> What directions did you follow from Flo's blog? It looks like on the CA
> signing cert was updated. Is that all you did?

Yes - at this stage only the CA signing cert was expired and updated. I also
had to update the CA cert chain because the certs for the sub-CA changed (even
though the old one was still before expiration, I think the AD admins redid it
at some point). I used a combination of this post:
https://floblanc.wordpress.com/2017/09/11/troubleshooting-freeipa-pki-tomcatd-fails-to-start/
and this post, plus some comments back and forth with Florence on the post, until
we moved the discussion here:
https://floblanc.wordpress.com/2017/12/05/demystifying-the-certificate-authority-component-in-freeipa/

> 
> I think at this point you should try running ipa-cert-fix.

Unfortunately that fails:

# ipa-cert-fix
Failed to get Server-Cert
The ipa-cert-fix command failed.
# ipa-cert-fix --verbose
ipapython.admintool: DEBUG: Not logging to a file
ipalib.install.sysrestore: DEBUG: Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.installutils: DEBUG: httpd is configured
ipaserver.install.installutils: DEBUG: kadmin is configured
ipaserver.install.installutils: DEBUG: dirsrv is configured
ipaserver.install.installutils: DEBUG: pki-tomcatd is configured
ipaserver.install.installutils: DEBUG: install is not configured
ipaserver.install.installutils: DEBUG: krb5kdc is configured
ipaserver.install.installutils: DEBUG: ntpd is configured
ipaserver.install.installutils: DEBUG: named is not configured
ipaserver.install.installutils: DEBUG: filestore has files
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=pki-server cert-fix --help
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=Usage: pki-server cert-fix [OPTIONS]

      --cert <Cert ID>            Fix specified system cert (default: all 
certs).
      --extra-cert <Serial>       Also renew cert with given serial number.
      --agent-uid <String>        UID of Dogtag agent user
      --ldapi-socket <Path>       Path to DS LDAPI socket
  -i, --instance <instance ID>    Instance ID (default: pki-tomcat).
  -v, --verbose                   Run in verbose mode.
      --debug                     Run in debug mode.
      --help                      Show help message.


ipapython.ipautil: DEBUG: stderr=
ipalib.plugable: DEBUG: importing all plugin modules in ipaserver.plugins...
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.aci
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automember
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.automount
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseldap
ipalib.plugable: DEBUG: ipaserver.plugins.baseldap is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.baseuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.batch
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ca
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.caacl
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.cert
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certmap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.certprofile
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.config
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.delegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dns
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dnsserver
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.dogtag
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.domainlevel
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.group
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbac
ipalib.plugable: DEBUG: ipaserver.plugins.hbac is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacrule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbacsvcgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hbactest
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.host
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.hostgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idrange
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.idviews
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.internal
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.join
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.krbtpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ldap2
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.location
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.migration
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.misc
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.netgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otp
ipalib.plugable: DEBUG: ipaserver.plugins.otp is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otpconfig
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.otptoken
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.passwd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.permission
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.ping
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pkinit
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.privilege
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.pwpolicy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.rabase
ipalib.plugable: DEBUG: ipaserver.plugins.rabase is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.radiusproxy
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.realmdomains
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.role
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.schema
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selfservice
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.selinuxusermap
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.server
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverrole
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.serverroles
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.service
ipalib.plugable: DEBUG: importing plugin module 
ipaserver.plugins.servicedelegation
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.session
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.stageuser
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudo
ipalib.plugable: DEBUG: ipaserver.plugins.sudo is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmd
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudocmdgroup
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.sudorule
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.topology
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.trust
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.user
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.vault
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.virtual
ipalib.plugable: DEBUG: ipaserver.plugins.virtual is not a valid plugin module
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.whoami
ipalib.plugable: DEBUG: importing plugin module ipaserver.plugins.xmlserver
ipalib.backend: DEBUG: Created connection context.ldap2_139844927169552
ipalib.install.sysrestore: DEBUG: Loading StateFile from 
'/var/lib/ipa/sysrestore/sysrestore.state'
ipalib.install.sysrestore: DEBUG: Loading Index file from 
'/var/lib/ipa/sysrestore/sysrestore.index'
ipaserver.install.dsinstance: DEBUG: Trying to find certificate subject base in 
sysupgrade
ipalib.install.sysrestore: DEBUG: Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
ipalib.install.sysrestore: DEBUG: Loading StateFile from 
'/var/lib/ipa/sysupgrade/sysupgrade.state'
ipaserver.install.dsinstance: DEBUG: Found certificate subject base in 
sysupgrade: O=[DOMAIN]
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache 
url=ldapi://%2fvar%2frun%2fslapd-[DOMAIN].socket 
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f302ea1ca70>
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n Server-Cert cert-pki-ca -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[CENSORED]
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n subsystemCert cert-pki-ca -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[CENSORED]
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n ocspSigningCert cert-pki-ca -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[CENSORED]
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n auditSigningCert cert-pki-ca -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=0
ipapython.ipautil: DEBUG: stdout=-----BEGIN CERTIFICATE-----
[CENSORED]
-----END CERTIFICATE-----

ipapython.ipautil: DEBUG: stderr=
ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n transportCert cert-pki-kra -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: transportCert 
cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n storageCert cert-pki-kra -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: storageCert 
cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d 
dbm:/etc/pki/pki-tomcat/alias -L -n auditSigningCert cert-pki-kra -a -f 
/etc/pki/pki-tomcat/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: 
auditSigningCert cert-pki-kra
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n 
Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.admintool: DEBUG:   File 
"/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", 
line 100, in run
    certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", 
line 142, in expired_certs
    return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", 
line 191, in expired_ipa_certs
    cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in 
get_cert
    raise RuntimeError("Failed to get %s" % nickname)

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: 
RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.
#

I assume this is failing because pki-tomcat is not running, but I'm not 100% 
sure on that... but if it is, it is a chicken-and-egg problem because 
pki-tomcat won't start because it doesn't like the certs...

Alternatively, it is failing because the certs are not actually named
"Server-Cert".
-- 
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
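The traceback above shows what ipa-cert-fix actually does before it fails: it asks certutil for a fixed list of nicknames in /etc/pki/pki-tomcat/alias and /etc/httpd/alias, and aborts on the first required one it cannot find. A quick way to test the "the certs are not actually named Server-Cert" hypothesis without touching pki-tomcat is to list the nicknames the NSS databases really contain and diff them against that list. The script below is an added example written for this thread, not code from the FreeIPA project: it parses the listing that `certutil -d <db> -L` prints and reports the missing nicknames. The expected nicknames are copied from the certutil calls in the log; the KRA nicknames are treated as optional because, in the log, their lookups failed without aborting the tool (assumption: no KRA is installed on this server). The two listings embedded in the block are constructed sample data so the parser can be exercised offline.

```python
"""Compare the nicknames in an NSS database with the ones ipa-cert-fix asks for.

Added example, not part of the FreeIPA project. Parses `certutil -L` listing
output and reports expected nicknames that are absent from the database.
"""
import re
import shutil
import subprocess

# Nicknames taken from the certutil invocations in the ipa-cert-fix --verbose log.
EXPECTED = {
    "/etc/pki/pki-tomcat/alias": [
        "Server-Cert cert-pki-ca",
        "subsystemCert cert-pki-ca",
        "ocspSigningCert cert-pki-ca",
        "auditSigningCert cert-pki-ca",
    ],
    "/etc/httpd/alias": ["Server-Cert"],
}
# In the log these lookups failed with return code 255 but the tool carried on,
# so they are reported separately (assumption: optional because no KRA is installed).
OPTIONAL_KRA = [
    "transportCert cert-pki-kra",
    "storageCert cert-pki-kra",
    "auditSigningCert cert-pki-kra",
]

# Trust attributes look like "u,u,u", "CT,C,C" or ",," and never contain spaces;
# nicknames, by contrast, often do ("Server-Cert cert-pki-ca").
TRUST_RE = re.compile(r"^[CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*$")

# Constructed sample listings (not taken from the poster's server).
SAMPLE_PKI_TOMCAT = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
Server-Cert cert-pki-ca                                      u,u,u
"""

SAMPLE_HTTPD = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          CT,C,C
ipaCert                                                      u,u,u
"""


def parse_certutil_listing(text):
    """Return {nickname: trust_flags} from the text printed by `certutil -L`."""
    certs = {}
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        parts = line.rsplit(None, 1)  # split nickname from the trailing trust column
        if len(parts) != 2:
            continue  # second header line ("SSL,S/MIME,JAR/XPI") has one token only
        nick, trust = parts
        if nick.startswith("Certificate Nickname") or not TRUST_RE.match(trust):
            continue  # first header line, or something that is not a trust column
        certs[nick.rstrip()] = trust
    return certs


def missing_nicknames(certs, expected):
    """Return the expected nicknames that the parsed listing does not contain."""
    return [nick for nick in expected if nick not in certs]


def list_nss_db(db_dir):
    """Run certutil against a real database; None when certutil is not installed."""
    if shutil.which("certutil") is None:
        return None
    proc = subprocess.run(
        ["certutil", "-d", "dbm:" + db_dir, "-L"],
        capture_output=True, text=True, check=False,
    )
    return parse_certutil_listing(proc.stdout)


def report(listings):
    """listings: {db_dir: listing_text}. Returns {db_dir: missing required nicknames}."""
    result = {}
    for db_dir, text in listings.items():
        certs = parse_certutil_listing(text)
        result[db_dir] = missing_nicknames(certs, EXPECTED.get(db_dir, []))
    return result


if __name__ == "__main__":
    # On a real server: enumerate the two databases and print what is missing.
    for db_dir, expected in EXPECTED.items():
        certs = list_nss_db(db_dir)
        if certs is None:
            print("certutil not found; skipping", db_dir)
            continue
        print(db_dir, "present:", sorted(certs))
        print(db_dir, "missing required:", missing_nicknames(certs, expected))
        if db_dir == "/etc/pki/pki-tomcat/alias":
            print(db_dir, "missing KRA (optional):", missing_nicknames(certs, OPTIONAL_KRA))
```

Run as root on the IPA server; the listing only reads the databases, so it is safe while pki-tomcat is down. If /etc/httpd/alias shows a nickname other than Server-Cert for the web server certificate (the constructed sample deliberately shows that case), that is the mismatch the traceback is complaining about, and it is worth settling before any renewal steps are attempted.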