Hi,

Can you provide the output of :
certutil -L -d /etc/dirsrv/slapd-<your domain>/ on replicas that can't
start the PKI?
Your CA Cert attributes should be CT,C,C

I experience the same issue as you every two replica I install. The fix is :
certutil -d /etc/dirsrv/slapd-<your domain>/ -A -t "CT,C,C" -n "<YOUR
DOMAIN> IPA CA" -i /etc/ipa/ca.crt
and restart ipa server.

https://www.redhat.com/archives/freeipa-users/2013-August/msg00088.html

Can you also provide the following line of the file generated by following
commands:

$ ipa certprofile-show --out /tmp/caIPAserviceCert.cfg caIPAserviceCert
$ grep policyset.serverCertSet.1.default.params.name
/tmp/caIPAserviceCert.cfg

Regards,

--
Youenn Piolet
piole...@gmail.com


2016-06-22 16:26 GMT+02:00 Rob Crittenden <rcrit...@redhat.com>:

> Tomasz Torcz wrote:
>
>> On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
>>
>>> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083]
>>>>>> CertificateOperationError: Certificate operation cannot be completed:
>>>>>> Unable to communicate with CMS (Internal Server Error)
>>>>>> [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
>>>>>> [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa:
>>>>>> INFO: [jsonserver_session] ad...@pipebreaker.pl:
>>>>>> cert_find(version=u'2.164'): CertificateOperationError
>>>>>>
>>>>>>      How to fix those?
>>>>>>
>>>>>
>>>>> You'll need to look at the dogtag debug log for the reason it threw a
>>>>> 500,
>>>>> it's in /var/log/pki-tomcat/ca or something close to that.
>>>>>
>>>>
>>>>
>>>>     I've looked into the logs but I'm not wiser.  Is there a setting to
>>>> get
>>>> rid of java traceback from logs and get more useful messages?  There
>>>> seem
>>>> to be a problem with SSL connection to port 636, maybe because it seems
>>>> to use
>>>> expired certificate?
>>>>
>>>
>>> Not that I know of. The debug log is sure a firehose but you've
>>> identified
>>> the problem.
>>>
>>> $ echo | openssl s_client  -connect okda.pipebreaker.pl:636  | openssl
>>>> x509 -noout
>>>> depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> verify error:num=10:certificate has expired
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> DONE
>>>>
>>>
>>> Run getcert list and look at the expiration dates. What you want to do is
>>> kill ntpd, set the date back to say a week before the oldest date,
>>> restart
>>> the dirsrv, restart the pki-tomcat/pki-cad service then restart
>>> certmonger.
>>> This should force a renewal attempt.
>>>
>>
>> Expiration date look fine:
>>
>> root@okda ~$ getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20131116123125':
>>          status: CA_UNREACHABLE
>>          ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server.  Certificate operation
>> cannot be completed: Unable to communicate with CMS (503)).
>>          stuck: no
>>          key pair storage:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>          certificate:
>> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
>> Certificate DB'
>>          CA: IPA
>>          issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
>>          subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
>>          expires: 2017-12-10 19:44:31 UTC
>>          principal name: HTTP/okda.pipebreaker...@pipebreaker.pl
>>          key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>          eku: id-kp-serverAuth,id-kp-clientAuth
>>          pre-save command:
>>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>          track: yes
>>          auto-renew: yes
>>
>>
>>    It's in 2017. The output seem quite short, on the other replica
>> "getcert list" returns 9 certificates.
>>
>
> The 503 suggests that the CA didn't come up (service not available). This
> may be due to expired certs.
>
> What you need to do is setup certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.
>
> P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing
>> already expired CA certificate) didn't
>>     make into FreeIPA 4.4.0 alpha. :-(
>>
>
> This is unrelated. I seriously doubt your CA is near expiration (my guess
> is it expires in 2033).
>
> rob
>
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
>
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Reply via email to