Yavor Marinov wrote:
> Actually... it's really strange, because I see 36 certificates tracked
> from the web interface of FreeIPA, but when I do getcert list I see only
> 12 certificates tracked and most of them are with status CA_UNREACHABLE.
> The most important question is... will I have problems with those
> certificates when they start to expire? Is there a way to clean up all
> certificates from IPA which are not in use by the system itself, as
> it seems there are issues with the certificates?

certmonger uses a queueing system so it doesn't spam the CA with requests.
If you want to try to force a renewal you can restart the certmonger
service.

Not all certificates are tracked by certmonger on a given machine. This is
expected. Those other 24 certificates may belong to an IPA replica or to
some other service you've issued certificates for.

rob

> getcert list | egrep '^Request|status:|subject:|expires:|ca-error:'
>
> Request ID '20230329162435':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=IPA RA,O=EXAMPLE.NET
>         expires: 2025-03-18 21:54:35 IST
> Request ID '20230329162440':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=CA Audit,O=EXAMPLE.NET
>         expires: 2025-03-18 21:53:22 IST
> Request ID '20230329162442':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=OCSP Subsystem,O=EXAMPLE.NET
>         expires: 2025-03-18 21:53:03 IST
> Request ID '20230329162443':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=CA Subsystem,O=EXAMPLE.NET
>         expires: 2025-03-18 21:53:15 IST
> Request ID '20230329162444':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=Certificate Authority,O=EXAMPLE.NET
>         expires: 2043-03-29 21:52:55 IST
> Request ID '20230329162445':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
>         expires: 2025-03-18 21:53:10 IST
> Request ID '20230329162450':
>         status: MONITORING
>         subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
>         expires: 2025-03-29 21:54:52 IST
> Request ID '20230329162523':
>         status: MONITORING
>         subject: CN=login.EXAMPLE.net
>         expires: 2025-03-27 12:12:44 IST
> Request ID '20230329162529':
>         status: MONITORING
>         subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
>         expires: 2025-03-29 21:55:30 IST
> Request ID '20230329163030':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=KRA Audit,O=EXAMPLE.NET
>         expires: 2025-03-18 21:59:33 IST
> Request ID '20230329163031':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=KRA Transport Certificate,O=EXAMPLE.NET
>         expires: 2025-03-18 21:59:21 IST
> Request ID '20230329163033':
>         status: CA_UNREACHABLE
>         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         subject: CN=KRA Storage Certificate,O=EXAMPLE.NET
>         expires: 2025-03-18 21:59:27 IST
>
> On Tue, Feb 25, 2025 at 9:48 AM Yavor Marinov <[email protected]> wrote:
> > Hey Rob,
> >
> > This worked like a charm, I just had to --force the command; the
> > [email protected] is running properly. Although when I check with
> > getcert list the certificates still have problems connecting to the CA:
> >
> >         ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >
> > And this is for all certificates. Can you point me to how to fix this,
> > so those certificates can be renewed normally?
> >
> > On Mon, Feb 24, 2025 at 6:41 PM Rob Crittenden <[email protected]> wrote:
> > > I don't know the safest way to address this. Someone tried to deploy a
> > > standalone OCSP server about two weeks ago based on the dates.
> > >
> > > I'm guessing the installation failed. I wasn't able to add one to an IPA
> > > server on RHEL 9.5.
> > >
> > > There be dragons if you attempt the following. I'd recommend a full
> > > system backup prior to starting.
> > >
> > > Normally to remove a subsystem you'd run: pkidestroy -s OCSP -i pki-tomcat
> > >
> > > But that failed for me because there was no registry for the OCSP
> > > service (because installation failed). But still run it. It may do some
> > > things before it dies.
> > >
> > > Manually remove cruft left over:
> > >
> > > rm -rf /etc/pki/pki-tomcat/ocsp
> > > rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat/ocsp
> > > rm -rf /var/lib/pki/pki-tomcat/ocsp
> > > rm -rf /var/log/pki/pki-tomcat/ocsp
> > >
> > > Edit /etc/pki/pki-tomcat/server.xml
> > >
> > > Find certificateKeyAlias="sslserver"
> > >
> > > Replace sslserver with Server-Cert cert-pki-ca
> > >
> > > The CA at least starts now. I did a couple of test operations and things
> > > seem to be working ok but who knows for sure.
> > >
> > > rob
> > >
> > > Yavor Marinov wrote:
> > > > Hey Rob,
> > > >
> > > > The directory is there but I don't remember enabling the OCSP service.
> > > > Here is the content of the directory:
> > > >
> > > > [root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
> > > > total 0
> > > > lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf -> /etc/pki/pki-tomcat/ocsp
> > > > lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs -> /var/log/pki/pki-tomcat/ocsp
> > > > lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry -> /etc/sysconfig/pki/tomcat/pki-tomcat
> > > >
> > > > On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:
> > > > > Yavor Marinov via FreeIPA-users wrote:
> > > > > > Hello all,
> > > > > >
> > > > > > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will
> > > > > > expire soon, on the 18th of March, I had to check and renew them. But
> > > > > > upon trying I saw that all tracked certificates are reporting that they
> > > > > > couldn't connect to server. Further checking I've found that
> > > > > > [email protected] is not running and the error which the
> > > > > > service produces looks like this:
> > > > > >
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     cli.execute(sys.argv)
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().execute(args)
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     module.execute(module_args)
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     instance.init()
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().init()
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.enable_subsystems()
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     subsystem.enable()
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.instance.deploy_webapp(
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     document = etree.parse(descriptor, parser)
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
> > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> > > > > >
> > > > > > Any help will be much appreciated as I have to upgrade the certificates
> > > > > > within a month.
> > > > >
> > > > > Did someone try to enable a standalone OCSP service?
> > > > >
> > > > > Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
> > > > >
> > > > > rob

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
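A defender's check for the question raised in this thread (which certmonger-tracked certificates are blocked from renewing and close to expiry), written as an added example and not code from FreeIPA, certmonger or anyone on the list. It parses the egrep-filtered `getcert list` shape shown above from a constructed sample, and assumes the `expires:` stamps can be compared as naive local time after dropping the zone abbreviation.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the shape of the thread's `getcert list | egrep ...` output.
SAMPLE = """\
Request ID '20230329162435':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        subject: CN=IPA RA,O=EXAMPLE.NET
        expires: 2025-03-18 21:54:35 IST
Request ID '20230329162444':
        status: CA_UNREACHABLE
        ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        subject: CN=Certificate Authority,O=EXAMPLE.NET
        expires: 2043-03-29 21:52:55 IST
Request ID '20230329162450':
        status: MONITORING
        subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
        expires: 2025-03-29 21:54:52 IST
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
FIELD_RE = re.compile(r"^\s*(status|ca-error|subject|expires):\s*(.*)$")

def parse_getcert(text):
    """One dict per tracked request; fields are whatever lines egrep let through."""
    records, cur = [], None
    for line in text.splitlines():
        if m := REQUEST_RE.match(line):
            cur = {"id": m.group(1)}
            records.append(cur)
        elif cur is not None and (m := FIELD_RE.match(line)):
            cur[m.group(1)] = m.group(2).strip()
    return records

def expiry(rec):
    # getcert prints local time plus a zone abbreviation (IST here); drop the
    # abbreviation and compare as naive local time, same as the `now` passed in.
    return datetime.strptime(rec["expires"].rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")

def at_risk(records, now, horizon_days=30):
    """Tracked certs NOT in MONITORING (renewal blocked, e.g. CA_UNREACHABLE) that
    expire within horizon_days: the CA must be reachable again before they lapse."""
    deadline = now + timedelta(days=horizon_days)
    hits = [(r["id"], r.get("subject", ""), (expiry(r) - now).days)
            for r in records if r.get("status") != "MONITORING" and expiry(r) <= deadline]
    return sorted(hits, key=lambda t: t[2])
```

Run against the real output (`getcert list | egrep '^Request|status:|subject:|expires:|ca-error:'`) with today's date as `now`; an empty result means every blocked request still has more than the horizon left.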
