*keys)
[Mon Sep 09 15:16:37.858560 2024] [:error] [pid 148275] File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 766, in handle_not_found
[Mon Sep 09 15:16:37.858562 2024] [:error] [pid 148275] 'pkey': pkey, 'oname': self.object_name,
[Mon Sep 09 15:16:37.858565 2024] [:error] [pid 148275] NotFound: ipa: Certificate Authority not found
[Mon Sep 09 15:16:37.858567 2024] [:error] [pid 148275]
[Mon Sep 09 15:16:37.858774 2024] [:error] [pid 148275] ipa: INFO: [xmlserver] host/[email protected]: cert_request(u'xxxxxxxxx', profile_id=u'caIPAserviceCert', principal=u'ldap/[email protected]', add=True, version=u'2.51'): NotFound
[Mon Sep 09 15:16:37.858837 2024] [:error] [pid 148275] ipa: DEBUG: response: NotFound: ipa: Certificate Authority not found
[Mon Sep 09 15:16:37.859575 2024] [:error] [pid 148275] ipa: DEBUG: Destroyed connection context.ldap2_139787230862608

There is a "handle_not_found" error, apparently, but I am not sure which handle that refers to or how to resolve it. Any help would be appreciated!
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
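The traceback in the post shows the request path: cert_request calls ca_show(u'ipa'), and ca_show ends in baseldap's handle_not_found, so the failing step is the lookup of the CA object named "ipa" on that replica, not the CSR itself. The script below is an added example, not code from the thread or from FreeIPA: it parses httpd error_log debug lines of the shape shown above (the embedded sample lines are constructed, with placeholder hosts and realm) and reports the RPC call chain, the exception that terminated the request, and the CA name the failed ca_show asked for.

```python
import re

# Constructed sample modelled on the thread's log; hosts and realm are placeholders.
SAMPLE_LOG = """\
[Mon Sep 09 15:16:37.603355 2024] [:error] [pid 148275] ipa: DEBUG: raw: cert_request(u'xxxxxxx', profile_id=u'caIPAserviceCert', principal=u'ldap/ipa2.example.test@EXAMPLE.TEST', add=True, version=u'2.51')
[Mon Sep 09 15:16:37.851204 2024] [:error] [pid 148275] ipa: DEBUG: raw: ca_show(u'ipa', chain=False, all=False, version=u'2.237')
[Mon Sep 09 15:16:37.858466 2024] [:error] [pid 148275] ipa: DEBUG: WSGI wsgi_execute PublicError: Traceback (most recent call last):
[Mon Sep 09 15:16:37.858560 2024] [:error] [pid 148275]   File "/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 766, in handle_not_found
[Mon Sep 09 15:16:37.858565 2024] [:error] [pid 148275] NotFound: ipa: Certificate Authority not found
[Mon Sep 09 15:16:37.858774 2024] [:error] [pid 148275] ipa: INFO: [xmlserver] host/ipa2.example.test@EXAMPLE.TEST: cert_request(u'xxxxxxxxx', profile_id=u'caIPAserviceCert', principal=u'ldap/ipa2.example.test@EXAMPLE.TEST', add=True, version=u'2.51'): NotFound
"""

LINE_RE = re.compile(r"^\[(?P<ts>[^\]]+)\] \[:error\] \[pid (?P<pid>\d+)\] (?P<msg>.*)$")
RAW_CMD_RE = re.compile(r"ipa: DEBUG: raw: (?P<cmd>\w+)\((?P<args>.*)\)$")   # "raw:" lines name the RPC command
FIRST_ARG_RE = re.compile(r"^u?'(?P<val>[^']*)'")                           # first positional arg, e.g. u'ipa'
EXC_RE = re.compile(r"^(?P<cls>[A-Z]\w*): (?P<msg>.*)$")                    # final "Class: message" line of a traceback

def diagnose(log_text):
    """Walk one request's debug lines; return the RPC call chain and the exception that ended it."""
    calls, exc, in_traceback = [], None, False
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        msg = m.group("msg")
        cmd = RAW_CMD_RE.search(msg)
        if cmd:
            arg = FIRST_ARG_RE.match(cmd.group("args"))
            calls.append((cmd.group("cmd"), arg.group("val") if arg else None))
            continue
        if "Traceback (most recent call last)" in msg:
            in_traceback = True
            continue
        if in_traceback and not msg.startswith((" ", "File")):   # skip frame and source lines
            e = EXC_RE.match(msg)
            if e:
                exc = (e.group("cls"), e.group("msg"))
                in_traceback = False
    return {"calls": calls, "exception": exc, "missing_ca": missing_ca(calls, exc)}

def missing_ca(calls, exc):
    """If the request died in ca_show with NotFound, name the CA entry the lookup could not find."""
    if not exc or exc[0] != "NotFound" or "Certificate Authority not found" not in exc[1]:
        return None
    return next((arg for cmd, arg in reversed(calls) if cmd == "ca_show"), None)

if __name__ == "__main__":
    print(diagnose(SAMPLE_LOG))
```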
