On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] 
> > > > CertificateOperationError: Certificate operation cannot be completed: 
> > > > Unable to communicate with CMS (Internal Server Error)
> > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: 
> > > > [jsonserver_session] ad...@pipebreaker.pl: cert_find(version=u'2.164'): 
> > > > CertificateOperationError
> > > > 
> > > >     How to fix those?
> > > 
> > > You'll need to look at the dogtag debug log for the reason it threw a 500,
> > > it's in /var/log/pki-tomcat/ca or something close to that.
> > 
> > 
> >    I've looked into the logs but I'm not wiser.  Is there a setting to get
> > rid of java traceback from logs and get more useful messages?  There seem
> > to be a problem with SSL connection to port 636, maybe because it seems to 
> > use
> > expired certificate?
> 
> Not that I know of. The debug log is sure a firehose but you've identified
> the problem.
> 
> > $ echo | openssl s_client  -connect okda.pipebreaker.pl:636  | openssl x509 
> > -noout
> > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > verify error:num=10:certificate has expired
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > DONE
> 
> Run getcert list and look at the expiration dates. What you want to do is
> kill ntpd, set the date back to say a week before the oldest date, restart
> the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> This should force a renewal attempt.

Expiration date look fine:

root@okda ~$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
        status: CA_UNREACHABLE
        ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, 
will retry: 4301 (RPC failed at server.  Certificate operation cannot be 
completed: Unable to communicate with CMS (503)).
        stuck: no
        key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-12-10 19:44:31 UTC
        principal name: HTTP/okda.pipebreaker...@pipebreaker.pl
        key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command: 
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes


  It's in 2017. The output seem quite short, on the other replica "getcert 
list" returns 9 certificates.


P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already 
expired CA certificate) didn't
   make into FreeIPA 4.4.0 alpha. :-(

-- 
Tomasz Torcz                        Once you've read the dictionary,
xmpp: zdzich...@chrome.pl           every other book is just a remix.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to