Hi,

can you provide the output of "getcert list"?

flo

On Thu, Oct 10, 2024 at 2:26 PM Rowana Bejjani via FreeIPA-users <
[email protected]> wrote:

> Hi Flo,
> Thank you for your reply,
> this is what happened
> Last login: Tue Oct  8 20:49:14 2024 from 10.10.1.5
> [root@ipa1 ~]# ipa-cert-fix
>
>                           WARNING
>
> ipa-cert-fix is intended for recovery when expired certificates
> prevent the normal operation of IPA.  It should ONLY be used
> in such scenarios, and backup of the system, especially certificates
> and keys, is STRONGLY RECOMMENDED.
>
>
> The following certificates will be renewed:
>
> Dogtag subsystem certificate:
>   Subject: CN=CA Subsystem,O=LOCAL.LESBG.COM
>   Serial:  10468392990
>   Expires: 2024-10-02 10:19:00+00:00
>
> Dogtag ca_ocsp_signing certificate:
>   Subject: CN=OCSP Subsystem,O=LOCAL.LESBG.COM
>   Serial:  10468392980
>   Expires: 2024-10-02 10:19:00+00:00
>
> Dogtag ca_audit_signing certificate:
>   Subject: CN=CA Audit,O=LOCAL.LESBG.COM
>   Serial:  10468392992
>   Expires: 2024-10-02 10:19:00+00:00
>
> IPA IPA RA certificate:
>   Subject: CN=IPA RA,O=LOCAL.LESBG.COM
>   Serial:  10468392987
>   Expires: 2024-10-02 10:19:00+00:00
>
> IPA Apache HTTPS certificate:
>   Subject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
>   Serial:  95866352280
>   Expires: 2024-10-02 10:19:00+00:00
>
> IPA LDAP certificate:
>   Subject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
>   Serial:  95866352279
>   Expires: 2024-10-02 10:19:00+00:00
>
> IPA KDC certificate:
>   Subject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
>   Serial:  95866352277
>   Expires: 2024-10-02 10:19:00+00:00
>
> Enter "yes" to proceed: yes
> Proceeding.
> CalledProcessError(Command ['pki-server', 'cert-fix',
> '--ldapi-socket', '/run/slapd-LOCAL-LESBG-COM.socket',
> '--agent-uid', 'ipara', '--cert',
> 'subsystem', '--cert', 'ca_ocsp_signing',
> '--cert', 'ca_audit_signing', '--extra-cert',
> '10468392987', '--extra-cert', '95866352280',
> '--extra-cert', '95866352279',
> '--extra-cert', '95866352277'] returned non-zero exit
> status 1: 'INFO: Loading instance type: pki-tomcatd\nINFO: Loading
> instance: pki-tomcat\nINFO: Loading global Tomcat config:
> /etc/tomcat/tomcat.conf\nINFO: Loading PKI Tomcat config:
> /usr/share/pki/etc/tomcat.conf\nINFO: Loading instance Tomcat config:
> /etc/pki/pki-tomcat/tomcat.conf\nINFO: Loading password config:
> /etc/pki/pki-tomcat/password.conf\nINFO: Loading subsystem config:
> /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Loading subsystem registry:
> /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Loading instance registry:
> /etc/sysconfig/pki/tomcat/pki-tomcat/pki-tomcat\nINFO: Fixing the following
> system certs: [\'subsystem\', \'ca_ocsp_signing\',
> \'ca_audit_signing\']\nINFO: Renewing the following additional
> certs: [\'10468392987\', \'95866352280\',
> \'95866352279\', \'95866352277\']\nINFO: Stopping the
> instance to proceed with system cert renewal\nINFO: Configuring LDAP
> connection for CA\nINFO: Setting pkidbuser password via
> ldappasswd\nSASL/EXTERNAL authentication started\nSASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO:
> Storing subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Storing
> registry config: /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Storing
> subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Storing registry
> config: /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Selftests disabled for
> subsystems: ca\nSASL/EXTERNAL authentication started\nSASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO:
> Resetting password for uid=ipara,ou=people,o=ipaca\nSASL/EXTERNAL
> authentication started\nSASL username:
> gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth\nSASL SSF: 0\nINFO:
> Starting the instance\nINFO: Sleeping for 10 seconds to allow server time
> to start...\nINFO: Requesting new cert for subsystem\nINFO: Getting
> subsystem cert info from CS.cfg\nINFO: Getting subsystem cert info from NSS
> database\nINFO: Trying to setup a secure connection to CA subsystem.\nINFO:
> Stopping the instance\nINFO: Storing subsystem config:
> /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Storing registry config:
> /etc/pki/pki-tomcat/ca/registry.cfg\nINFO: Selftests enabled for
> subsystems: ca\nINFO: Restoring LDAP connection for CA\nINFO: Storing
> subsystem config: /etc/pki/pki-tomcat/ca/CS.cfg\nINFO: Storing registry
> config: /etc/pki/pki-tomcat/ca/registry.cfg\nERROR:
> HTTPSConnectionPool(host=\'ipa1.lesbg.com\', port=8443): Max
> retries exceeded with url: /ca/rest/account/login (Caused by
> SSLError(SSLCertVerificationError(1, \'[SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has
> expired (_ssl.c:1129)\')))\nTraceback (most recent call last):\n  File
> "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py",
> line 700, in urlopen\n    httplib_response = self._make_request(\n  File
> "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py",
> line 383, in _make_request\n    self._validate_conn(conn)\n  File
> "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py",
> line 1015, in _validate_conn\n    conn.connect()\n  File
> "/usr/lib/python3.9/site-packages/urllib3/connection.py", line
> 411, in connect\n    self.sock = ssl_wrap_socket(\n  File
> "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line
> 449, in ssl_wrap_socket\n    ssl_sock = _ssl_wrap_socket_impl(\n  File
> "/usr/lib/python3.9/site-packages/urllib3/util/ssl_.py", line
> 493, in _ssl_wrap_socket_impl\n    return ssl_context.wrap_socket(sock,
> server_hostname=server_hostname)\n  File
> "/usr/lib64/python3.9/ssl.py", line 501, in wrap_socket\n
> return self.sslsocket_class._create(\n  File
> "/usr/lib64/python3.9/ssl.py", line 1074, in _create\n
> self.do_handshake()\n  File "/usr/lib64/python3.9/ssl.py", line
> 1343, in do_handshake\n
> self._sslobj.do_handshake()\nssl.SSLCertVerificationError: [SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has
> expired (_ssl.c:1129)\n\nDuring handling of the above exception, another
> exception occurred:\n\nTraceback (most recent call last):\n  File
> "/usr/lib/python3.9/site-packages/requests/adapters.py", line
> 439, in send\n    resp = conn.urlopen(\n  File
> "/usr/lib/python3.9/site-packages/urllib3/connectionpool.py",
> line 756, in urlopen\n    retries = retries.increment(\n  File
> "/usr/lib/python3.9/site-packages/urllib3/util/retry.py", line
> 576, in increment\n    raise MaxRetryError(_pool, url, error or
> ResponseError(cause))\nurllib3.exceptions.MaxRetryError:
> HTTPSConnectionPool(host=\'ipa1.lesbg.com\', port=8443): Max
> retries exceeded with url: /ca/rest/account/login (Caused by
> SSLError(SSLCertVerificationError(1, \'[SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has
> expired (_ssl.c:1129)\')))\n\nDuring handling of the above exception,
> another exception occurred:\n\nTraceback (most recent call last):\n  File
> "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line
> 41, in <module>\n    cli.execute(sys.argv)\n  File
> "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py",
> line 144, in execute\n    super().execute(args)\n  File
> "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217,
> in execute\n    module.execute(module_args)\n  File
> "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217,
> in execute\n    module.execute(module_args)\n  File
> "/usr/lib/python3.9/site-packages/pki/server/cli/cert.py", line
> 1467, in execute\n    instance.cert_create(\n  File
> "/usr/lib/python3.9/site-packages/pki/server/instance.py", line
> 980, in cert_create\n    connection =
> pki.server.PKIServer.setup_password_authentication(\n  File
> "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line
> 1420, in setup_password_authentication\n    account_client.login()\n  File
> "/usr/lib/python3.9/site-packages/pki/__init__.py", line 432, in
> handler\n    return fn_call(inst, *args, **kwargs)\n  File
> "/usr/lib/python3.9/site-packages/pki/account.py", line 68, in
> login\n    self.connection.get(self.login_url)\n  File
> "/usr/lib/python3.9/site-packages/pki/client.py", line 56, in
> wrapper\n    return func(self, *args, **kwargs)\n  File
> "/usr/lib/python3.9/site-packages/pki/client.py", line 263, in
> get\n    r = self.session.get(\n  File
> "/usr/lib/python3.9/site-packages/requests/sessions.py", line
> 557, in get\n    return self.request(\'GET\', url, **kwargs)\n
> File "/usr/lib/python3.9/site-packages/requests/sessions.py",
> line 544, in request\n    resp = self.send(prep, **send_kwargs)\n  File
> "/usr/lib/python3.9/site-packages/requests/sessions.py", line
> 657, in send\n    r = adapter.send(request, **kwargs)\n  File
> "/usr/lib/python3.9/site-packages/requests/adapters.py", line
> 514, in send\n    raise SSLError(e,
> request=request)\nrequests.exceptions.SSLError:
> HTTPSConnectionPool(host=\'ipa1.lesbg.com\', port=8443): Max
> retries exceeded with url: /ca/rest/account/login (Caused by
> SSLError(SSLCertVerificationError(1, \'[SSL:
> CERTIFICATE_VERIFY_FAILED] certificate verify failed: certificate has
> expired (_ssl.c:1129)\')))\n')
> The ipa-cert-fix command failed.
>
> [root@ipa1 ~]# curl -k
> http://ipa1.lesbg.com:8080/ca/admin/ca/getStatus
> curl: (7) Failed to connect to ipa1.lesbg.com port 8080: Connection
> refused
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
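Added example, not from this thread or from FreeIPA/certmonger: a small Python checker for the `getcert list` output Flo asks for. It flags tracked certificates that are already expired or close to expiry, the state the quoted ipa-cert-fix run hit when TLS verification against the CA on port 8443 failed, and also flags requests certmonger can no longer renew on its own (stuck, or not in MONITORING). The sample output, request IDs and dates are constructed; only the realm and subjects mirror the thread.

```python
from datetime import datetime, timedelta, timezone

# Constructed, abbreviated `getcert list` output; subjects mirror the thread, dates/IDs are made up.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20230101000001':
\tstatus: MONITORING
\tstuck: no
\tsubject: CN=ipa1.lesbg.com,O=LOCAL.LESBG.COM
\texpires: 2024-10-02 10:19:00 UTC
Request ID '20230101000002':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\tsubject: CN=CA Subsystem,O=LOCAL.LESBG.COM
\texpires: 2024-11-01 00:00:00 UTC
"""


def parse_getcert_list(text):
    """Split `getcert list` output into one dict of fields per tracked request."""
    entries, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"request_id": line[len("Request ID '"):].rstrip("':")}
            entries.append(current)
        elif current is not None and line.startswith("\t") and ": " in line:
            key, _, value = line.strip().partition(": ")
            current[key] = value.strip()
    return entries


def _parse_utc(stamp):
    """certmonger prints timestamps like '2024-10-02 10:19:00 UTC'."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def cert_findings(text, now_str, warn_days=30):
    """Per tracked cert: EXPIRED / EXPIRING / OK at now_str, plus whether auto-renewal is blocked."""
    now = _parse_utc(now_str)
    findings = []
    for e in parse_getcert_list(text):
        exp = _parse_utc(e["expires"])
        if exp <= now:
            expiry = "EXPIRED"
        elif exp - now <= timedelta(days=warn_days):
            expiry = "EXPIRING"
        else:
            expiry = "OK"
        # certmonger only renews on its own while the request is MONITORING and not stuck
        blocked = e.get("stuck") == "yes" or e.get("status") != "MONITORING"
        findings.append({"subject": e["subject"], "expiry": expiry, "renewal_blocked": blocked})
    return findings
```

Run it against real output with `cert_findings(open("getcert.txt").read(), "<current UTC time>")`; anything EXPIRED or renewal_blocked is what needs attention before a recovery tool like ipa-cert-fix is attempted.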
