Sigbjorn Lie wrote:

Thank you for your prompt reply Rob.

On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
Sigbjorn Lie wrote:


I seem to have issues with the certificate system on my IPA installation. 
Looking up hosts in
the IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno 
-8015] error

I also notice that hosts says the certificate system is unavailable.

certmonger: Server failed request, will retry: 4301 (RPC failed at server.  
operation cannot be completed: Failure decoding Certificate Signing Request).

Looking at the pki-ca logs on the ipa servers I see that some selftest failed:

# tail -100 selftests.log
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: 
Initializing self test
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading 
all self test
plugin logger parameters 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] 
loading all self test plugin instances 28697.main - [13/Jan/2014:15:06:33 CET] 
[20] [1]
SelfTestSubsystem:  loading all self test plugin
instance parameters 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] 
SelfTestSubsystem:  loading
self test plugins in on-demand order 28697.main - [13/Jan/2014:15:06:33 CET] 
[20] [1]
SelfTestSubsystem:  loading self test plugins in
startup order 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] 
SelfTestSubsystem: Self test
plugins have been successfully loaded! 28697.main - [13/Jan/2014:15:06:34 CET] 
[20] [1]
SelfTestSubsystem: Running self test plugins
specified to be executed at startup: 28697.main - [13/Jan/2014:15:06:34 CET] 
[20] [1] CAPresence:
CA is present
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: 
system certs
verification failure 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] 
SelfTestSubsystem: The
CRITICAL self test plugin
called selftests.container.instance.SystemCertsVerification running at startup 

the pki-cad service is running and "pki-cad status" displays the ports 
/etc/init.d/pki-cad status
pki-ca (pid 28697) is running...                           [  OK  ]

My main consern is that the certmonger requests for renew of certificates for 
LDAP on 2 out of
of the IPA servers has failed, and the current certificate is expiring the 19th 
of January,
under a week from now.

Do you have any suggestions to where I can start troubleshootng this issue?

Check the trust on the audit certificate:

# certutil -L -d /var/lib/pki-ca/alias/
auditSigningCert cert-pki-ca                                 u,u,Pu

All the 3 ipa servers return u,u,Pu for auditSigningCert

# certutil -L -d /var/lib/pki-ca/alias/

Certificate Nickname                                         Trust Attributes

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

If the trust is not u,u,Pu then you can fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca'
-t u,u,Pu

Then restart the CA and it should be ok.

I have restarted the dirsrv for PKI-IPA, and the pki-cad service on all 3 IPA 

What is the status on the failed certmonger requests?

After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of the 
request is now:

Request ID '20120119194518':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 907 (RPC failed at server. 
 cannot connect to
'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269]
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
        stuck: yes
        key pair storage:
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=DNS-DOMAIN
        subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
        expires: 2014-01-19 19:45:18 UTC
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command:
        track: yes
        auto-renew: yes

However I cannot find the certificate that's expired?

Can provide the output of getcert rather than ipa-getcert? It will show additional certificates that are issued/renewed outside of the IPA API.


Freeipa-users mailing list

Reply via email to