Hi,

Can you provide the output of:

    certutil -L -d /etc/dirsrv/slapd-<your domain>/

on replicas that can't start the PKI? Your CA Cert attributes should be CT,C,C.

I experience the same issue as you on every second replica I install. The fix is:

    certutil -d /etc/dirsrv/slapd-<your domain>/ -A -t "CT,C,C" -n "<YOUR DOMAIN> IPA CA" -i /etc/ipa/ca.crt

and restart the ipa server.
https://www.redhat.com/archives/freeipa-users/2013-August/msg00088.html

Can you also provide the following line of the file generated by the following commands:

    $ ipa certprofile-show --out /tmp/caIPAserviceCert.cfg caIPAserviceCert
    $ grep policyset.serverCertSet.1.default.params.name /tmp/caIPAserviceCert.cfg

Regards,
--
Youenn Piolet
[email protected]

2016-06-22 16:26 GMT+02:00 Rob Crittenden <[email protected]>:
> Tomasz Torcz wrote:
>> On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
>>>>>> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083]
>>>>>> CertificateOperationError: Certificate operation cannot be completed:
>>>>>> Unable to communicate with CMS (Internal Server Error)
>>>>>> [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
>>>>>> [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa:
>>>>>> INFO: [jsonserver_session] [email protected]:
>>>>>> cert_find(version=u'2.164'): CertificateOperationError
>>>>>>
>>>>>> How to fix those?
>>>>>
>>>>> You'll need to look at the dogtag debug log for the reason it threw a
>>>>> 500, it's in /var/log/pki-tomcat/ca or something close to that.
>>>>
>>>> I've looked into the logs but I'm not wiser. Is there a setting to get
>>>> rid of the java traceback from logs and get more useful messages? There
>>>> seems to be a problem with the SSL connection to port 636, maybe because
>>>> it seems to use an expired certificate?
>>>
>>> Not that I know of. The debug log is sure a firehose but you've
>>> identified the problem.
>>>
>>>> $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
>>>> depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> verify error:num=10:certificate has expired
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>>> notAfter=Nov 17 12:19:28 2015 GMT
>>>> verify return:1
>>>> DONE
>>>
>>> Run getcert list and look at the expiration dates. What you want to do is
>>> kill ntpd, set the date back to say a week before the oldest date, restart
>>> the dirsrv, restart the pki-tomcat/pki-cad service then restart
>>> certmonger. This should force a renewal attempt.
>>
>> Expiration dates look fine:
>>
>> root@okda ~$ getcert list
>> Number of certificates and requests being tracked: 1.
>> Request ID '20131116123125':
>>         status: CA_UNREACHABLE
>>         ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed
>> request, will retry: 4301 (RPC failed at server. Certificate operation
>> cannot be completed: Unable to communicate with CMS (503)).
>>         stuck: no
>>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>         CA: IPA
>>         issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
>>         subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
>>         expires: 2017-12-10 19:44:31 UTC
>>         principal name: HTTP/[email protected]
>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>         pre-save command:
>>         post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>         track: yes
>>         auto-renew: yes
>>
>> It's in 2017. The output seems quite short, on the other replica
>> "getcert list" returns 9 certificates.
>
> The 503 suggests that the CA didn't come up (service not available). This
> may be due to expired certs.
>
> What you need to do is set up certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.
>
>> P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing
>> already expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(
>
> This is unrelated. I seriously doubt your CA is near expiration (my guess
> is it expires in 2033).
>
> rob
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
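As an added illustration of the two diagnostics raised in this thread (this is not code from the thread or from FreeIPA itself): a small Python script that parses constructed samples of "certutil -L" and "getcert list" output, flags a CA entry whose trust attributes are not CT,C,C, and flags tracked requests that are not in MONITORING status or are close to expiry. The nickname suffix " IPA CA", the EXAMPLE.TEST names, the sample request IDs and the 30-day warning window are assumptions chosen for the sample; on a real replica you would feed it the live output of the two commands instead.

```python
"""Offline triage of the two checks raised in this thread.

1. `certutil -L -d <nssdb>`: the IPA CA entry must carry CT,C,C trust flags,
   otherwise the directory server does not trust the CA for its LDAPS chain.
2. `getcert list`: every tracked request should be MONITORING and not near
   expiry; CA_UNREACHABLE means certmonger cannot renew anything.

Both inputs below are constructed samples shaped like the real tool output;
nothing here talks to a live NSS database or to certmonger.
"""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the CA entry was imported with the wrong trust flags.
CERTUTIL_SAMPLE = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

EXAMPLE.TEST IPA CA                                          C,,
Server-Cert                                                  u,u,u
"""

# Constructed sample in the `getcert list` layout (tab-indented fields).
GETCERT_SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20131116123125':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2017-12-10 19:44:31 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20131116123126':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-07-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

TRUST_RE = re.compile(r"^[A-Za-z]*,[A-Za-z]*,[A-Za-z]*$")
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_certutil(text: str) -> dict[str, str]:
    """Map nickname -> trust attribute string from `certutil -L` output."""
    certs: dict[str, str] = {}
    for line in text.splitlines():
        parts = line.rstrip().rsplit(None, 1)
        if len(parts) != 2 or not TRUST_RE.match(parts[1]):
            continue  # header, blank line, or the SSL,S/MIME,JAR/XPI legend
        certs[parts[0].strip()] = parts[1]
    return certs


def ca_trust_ok(trust: str) -> bool:
    """True when the flags include at least CT,C,C (extra flags such as 'u' are fine)."""
    ssl, smime, jar = trust.split(",")
    return "C" in ssl and "T" in ssl and "C" in smime and "C" in jar


def find_ca_trust_problems(text: str, ca_suffix: str = " IPA CA") -> list[tuple[str, str]]:
    """Return (nickname, trust) for CA entries whose trust is not CT,C,C."""
    return [(nick, trust) for nick, trust in parse_certutil(text).items()
            if nick.endswith(ca_suffix) and not ca_trust_ok(trust)]


def parse_getcert(text: str) -> list[dict[str, str]]:
    """Split `getcert list` output into one dict of fields per tracked request."""
    requests: list[dict[str, str]] = []
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            requests.append({"request_id": m.group(1)})
            continue
        if requests and ":" in line and line[:1].isspace():
            key, value = line.strip().split(":", 1)  # ca-error values contain colons
            requests[-1][key.strip()] = value.strip()
    return requests


def getcert_problems(requests, now=None, warn_days: int = 30) -> list[tuple[str, str]]:
    """Flag requests not in MONITORING status or expiring within warn_days."""
    now = now or datetime.now(timezone.utc)
    problems: list[tuple[str, str]] = []
    for req in requests:
        rid = req["request_id"]
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":
            problems.append((rid, f"status {status}: {req.get('ca-error', 'no ca-error recorded')}"))
        if "expires" in req:
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
            if exp - now < timedelta(days=warn_days):
                problems.append((rid, f"expires {req['expires']}"))
    return problems


if __name__ == "__main__":
    for nick, trust in find_ca_trust_problems(CERTUTIL_SAMPLE):
        print(f"CA trust flags wrong: '{nick}' has {trust}, expected CT,C,C")
    as_of = datetime(2016, 6, 22, tzinfo=timezone.utc)  # fixed date so the sample is reproducible
    for rid, why in getcert_problems(parse_getcert(GETCERT_SAMPLE), now=as_of):
        print(f"request {rid}: {why}")
```

The CA-trust check is the one Youenn asks for above: a "C,," or "u,u,u" entry named "<DOMAIN> IPA CA" is what the certutil -A -t "CT,C,C" re-import corrects. The getcert scan generalizes Rob's "look at the expiration dates" advice by also surfacing any request whose status is not MONITORING, since a CA_UNREACHABLE request with a far-off expiry (as in Tomasz's output) is still a renewal that will fail when its time comes.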
