Junhe Jian wrote:
Hello everyone,

I'm new here and have a problem with the IPA Server.

All certificates on our single IPA Server had expired.

Auto-renewal did not work, so I read the documentation at
http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and did it manually.

My server is CentOS 6.4:

  [root@be-ipasrv ~]# rpm -qa | grep ipa

ipa-client-3.0.0-26.el6_4.4.x86_64

ipa-server-3.0.0-26.el6_4.4.x86_64

python-iniparse-0.3.1-2.1.el6.noarch

ipa-python-3.0.0-26.el6_4.4.x86_64

libipa_hbac-1.9.2-82.7.el6_4.x86_64

libipa_hbac-python-1.9.2-82.7.el6_4.x86_64

ipa-pki-common-theme-9.0.3-7.el6.noarch

ipa-admintools-3.0.0-26.el6_4.4.x86_64

ipa-pki-ca-theme-9.0.3-7.el6.noarch

ipa-server-selinux-3.0.0-26.el6_4.4.x86_64

I changed the domain name to EXAMPLE.

The 5 with CA: dogtag-ipa-renew-agent got new certificates and have status
MONITORING.

Only the last 3 with CA: IPA (dirsrv/slapd-PKI-IPA, dirsrv/slapd-EXAMPLE,
/etc/httpd/alias) did not renew and have status CA_UNREACHABLE.

Number of certificates and requests being tracked: 8.

Request ID '20130528090810':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='379816045864'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN=CA Audit,O= EXAMPLE.DE

         expires: 2017-04-29 08:14:24 UTC

         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad

         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"auditSigningCert cert-pki-ca"

         track: yes

         auto-renew: yes

Request ID '20130528090811':

         status: MONITORING

         stuck: no

        key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='379816045864'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN=OCSP Subsystem,O= EXAMPLE.DE

         expires: 2017-04-29 08:13:24 UTC

         eku: id-kp-OCSPSigning

         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad

         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"ocspSigningCert cert-pki-ca"

         track: yes

         auto-renew: yes

Request ID '20130528090812':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin='379816045864'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN=CA Subsystem,O= EXAMPLE.DE

         expires: 2017-04-29 08:13:24 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad

         post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert
"subsystemCert cert-pki-ca"

         track: yes

         auto-renew: yes

Request ID '20130528090813':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS
Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN=IPA RA,O= EXAMPLE.DE

         expires: 2017-04-29 08:13:24 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert

         track: yes

         auto-renew: yes

Request ID '20130528090814':

         status: MONITORING

         stuck: no

         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin='379816045864'

         certificate:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'

         CA: dogtag-ipa-renew-agent

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN= EXAMPLE.de,O= EXAMPLE.DE

         expires: 2017-04-29 08:13:24 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20130528090822':

         status: CA_UNREACHABLE

         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).

         stuck: yes

         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-
EXAMPLE -DE',nickname='Server-Cert',token='NSS Certificate
DB',pinfile='/etc/dirsrv/slapd- EXAMPLE -DE/pwdfile.txt'

         certificate: type=NSSDB,location='/etc/dirsrv/slapd- EXAMPLE
-DE',nickname='Server-Cert',token='NSS Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN=example.de,O= EXAMPLE.DE

         expires: 2015-05-29 09:08:22 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv
EXAMPLE -DE

         track: yes

         auto-renew: yes

Request ID '20130528090849':

         status: CA_UNREACHABLE

         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).

         stuck: yes

         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN=example.de,O= EXAMPLE.DE

         expires: 2015-05-29 09:08:49 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA

         track: yes

         auto-renew: yes

Request ID '20130528090923':

         status: CA_UNREACHABLE

         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).

         stuck: yes

         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O= EXAMPLE.DE

         subject: CN=example.de,O= EXAMPLE.DE

         expires: 2015-05-29 09:09:23 UTC

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command: /usr/lib64/ipa/certmonger/restart_httpd

         track: yes

         auto-renew: yes

Later I updated the OS to CentOS 6.6:

[root@be-ipasrv]# rpm -qa | grep ipa

sssd-ipa-1.11.6-30.el6_6.4.x86_64

ipa-admintools-3.0.0-42.el6.centos.x86_64

ipa-python-3.0.0-42.el6.centos.x86_64

python-iniparse-0.3.1-2.1.el6.noarch

libipa_hbac-python-1.11.6-30.el6_6.4.x86_64

ipa-pki-common-theme-9.0.3-7.el6.noarch

ipa-server-3.0.0-42.el6.centos.x86_64

ipa-client-3.0.0-42.el6.centos.x86_64

ipa-server-selinux-3.0.0-42.el6.centos.x86_64

libipa_hbac-1.11.6-30.el6_6.4.x86_64

ipa-pki-ca-theme-9.0.3-7.el6.noarch

I get the same status for the last 3.

Request ID '20130528090822':

         status: CA_UNREACHABLE

         ca-error: Server at https://example.de/ipa/xml
<https://be-ipasrv.tibet.traffics-switch.de/ipa/xml> failed request,
will retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Failure decoding Certificate Signing Request).

         stuck: no

         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O=EXAMPLE.DE

         subject: CN=example.de,O=EXAMPLE.DE

         expires: 2015-05-29 09:08:22 UTC

         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20130528090849':

         status: CA_UNREACHABLE

         ca-error: Server at https://example.de/ipa/xml
<https://be-ipasrv.tibet.traffics-switch.de/ipa/xml> failed request,
will retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Failure decoding Certificate Signing Request).

         stuck: no

         key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O=EXAMPLE.DE

         subject: CN=example.de,O=EXAMPLE.DE

         expires: 2015-05-29 09:08:49 UTC

         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

Request ID '20130528090923':

         status: CA_UNREACHABLE

         ca-error: Server at https://example.de/ipa/xml
<https://be-ipasrv.tibet.traffics-switch.de/ipa/xml> failed request,
will retry: 4301 (RPC failed at server.  Certificate operation cannot be
completed: Failure decoding Certificate Signing Request).

         stuck: no

         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'

         certificate:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB'

         CA: IPA

         issuer: CN=Certificate Authority,O=EXAMPLE.DE

         subject: CN=example.de,O=EXAMPLE.DE

         expires: 2015-05-29 09:09:23 UTC

         key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment

         eku: id-kp-serverAuth,id-kp-clientAuth

         pre-save command:

         post-save command:

         track: yes

         auto-renew: yes

I read all the posts on the Red Hat archive and Google. I cannot find a solution.

Does anybody know the issue?
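A small triage script for the kind of `getcert list` output quoted above, added here as an example and not part of FreeIPA or certmonger: it parses the output, rejoins the values that certmonger wraps across lines, and flags every request that is already expired, not in MONITORING, or marked stuck, with a pointer for the two ca-error messages seen in this thread. The sample output, the placeholder pin and the reference date are constructed to mirror the post.

```python
"""Triage `getcert list` output so a renewal failure is noticed before the
last certificate lapses. Added example, not FreeIPA/certmonger code."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modeled on the thread's output (pin value is a placeholder).
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20130528090810':
         status: MONITORING
         stuck: no
         key pair storage:
type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin='[redacted]'
         CA: dogtag-ipa-renew-agent
         subject: CN=CA Audit,O=EXAMPLE.DE
         expires: 2017-04-29 08:14:24 UTC
         track: yes
         auto-renew: yes
Request ID '20130528090923':
         status: CA_UNREACHABLE
         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
         stuck: yes
         key pair storage:
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         CA: IPA
         subject: CN=example.de,O=EXAMPLE.DE
         expires: 2015-05-29 09:09:23 UTC
         track: yes
         auto-renew: yes
"""

# ca-error substrings seen in this thread, mapped to where to look next.
CA_ERROR_HINTS = {
    "Unable to communicate with CMS":
        "IPA could not reach the Dogtag CA; check that the CA service is up "
        "and read the Apache error log on the IPA server",
    "Failure decoding Certificate Signing Request":
        "the CA rejected the CSR certmonger submitted; check the Apache "
        "error log on the IPA server for the failed request",
}


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block. Indented 'key: value' lines start
    a field; unindented lines are wrapped continuations of the previous field."""
    requests, current, last_key = [], None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
            last_key = None
            continue
        if current is None:          # header lines before the first request
            continue
        if line[0] in " \t":
            key, sep, value = line.strip().partition(":")
            if sep:
                last_key = key.strip()
                current[last_key] = value.strip()
                continue
        if last_key is not None:     # continuation: rejoin the wrapped value
            current[last_key] = (current[last_key] + " " + line.strip()).strip()
    return requests


def parse_expiry(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def triage(requests, now, warn_days=30):
    """Return (request_id, subject, [reasons]) for every request needing attention."""
    findings = []
    for r in requests:
        reasons = []
        exp = parse_expiry(r.get("expires"))
        if exp is not None and exp <= now:
            reasons.append("certificate expired on %s" % exp.date())
        elif exp is not None and exp - now < timedelta(days=warn_days):
            reasons.append("expires in %d days" % (exp - now).days)
        status = r.get("status", "")
        if status != "MONITORING":
            reasons.append("status %s" % status)
            err = r.get("ca-error", "")
            reasons.extend(h for needle, h in CA_ERROR_HINTS.items() if needle in err)
        if r.get("stuck") == "yes":
            reasons.append("request is stuck; after fixing the cause, run "
                           "'getcert resubmit -i %s'" % r["request_id"])
        if reasons:
            findings.append((r["request_id"], r.get("subject", "?"), reasons))
    return findings


if __name__ == "__main__":
    # Constructed reference date, just after the 2015-05-29 expiry in the sample.
    for rid, subject, reasons in triage(parse_getcert_list(SAMPLE_GETCERT_OUTPUT),
                                        datetime(2015, 6, 1, tzinfo=timezone.utc)):
        print("%s  %s\n  - %s" % (rid, subject, "\n  - ".join(reasons)))
```

On a live server, feed it `getcert list` output and today's date instead of the constructed sample; a request that shows up with both an expired date and a non-MONITORING status is the situation in this thread, where certmonger cannot renew because the CA side is failing, and the cause has to be found on the server before a resubmit will succeed.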

I'd suggest starting with the apache error log, /var/log/httpd/errors. That should tell you what the Internal Error is.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
