Hey Rob,

Your input confirms my understanding. Again, thank you very much for your
guidance ;)

On Tue, Feb 25, 2025 at 4:30 PM Rob Crittenden <[email protected]> wrote:

> Yavor Marinov wrote:
> > Hey Rob,
> >
> > After restarting certmonger all certificates are monitored, thanks a lot
> > for your guidance.
> > One more question - do I need to renew those certificates, or will they
> > be renewed automatically?
>
> It depends on how the certificates were issued. Certificates issued and
> tracked by certmonger should now be renewed. It normally uses a back-off
> algo to try renewals: 28 days, 14 days, ... With the CA being
> unreachable some may be in the queue to try again sooner.
>
> If the certificates were issued manually, like using request certificate
> in the web UI or ipa cert-request on the cli then it's up to the
> requestor to handle renewal.
>
> rob
>
> >
> > On Tue, Feb 25, 2025 at 4:03 PM Rob Crittenden <[email protected]> wrote:
> >
> >     Yavor Marinov wrote:
> >     > Actually.. it's really strange, because I see 36 certificates tracked
> >     > from the web interface of FreeIPA, but when I do getcert list I see only
> >     > 12 certificates tracked and most of them are with status CA_UNREACHABLE.
> >     > The most important question is... will I have problems with those
> >     > certificates when they start to expire? Is there a way to clean up all
> >     > certificates from IPA which are not in use by the system itself, as
> >     > it seems there are issues with the certificates?
> >
> >     certmonger uses a queueing system so it doesn't spam the CA with
> >     requests. If you want to try to force a renewal you can restart the
> >     certmonger service.
> >
> >     Not all certificates are tracked by certmonger on a given machine. This
> >     is expected. Those other 24 certificates may belong to an IPA replica or
> >     to some other service you've issued certificates for.
> >
> >     rob
> >
> >     > getcert list | egrep '^Request|status:|subject:|expires:|ca-error:'
> >     >
> >     > Request ID '20230329162435':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=IPA RA,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:54:35 IST
> >     > Request ID '20230329162440':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=CA Audit,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:53:22 IST
> >     > Request ID '20230329162442':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=OCSP Subsystem,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:53:03 IST
> >     > Request ID '20230329162443':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=CA Subsystem,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:53:15 IST
> >     > Request ID '20230329162444':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=Certificate Authority,O=EXAMPLE.NET
> >     > expires: 2043-03-29 21:52:55 IST
> >     > Request ID '20230329162445':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:53:10 IST
> >     > Request ID '20230329162450':
> >     > status: MONITORING
> >     > subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
> >     > expires: 2025-03-29 21:54:52 IST
> >     > Request ID '20230329162523':
> >     > status: MONITORING
> >     > subject: CN=login.EXAMPLE.net
> >     > expires: 2025-03-27 12:12:44 IST
> >     > Request ID '20230329162529':
> >     > status: MONITORING
> >     > subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
> >     > expires: 2025-03-29 21:55:30 IST
> >     > Request ID '20230329163030':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=KRA Audit,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:59:33 IST
> >     > Request ID '20230329163031':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=KRA Transport Certificate,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:59:21 IST
> >     > Request ID '20230329163033':
> >     > status: CA_UNREACHABLE
> >     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     > subject: CN=KRA Storage Certificate,O=EXAMPLE.NET
> >     > expires: 2025-03-18 21:59:27 IST
> >     >
> >     > On Tue, Feb 25, 2025 at 9:48 AM Yavor Marinov <[email protected]> wrote:
> >     >
> >     >     Hey Rob,
> >     >
> >     >     This worked like a charm, I just had to --force the command,
> >     >     the [email protected] is running properly. Although
> >     >     when I check with getcert list the certificates still have problems
> >     >     connecting to CA:
> >     >
> >     >      ca-error: Error 7 connecting to
> >     >     http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't
> >     >     connect to server.
> >     >
> >     >     And this is for all certificates, can you point me how to fix this,
> >     >     so those certificates can be renewed normally?
> >     >
> >     >     On Mon, Feb 24, 2025 at 6:41 PM Rob Crittenden <[email protected]> wrote:
> >     >
> >     >         I don't know the safest way to address this. Someone tried to
> >     >         deploy a standalone OCSP server about two weeks ago based on the
> >     >         dates.
> >     >
> >     >         I'm guessing the installation failed. I wasn't able to add one
> >     >         to an IPA server on RHEL 9.5.
> >     >
> >     >         There be dragons if you attempt the following. I'd recommend a
> >     >         full system backup prior to starting.
> >     >
> >     >         Normally to remove a subsystem you'd run: pkidestroy -s OCSP -i
> >     >         pki-tomcat
> >     >
> >     >         But that failed for me because there was no registry for the OCSP
> >     >         service (because installation failed). But still run it. It may
> >     >         do some things before it dies.
> >     >
> >     >         Manually remove cruft left over:
> >     >
> >     >         rm -rf /etc/pki/pki-tomcat/ocsp
> >     >         rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat/ocsp
> >     >         rm -rf /var/lib/pki/pki-tomcat/ocsp
> >     >         rm -rf /var/log/pki/pki-tomcat/ocsp
> >     >
> >     >         Edit /etc/pki/pki-tomcat/server.xml
> >     >
> >     >         Find certificateKeyAlias="sslserver"
> >     >
> >     >         Replace sslserver with Server-Cert cert-pki-ca
> >     >
> >     >         The CA at least starts now. I did a couple of test operations
> >     >         and things seem to be working ok but who knows for sure.
> >     >
> >     >         rob
> >     >
> >     >         Yavor Marinov wrote:
> >     >         > Hey Rob,
> >     >         >
> >     >         > The directory is there but I don't remember enabling the OCSP
> >     >         > service. Here is the content of the directory:
> >     >         >
> >     >         > [root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
> >     >         > total 0
> >     >         > lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf ->
> >     >         > /etc/pki/pki-tomcat/ocsp
> >     >         > lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs ->
> >     >         > /var/log/pki/pki-tomcat/ocsp
> >     >         > lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry ->
> >     >         > /etc/sysconfig/pki/tomcat/pki-tomcat
> >     >         >
> >     >         >
> >     >         >
> >     >         > On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:
> >     >         >
> >     >         >     Yavor Marinov via FreeIPA-users wrote:
> >     >         >     > Hello all,
> >     >         >     >
> >     >         >     > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will
> >     >         >     > expire soon, on the 18th of March, I had to check and renew them. But
> >     >         >     > upon trying I saw that all tracked certificates are reporting that
> >     >         >     > they couldn't connect to server. Further checking I've found that
> >     >         >     > [email protected] is not running and the error which the
> >     >         >     > service produces looks like this:
> >     >         >     >
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     cli.execute(sys.argv)
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().execute(args)
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     module.execute(module_args)
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     instance.init()
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().init()
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.enable_subsystems()
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     subsystem.enable()
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.instance.deploy_webapp(
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     document = etree.parse(descriptor, parser)
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
> >     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> >     >         >     >
> >     >         >     > Any help will be much appreciated as I have to upgrade the
> >     >         >     > certificates within a month.
> >     >         >
> >     >         >     Did someone try to enable a standalone OCSP service?
> >     >         >
> >     >         >     Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
> >     >         >
> >     >         >     rob
> >     >         >
> >     >
> >
>
>
-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
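The `getcert list` excerpt in the thread is the kind of output an admin has to read by hand when the CA goes down. The script below is an added example, not code from the thread, certmonger or FreeIPA: it parses that line-oriented format (the `egrep`-filtered form shown above), flags every record that is not in MONITORING or falls inside certmonger's 28-day renewal window that Rob mentions, and pulls out the distinct CA endpoints behind the CA_UNREACHABLE errors. The records in SAMPLE are constructed from the fields the thread shows; dropping the `IST` suffix and treating `expires:` as naive local time is an assumption (day granularity is all the triage needs).

```python
"""Triage certmonger tracking records from `getcert list` output.

Added example, not code from the thread, certmonger or FreeIPA. SAMPLE is a
constructed excerpt in the shape of
    getcert list | egrep '^Request|status:|subject:|expires:|ca-error:'
The `expires:` stamp is parsed as naive local time with the timezone
abbreviation dropped (assumption: day granularity is enough here).
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from datetime import datetime

AS_OF = datetime(2025, 2, 25)   # the day the thread was written

SAMPLE = """\
Request ID '20230329162435':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
subject: CN=IPA RA,O=EXAMPLE.NET
expires: 2025-03-18 21:54:35 IST
Request ID '20230329162444':
status: CA_UNREACHABLE
ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
subject: CN=Certificate Authority,O=EXAMPLE.NET
expires: 2043-03-29 21:52:55 IST
Request ID '20230329162450':
status: MONITORING
subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
expires: 2025-03-29 21:54:52 IST
"""

RE_REQUEST = re.compile(r"^Request ID '([^']+)':")
RE_FIELD = re.compile(r"^\s*(status|ca-error|subject|expires):\s*(.*)$")
RE_CA_URL = re.compile(r"https?://[^\s:]+:\d+[^\s:]*")   # endpoint inside a ca-error line


@dataclass
class TrackedCert:
    request_id: str
    status: str = ""
    subject: str = ""
    ca_error: str = ""
    expires: datetime | None = None


def parse_getcert(text: str) -> list[TrackedCert]:
    """One record per `Request ID` line; the field lines that follow belong to it."""
    certs: list[TrackedCert] = []
    for line in text.splitlines():
        if m := RE_REQUEST.match(line):
            certs.append(TrackedCert(request_id=m.group(1)))
            continue
        if not certs or not (m := RE_FIELD.match(line)):
            continue
        key, value = m.group(1), m.group(2).strip()
        cur = certs[-1]
        if key == "status":
            cur.status = value
        elif key == "ca-error":
            cur.ca_error = value
        elif key == "subject":
            cur.subject = value
        else:  # expires: "YYYY-MM-DD HH:MM:SS TZ" -> keep date and time, drop the TZ word
            cur.expires = datetime.strptime(" ".join(value.split()[:2]), "%Y-%m-%d %H:%M:%S")
    return certs


def triage(certs: list[TrackedCert], now: datetime, horizon_days: int = 28) -> list[tuple]:
    """(request_id, subject, days_left, reason) for each record that needs a human:
    not in MONITORING (certmonger cannot renew it until the CA answers again) or
    expiring within horizon_days, where certmonger would normally begin its own
    renewal attempts. Most urgent first."""
    rows = []
    for c in certs:
        days_left = (c.expires - now).days if c.expires else None
        reasons = []
        if c.status != "MONITORING":
            reasons.append(f"status={c.status}")
        if days_left is not None and days_left <= horizon_days:
            reasons.append(f"expires in {days_left}d")
        if reasons:
            rows.append((c.request_id, c.subject, days_left, "; ".join(reasons)))
    rows.sort(key=lambda r: r[2] if r[2] is not None else 10**9)
    return rows


def unreachable_endpoints(certs: list[TrackedCert]) -> set[str]:
    """Distinct CA URLs behind CA_UNREACHABLE records. A single local :8080 URL
    for every record, as in the thread, points at the CA process itself being
    down rather than at one profile or one network path."""
    found = set()
    for c in certs:
        if c.status == "CA_UNREACHABLE" and (m := RE_CA_URL.search(c.ca_error)):
            found.add(m.group(0))
    return found


if __name__ == "__main__":
    tracked = parse_getcert(SAMPLE)
    for row in triage(tracked, now=AS_OF):
        print(*row, sep="  ")
    print("unreachable:", sorted(unreachable_endpoints(tracked)))
```

On a real server feed it the live output (`getcert list | python3 triage.py` with a `sys.stdin.read()` in place of SAMPLE); the point of the `unreachable_endpoints` set is that one failing URL shared by every record is a CA outage, which is exactly what the thread turned out to be, and is fixed on the CA side rather than per certificate.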

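Rob's clean-up of the half-installed OCSP subsystem (the four `rm -rf` paths and the `certificateKeyAlias` edit in server.xml) is the kind of step worth scripting so it can be rehearsed before it is run as root on a CA. The script below is an added example, not code from the thread or from Dogtag/FreeIPA. It takes a root prefix so the procedure can be tried on a copy of the tree, defaults to a dry run, keeps a `.bak` of server.xml, unlinks symlinks instead of following them, and refuses to touch server.xml when the alias attribute is absent, repeated, or set to something other than `sslserver` (that there is exactly one such attribute is an assumption; Rob's note describes one). It does not run `pkidestroy`, which the thread says to try first, and the `rehearse()` fixture is constructed here.

```python
"""Scripted clean-up of a half-installed OCSP subsystem in a pki-tomcat instance.

Added example, not code from the thread or from Dogtag/FreeIPA. Paths are
relative to `root` so the run can be rehearsed on a copy of the tree; on a
live server (root="/") take a full system backup first and run
`pkidestroy -s OCSP -i pki-tomcat` before this, as the thread advises.
"""
from __future__ import annotations

import re
import shutil
import tempfile
from pathlib import Path

# Leftovers named in the thread, relative to the filesystem root.
OCSP_LEFTOVERS = (
    "etc/pki/pki-tomcat/ocsp",
    "etc/sysconfig/pki/tomcat/pki-tomcat/ocsp",
    "var/lib/pki/pki-tomcat/ocsp",
    "var/log/pki/pki-tomcat/ocsp",
)
SERVER_XML = "etc/pki/pki-tomcat/server.xml"
BROKEN_ALIAS = "sslserver"               # alias the failed OCSP install left behind
CA_ALIAS = "Server-Cert cert-pki-ca"     # the CA's own server-cert nickname
ALIAS_RE = re.compile(r'certificateKeyAlias="([^"]*)"')   # assumption: one occurrence


def find_leftovers(root) -> list[Path]:
    """Leftover paths that exist, dangling symlinks included (the `ll` in the
    thread shows conf/logs/registry as symlinks)."""
    return [p for rel in OCSP_LEFTOVERS
            if (p := Path(root, rel)).is_symlink() or p.exists()]


def remove_leftovers(root, dry_run: bool = True) -> list[Path]:
    """Remove (or, in a dry run, only report) the leftovers. Symlinks are
    unlinked, never followed, so a link into a live directory cannot drag
    that directory along."""
    targets = find_leftovers(root)
    if not dry_run:
        for p in targets:
            if p.is_symlink() or p.is_file():
                p.unlink()
            else:
                shutil.rmtree(p)
    return targets


def fix_ssl_alias(server_xml: Path, dry_run: bool = True) -> tuple[str, str] | None:
    """Swap certificateKeyAlias="sslserver" for the CA alias. Returns (old, new)
    when a change is (or would be) made, None when the CA alias is already in
    place. Refuses to guess if the attribute is absent, repeated, or set to
    anything else. A .bak copy is written before the real edit."""
    text = server_xml.read_text()
    aliases = ALIAS_RE.findall(text)
    if len(aliases) != 1:
        raise ValueError(f"expected one certificateKeyAlias in {server_xml}, found {aliases}")
    old = aliases[0]
    if old == CA_ALIAS:
        return None
    if old != BROKEN_ALIAS:
        raise ValueError(f"unexpected alias {old!r} in {server_xml}; not touching it")
    if not dry_run:
        shutil.copy2(server_xml, server_xml.parent / (server_xml.name + ".bak"))
        server_xml.write_text(ALIAS_RE.sub(f'certificateKeyAlias="{CA_ALIAS}"', text, count=1))
    return old, CA_ALIAS


def rehearse() -> dict:
    """Run the procedure against a constructed throwaway tree shaped like the
    thread's leftovers (two directories, one symlink, a server.xml carrying
    the broken alias): dry run first, then for real. Returns what happened."""
    root = Path(tempfile.mkdtemp(prefix="ocsp-cleanup-"))
    try:
        Path(root, OCSP_LEFTOVERS[0]).mkdir(parents=True)
        Path(root, OCSP_LEFTOVERS[1]).mkdir(parents=True)
        link = Path(root, OCSP_LEFTOVERS[2])
        link.parent.mkdir(parents=True)
        link.symlink_to(Path(root, OCSP_LEFTOVERS[0]))
        xml = Path(root, SERVER_XML)
        xml.write_text('<Certificate certificateKeystoreType="pkcs11" '
                       'certificateKeyAlias="sslserver"/>\n')
        report = {
            "dry_would_remove": len(remove_leftovers(root, dry_run=True)),
            "dry_plan": fix_ssl_alias(xml, dry_run=True),
            "still_present_after_dry": len(find_leftovers(root)),
        }
        report["removed"] = len(remove_leftovers(root, dry_run=False))
        report["remaining"] = len(find_leftovers(root))
        report["changed"] = fix_ssl_alias(xml, dry_run=False)
        report["second_run"] = fix_ssl_alias(xml, dry_run=False)   # idempotent: nothing to do
        report["backup_kept"] = (xml.parent / (xml.name + ".bak")).exists()
        report["alias_now"] = ALIAS_RE.findall(xml.read_text())[0]
        return report
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for key, value in rehearse().items():
        print(f"{key}: {value}")
```

Against a real instance, call `remove_leftovers("/", dry_run=True)` and `fix_ssl_alias(Path("/etc/pki/pki-tomcat/server.xml"), dry_run=True)` first and read what they report; only then repeat with `dry_run=False`, and restart pki-tomcatd to see whether the CA comes up as it did for Rob.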