Tomasz Torcz wrote:
On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
[Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
[Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
[Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] [email protected]: cert_find(version=u'2.164'): CertificateOperationError
How to fix those?
You'll need to look at the dogtag debug log for the reason it threw a 500,
it's in /var/log/pki-tomcat/ca or something close to that.
I've looked into the logs but I'm not wiser. Is there a setting to get
rid of the Java traceback from the logs and get more useful messages? There seems
to be a problem with the SSL connection to port 636, maybe because it seems to use
an expired certificate?
Not that I know of. The debug log is sure a firehose but you've identified
the problem.
$ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
verify error:num=10:certificate has expired
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
notAfter=Nov 17 12:19:28 2015 GMT
verify return:1
DONE
Run getcert list and look at the expiration dates. What you want to do is
kill ntpd, set the date back to say a week before the oldest date, restart
the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
This should force a renewal attempt.
Expiration date looks fine:
root@okda ~$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
status: CA_UNREACHABLE
ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
expires: 2017-12-10 19:44:31 UTC
principal name: HTTP/[email protected]
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
It's in 2017. The output seems quite short; on the other replica "getcert
list" returns 9 certificates.
The 503 suggests that the CA didn't come up (service not available).
This may be due to expired certs.
What you need to do is setup certmonger to track all the certificates
properly and get things renewed. I'm away from my desk so can't provide
any instructions on how to do this and they depend on whether or not
this machine is the renewal master.
P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already
expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(
This is unrelated. I seriously doubt your CA is near expiration (my
guess is it expires in 2033).
rob
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
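The triage Rob describes (read `getcert list`, find the oldest expiry, roll the clock back a week before it, restart dirsrv, the CA and certmonger) is easy to get wrong by hand when several certificates are tracked. The script below is an added example, not code from the thread or from FreeIPA/certmonger: it parses `getcert list` output and the `notAfter=` line that `openssl x509 -noout -enddate` prints, flags certificates that are already expired, and computes the rollback date. The sample `getcert` output is constructed (the second tracked request, a dirsrv certificate that expired in 2015, is invented to mirror the expired cert seen on port 636), and the systemd unit names in `rollback_plan` are assumptions to be checked on the host before anything is run.

```python
"""Triage helper for expired FreeIPA/certmonger certificates.

Added example, not FreeIPA or certmonger code. Parses `getcert list` output,
finds expired certificates, and computes the clock-rollback date suggested in
the thread (one week before the oldest expiry).
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the `getcert list` format shown in the thread. The
# second request is invented: a dirsrv cert that expired in November 2015.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20131116123125':
        status: CA_UNREACHABLE
        ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-12-10 19:44:31 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
Request ID '20131116123200':
        status: CA_UNREACHABLE
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2015-11-17 12:19:28 UTC
        track: yes
        auto-renew: yes
"""


def parse_getcert_expires(value: str) -> datetime | None:
    """'2017-12-10 19:44:31 UTC' -> aware datetime, or None if absent."""
    if not value:
        return None
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def parse_openssl_enddate(line: str) -> datetime:
    """'notAfter=Nov 17 12:19:28 2015 GMT' (openssl x509 -enddate) -> aware datetime."""
    text = " ".join(line.partition("=")[2].split())  # drop prefix, squeeze spaces
    return datetime.strptime(text, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)


def parse_getcert_list(text: str) -> list[dict]:
    """One dict per tracked request; raw 'key: value' fields plus parsed extras."""
    certs: list[dict] = []
    cur: dict | None = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"request_id": m.group(1)}
            certs.append(cur)
            continue
        if cur is None or ":" not in line:
            continue
        key, _, value = line.partition(":")  # first colon only; URLs stay intact
        cur[key.strip()] = value.strip()
    for c in certs:
        c["expires_at"] = parse_getcert_expires(c.get("expires", ""))
        nick = re.search(r"nickname='([^']*)'", c.get("certificate", ""))
        loc = re.search(r"location='([^']*)'", c.get("certificate", ""))
        c["nickname"] = nick.group(1) if nick else None
        c["location"] = loc.group(1) if loc else None
    return certs


def expired_certs(certs: list[dict], now: datetime) -> list[dict]:
    return [c for c in certs if c["expires_at"] and c["expires_at"] <= now]


def earliest_expiry(certs: list[dict]) -> datetime:
    return min(c["expires_at"] for c in certs if c["expires_at"])


def rollback_target(certs: list[dict], margin_days: int = 7) -> datetime:
    """Date to set the clock to: a week before the oldest expiry, per the thread."""
    return earliest_expiry(certs) - timedelta(days=margin_days)


def rollback_plan(target: datetime) -> list[str]:
    """The thread's recovery steps as commands. Unit names are ASSUMED;
    verify them on the host (older releases used pki-cad) before running."""
    stamp = target.strftime("%Y-%m-%d %H:%M:%S")
    return [
        "systemctl stop ntpd",
        f"date -s '{stamp}'",
        "systemctl restart dirsrv.target",
        "systemctl restart pki-tomcatd@pki-tomcat.service",
        "systemctl restart certmonger",
        "getcert list   # expect status: MONITORING and new 'expires:' dates",
        "systemctl start ntpd",
    ]


if __name__ == "__main__":
    certs = parse_getcert_list(SAMPLE_GETCERT)
    now = datetime.now(timezone.utc)
    for c in certs:
        flag = "EXPIRED" if c in expired_certs(certs, now) else "ok"
        print(f"{c['request_id']} {c['location']}:{c['nickname']} "
              f"status={c.get('status')} expires={c['expires_at']} [{flag}]")
    print("oldest expiry:", earliest_expiry(certs))
    print("\n".join(rollback_plan(rollback_target(certs))))
```

Run it against real output with `getcert list | python3 triage.py` after swapping `SAMPLE_GETCERT` for `sys.stdin.read()`; the LDAPS check from the thread pairs with it as `echo | openssl s_client -connect host:636 2>/dev/null | openssl x509 -noout -enddate`, whose output `parse_openssl_enddate` accepts. Note that the clock rollback only helps when the CA certificate itself is still valid and the expired leaf certificates are tracked by certmonger, which is exactly the gap Rob points out for a replica showing one tracked request instead of nine.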