Tomasz Torcz wrote:
On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
[Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] 
CertificateOperationError: Certificate operation cannot be completed: Unable to 
communicate with CMS (Internal Server Error)
[Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
[Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: 
[jsonserver_session] ad...@pipebreaker.pl: cert_find(version=u'2.164'): 
CertificateOperationError

How to fix those?

You'll need to look at the dogtag debug log for the reason it threw a 500,
it's in /var/log/pki-tomcat/ca or something close to that.


I've looked into the logs but I'm not wiser. Is there a setting to get
rid of the Java traceback from the logs and get more useful messages? There seems
to be a problem with the SSL connection to port 636, maybe because it seems to use
an expired certificate?

Not that I know of. The debug log is sure a firehose but you've identified
the problem.

$ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
verify error:num=10:certificate has expired
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
DONE

Run getcert list and look at the expiration dates. What you want to do is
kill ntpd, set the date back to say a week before the oldest date, restart
the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
This should force a renewal attempt.

Expiration dates look fine:

root@okda ~$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
         status: CA_UNREACHABLE
         ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed 
request, will retry: 4301 (RPC failed at server.  Certificate operation cannot 
be completed: Unable to communicate with CMS (503)).
         stuck: no
         key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
         subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
         expires: 2017-12-10 19:44:31 UTC
         principal name: HTTP/okda.pipebreaker...@pipebreaker.pl
         key usage: 
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
         track: yes
         auto-renew: yes


It's in 2017. The output seems quite short; on the other replica "getcert
list" returns 9 certificates.

The 503 suggests that the CA didn't come up (service not available). This may be due to expired certs.

What you need to do is set up certmonger to track all the certificates properly and get things renewed. I'm away from my desk so I can't provide any instructions on how to do this, and they depend on whether or not this machine is the renewal master.

P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already
expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(

This is unrelated. I seriously doubt your CA is near expiration (my guess is it expires in 2033).

rob
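The triage Rob walks through above (read `getcert list`, look for requests that are not quietly in MONITORING, find the oldest expiry and set the clock a week before it) as a small parser, added here as an example and not code from the thread or from FreeIPA. The sample output is constructed from the quoted listing; the second request ID and its November 2015 expiry are hypothetical.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample modelled on the getcert output quoted in the thread; the
# second request (a cert that expired in Nov 2015) is a hypothetical addition.
SAMPLE = """Number of certificates and requests being tracked: 2.
Request ID '20131116123125':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
\texpires: 2017-12-10 19:44:31 UTC
Request ID 'EXAMPLE-ID-2':
\tstatus: MONITORING
\texpires: 2015-11-17 12:19:28 UTC
"""

def parse_getcert(text):
    """One dict per 'Request ID' block; indented 'key: value' lines become keys."""
    records = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            records.append({"id": m.group(1)})
        elif records and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")
            records[-1][key] = value.strip()
    return records

def parse_stamp(stamp):
    """getcert prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    naive = datetime.strptime(stamp.rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
    return naive.replace(tzinfo=timezone.utc)

def find_problems(records, now, warn_days=30):
    """(request id, reason) for certs not in MONITORING, or expired / near expiry."""
    problems = []
    for r in records:
        if r.get("status") != "MONITORING":
            problems.append((r["id"], "status " + str(r.get("status"))))
        left = parse_stamp(r["expires"]) - now
        if left < timedelta(0):
            problems.append((r["id"], "expired " + r["expires"]))
        elif left < timedelta(days=warn_days):
            problems.append((r["id"], "expires in %d days" % left.days))
    return problems

def rollback_date(records, days=7):
    """The thread's advice: a clock setting a week before the oldest expiry."""
    oldest = min(parse_stamp(r["expires"]) for r in records)
    return (oldest - timedelta(days=days)).strftime("%Y-%m-%d %H:%M:%S UTC")
```

Run it against real output with `parse_getcert(subprocess.check_output(["getcert", "list"], text=True))`; a CA_UNREACHABLE entry with a 503 in `ca-error` points at the CA itself, as in the thread, rather than at the listed certificate.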
