Hi,

Thank you for your prompt reply Rob.

On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>
>> Hi,
>>
>> I seem to have issues with the certificate system on my IPA installation. Looking up hosts in the IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno -8015] error (-8015) unknown".
>>
>> I also notice that hosts says the certificate system is unavailable.
>>
>> certmonger: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>>
>> Looking at the pki-ca logs on the ipa servers I see that some selftest failed:
>>
>> # tail -100 selftests.log
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading all self test plugin instances
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence: CA is present
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs verification failure
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>
>> the pki-cad service is running and "pki-cad status" displays the ports available.
>> /etc/init.d/pki-cad status
>> pki-ca (pid 28697) is running... [ OK ]
>>
>> My main concern is that the certmonger requests for renew of certificates for LDAP on 2 out of 3 of the IPA servers has failed, and the current certificate is expiring the 19th of January, under a week from now.
>>
>> Do you have any suggestions to where I can start troubleshooting this issue?
>>
>
> Check the trust on the audit certificate:
>
> # certutil -L -d /var/lib/pki-ca/alias/
> ...
> auditSigningCert cert-pki-ca u,u,Pu

All the 3 ipa servers return u,u,Pu for auditSigningCert

# certutil -L -d /var/lib/pki-ca/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

> If the trust is not u,u,Pu then you can fix it with:
>
> # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu
>
> Then restart the CA and it should be ok.

I have restarted the dirsrv for PKI-IPA, and the pki-cad service on all 3 IPA servers.

> What is the status on the failed certmonger requests?

After I restarted dirsrv, pki-cad and then the httpd on ipa01 the status of the request is now:

Request ID '20120119194518':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=DNS-DOMAIN
	subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
	expires: 2014-01-19 19:45:18 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

However I cannot find the certificate that's expired?

Regards,
Siggi

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
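As an added example (not code from the thread or from FreeIPA/certmonger), the two checks discussed above scripted for all servers at once: parsing `certutil -L` output to verify the audit certificate carries `u,u,Pu`, and parsing `getcert list` output to flag tracking requests whose certificate expires within a week. Both sample outputs are constructed to mirror the thread; the `getcert` field subset and the reference date are assumptions.

```python
import re
from datetime import datetime, timedelta
# Constructed sample of `certutil -L -d /var/lib/pki-ca/alias/` output (mirrors the thread).
CERTUTIL_OUTPUT = """\
Certificate Nickname                      Trust Attributes
                                          SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca                 CTu,Cu,Cu
Server-Cert cert-pki-ca                   u,u,u
auditSigningCert cert-pki-ca              u,u,Pu
ocspSigningCert cert-pki-ca               u,u,u
subsystemCert cert-pki-ca                 u,u,u
"""
# Constructed sample of one `getcert list` request block (field subset as shown in the thread).
GETCERT_OUTPUT = """\
Request ID '20120119194518':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 907 (RPC failed at server.).
    subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
    expires: 2014-01-19 19:45:18 UTC
    pre-save command:
    auto-renew: yes
"""
# Trust flags the CA self-test expects; the audit cert needs P in the object-signing slot.
EXPECTED_TRUST = {"auditSigningCert cert-pki-ca": "u,u,Pu", "caSigningCert cert-pki-ca": "CTu,Cu,Cu"}

def parse_certutil(text):
    """Map nickname -> trust flags; only data rows end in a three-slot a,b,c flag field."""
    rows = (re.match(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$", l.rstrip()) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in rows if m}

def trust_problems(certs, expected=EXPECTED_TRUST):
    """(nickname, actual, expected) for every certificate whose trust flags differ or are missing."""
    return [(n, certs.get(n), t) for n, t in expected.items() if certs.get(n) != t]

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per tracking request."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            requests.append({"id": m.group(1)})
        elif requests and (m := re.match(r"^\s+([\w -]+?): ?(.*)$", line)):
            requests[-1][m.group(1)] = m.group(2)
    return requests

def expiring(requests, now, days=7):
    """Requests whose certificate expires within `days` of `now` (naive UTC datetimes)."""
    return [(r["id"], r.get("status"), exp) for r in requests
            if (exp := datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")) - now <= timedelta(days=days)]
```

Run the same parsers over the real output of each IPA server to compare all three at once instead of eyeballing the trust column host by host.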