Thanks Rob,

Any suggestions on how to make the CA aware of the current serial number?

Also started seeing the following error from two of the servers, spider01b
and spider01o, but not spider01a, when I navigate in the web GUI.  Though
it doesn't appear to stop me from doing anything.

IPA Error 4301
Certificate operation cannot be completed: EXCEPTION (Invalid Crential.)

Marc

On Tue, Jun 14, 2016 at 2:07 PM, Marc Wiatrowski <w...@iglass.net> wrote:

>
>
> On Tue, Jun 14, 2016 at 11:22 AM, Rob Crittenden <rcrit...@redhat.com>
> wrote:
>
>> Marc Wiatrowski wrote:
>>
>>> Hello, I'm having issues with the 3 ipa certificates of type CA: IPA
>>> renewing on 2 of 3 replicas.  Particularly on the 2 that are not the CA
>>> master.  The other 5 certificates from getcert list do renew and all
>>> certificates on the CA master do look to renew.
>>>
> >>> Both servers are running ipa-server-3.0.0-50.el6.centos.1.x86_64.  I've done
> >>> full updates and rebooted.
>>>
>>
>> Can you check on the replication status for each CA?
>>
>> $ ipa-csreplica-manage list -v ipa.example.com
>>
>> The hostname is important because including that will show the agreements
>> that host has. Do this for each master with a CA.
>>
>> The CA being asked to do the renewal is unaware of the current serial
>> number so it is refusing to proceed.
>>
>> rob
>>
>>
>
> [root@spider01o]$ ipa-csreplica-manage list -v spider01a.iglass.net
> Directory Manager password:
>
> spider01b.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-06-14 17:49:16+00:00
> spider01o.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:55:20+00:00
>
> [root@spider01o]$ ipa-csreplica-manage list -v spider01o.iglass.net
> Directory Manager password:
>
> spider01a.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:44+00:00
> spider01b.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:41+00:00
>
> [root@spider01o]$ ipa-csreplica-manage list -v spider01b.iglass.net
> Directory Manager password:
>
> spider01a.iglass.net
>   last init status: 0 Total update succeeded
>   last init ended: 2016-06-03 19:43:12+00:00
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-06-14 17:44:17+00:00
> spider01o.iglass.net
>   last init status: 0 Total update succeeded
>   last init ended: 2016-06-03 19:44:38+00:00
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:53+00:00
> spider01a.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update succeeded
>   last update ended: 2016-06-14 17:44:13+00:00
> spider01o.iglass.net
>   last init status: None
>   last init ended: None
>   last update status: 0 Replica acquired successfully: Incremental update started
>   last update ended: 2016-06-14 17:57:54+00:00
>
>
> Not sure what this is telling me... Is this an issue with the last one being
> doubled?  Thanks
>
>
>
> The failed renews look like:
>
> [root@spider01a]$ getcert list -i 20141202144354
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144354':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:45 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> track: yes
> auto-renew: yes
>
> [root@spider01a]$ getcert list -i 20141202144616
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144616':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:43 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
> track: yes
> auto-renew: yes
>
> [root@spider01a]$ getcert list -i 20141202144733
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144733':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:46 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
>
> From
> [root@spider01a]$ getcert resubmit -i 20141202144354
>
> On the replica issuing the resubmit
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
> [Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass....@iglass.net: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass....@iglass.net', add=True): CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
> 192.168.176.2 - host/spider01a.iglass....@iglass.net [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376
>
> ==> /var/log/pki-ca/system <==
> 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.
>
>
> On the CA master spider01o:
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370
>
> ==> krb5kdc.log <==
> Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass....@iglass.net for ldap/spider01o.iglass....@iglass.net
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
> [Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass....@iglass.net: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass....@iglass.net', add=True): CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
> 192.168.176.2 - host/spider01a.iglass....@iglass.net [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349
>
> ==> /var/log/pki-ca/system <==
> 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found
>
>
> I realize they expire at the end of the year, but I've had my
> certificates expire before and would rather not go through that again.
> Any idea on what's wrong or suggestions on where to look would be
> appreciated.
>
> Thanks,
> Marc
>
>
>
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
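The failure pattern in this thread (a tracked request sitting at CA_UNREACHABLE while the CA reports a serial it cannot find) is cheap to catch from monitoring long before the certificates expire. The following is an added example, not code from the thread or from the FreeIPA project: a Python check that parses `getcert list` output using the field names visible in the quoted output above; the sample input and the "now" date are constructed from the thread.

```python
import re
from datetime import datetime, timezone

# Constructed sample in certmonger's `getcert list` format: one request stuck
# at CA_UNREACHABLE (the error quoted in the thread) and one healthy request.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20141202144354':
    status: CA_UNREACHABLE
    ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
    CA: IPA
    expires: 2016-12-02 14:38:45 UTC
    auto-renew: yes
Request ID 'example-ok':
    status: MONITORING
    CA: IPA
    expires: 2017-06-01 00:00:00 UTC
    auto-renew: yes
"""
SAMPLE_NOW = datetime(2016, 6, 14, tzinfo=timezone.utc)  # constructed "now": the thread's date
SERIAL_RE = re.compile(r"serial number (0x[0-9a-fA-F]+)")

def parse_getcert(text):
    """Split `getcert list` output into {request_id: {field: value}}."""
    requests, current = {}, None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = requests[m.group(1)] = {}
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return requests

def failing_renewals(text, now, warn_days=90):
    """Return [(request_id, status, missing_serial, days_left)] for requests not in
    certmonger's steady MONITORING state or expiring within warn_days.
    missing_serial is the serial the CA said it could not find, else None."""
    findings = []
    for req_id, fields in parse_getcert(text).items():
        status, exp = fields.get("status", ""), fields.get("expires")
        days_left = None
        if exp:  # requests that were never issued have no expires line
            expires = datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC")
            days_left = (expires.replace(tzinfo=timezone.utc) - now).days
        if status != "MONITORING" or (days_left is not None and days_left <= warn_days):
            m = SERIAL_RE.search(fields.get("ca-error", ""))
            findings.append((req_id, status, m.group(1) if m else None, days_left))
    return findings
```

Run against the real output of `getcert list` on each replica, the serial in each finding is the one to look for on the CA that handled the request; a serial present on one CA master and absent on another points at CS replication, which is what `ipa-csreplica-manage list -v` above is checking.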
