On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083]
> > > > CertificateOperationError: Certificate operation cannot be completed:
> > > > Unable to communicate with CMS (Internal Server Error)
> > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO:
> > > > [jsonserver_session] [email protected]: cert_find(version=u'2.164'):
> > > > CertificateOperationError
> > > >
> > > > How to fix those?
> > >
> > > You'll need to look at the dogtag debug log for the reason it threw a 500,
> > > it's in /var/log/pki-tomcat/ca or something close to that.
> >
> >
> > I've looked into the logs but I'm not wiser. Is there a setting to get
> > rid of the Java traceback from the logs and get more useful messages? There
> > seems to be a problem with the SSL connection to port 636, maybe because it
> > seems to use an expired certificate?
>
> Not that I know of. The debug log is sure a firehose but you've identified
> the problem.
>
> > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > verify error:num=10:certificate has expired
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > DONE
>
> Run getcert list and look at the expiration dates. What you want to do is
> kill ntpd, set the date back to say a week before the oldest date, restart
> the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> This should force a renewal attempt.
Expiration date looks fine:

root@okda ~$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
    status: CA_UNREACHABLE
    ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
    subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
    expires: 2017-12-10 19:44:31 UTC
    principal name: HTTP/[email protected]
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command: /usr/lib64/ipa/certmonger/restart_httpd
    track: yes
    auto-renew: yes

It's in 2017. The output seems quite short; on the other replica "getcert
list" returns 9 certificates.

P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already
expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(
--
Tomasz Torcz Once you've read the dictionary,
xmpp: [email protected] every other book is just a remix.
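As an added illustration of Rob's advice above (check getcert list for expiry dates and, for the recovery step, set the clock back to a week before the oldest one), here is a small checker written for this thread; it is not part of the thread, of FreeIPA or of certmonger. It parses getcert list output (a constructed sample based on Tomasz's output, plus a hypothetical second request standing in for the expired certificate on port 636) and flags requests that are not in MONITORING state or whose certificate has expired or expires soon.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the thread's "getcert list" output; the second
# request is hypothetical, added to show an expired certificate alongside it.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20131116123125':
    status: CA_UNREACHABLE
    ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
    subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
    expires: 2017-12-10 19:44:31 UTC
Request ID 'hypothetical-ldap-cert':
    status: MONITORING
    subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
    expires: 2015-11-17 12:19:28 UTC
"""
THREAD_DATE = datetime(2016, 6, 21, tzinfo=timezone.utc)  # date of the thread, used as "now"

def parse_getcert(text):
    """Split getcert list output into one dict of 'field: value' pairs per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key.strip()] = value.strip()
    return requests

def expiry(req):
    return datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)

def check(requests, now=THREAD_DATE, warn_days=30):
    """Flag requests certmonger is not renewing (status other than MONITORING) and expired/expiring certs."""
    problems = []
    for req in requests:
        if req.get("status") != "MONITORING":
            problems.append((req["id"], "status " + req.get("status", "?")))
        left = expiry(req) - now
        if left <= timedelta(0):
            problems.append((req["id"], "expired"))
        elif left <= timedelta(days=warn_days):
            problems.append((req["id"], "expires in %d days" % left.days))
    return problems

def clock_rollback_target(requests, days_before=7):
    """Clock setting for the recovery step in the thread: a week before the oldest expiry date."""
    return min(expiry(r) for r in requests) - timedelta(days=days_before)
```

Run it against real output with `getcert list | python3 checker.py`-style piping by reading stdin instead of SAMPLE; the parser copes with the wrapped ca-error line because it splits each field on its first colon only.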
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project