On Wed, Jun 22, 2016 at 10:26:16AM -0400, Rob Crittenden wrote:
> Tomasz Torcz wrote:
> > On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083]
> > > > > > CertificateOperationError: Certificate operation cannot be
> > > > > > completed: Unable to communicate with CMS (Internal Server Error)
> > > > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa:
> > > > > > INFO: [jsonserver_session] [email protected]:
> > > > > > cert_find(version=u'2.164'): CertificateOperationError
> > > > > >
> > > > > > How to fix those?
> > > > >
> > > > > You'll need to look at the dogtag debug log for the reason it threw a
> > > > > 500, it's in /var/log/pki-tomcat/ca or something close to that.
> > > >
> > > > I've looked into the logs but I'm not wiser. Is there a setting to get
> > > > rid of the java traceback from the logs and get more useful messages?
> > > > There seems to be a problem with the SSL connection to port 636, maybe
> > > > because it seems to use an expired certificate?
> > >
> > > Not that I know of. The debug log is sure a firehose but you've identified
> > > the problem.
> > >
> > > > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > > > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > verify error:num=10:certificate has expired
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > DONE
> > >
> > > Run getcert list and look at the expiration dates. What you want to do is
> > > kill ntpd, set the date back to say a week before the oldest date, restart
> > > the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> > > This should force a renewal attempt.
>
> What you need to do is set up certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.

I've used instructions from
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
to remind certmonger about the other certificates. I had to adjust paths:

  -d /var/lib/pki/pki-tomcat/alias/
  -B /usr/libexec/ipa/certmonger/stop_pkicad
  -C '/usr/libexec/ipa/certmonger/renew_ca_cert "${nickname}"'

I've rolled back time and I'm waiting for certmonger to refresh those certs:

Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC

root@okda ca$ date
Thu Nov  5 11:39:41 CET 2015

It's been 2 hours and the certificates are still not refreshed.

> > P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing
> > already expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(
>
> This is unrelated. I seriously doubt your CA is near expiration (my guess is
> it expires in 2033).

I'm not sure about the CA certificate itself, but the "CA Subsystem"
certificate is expired. As far as I understand, 1752 is about refreshing
certs by going directly through the socket, mitigating expired certificates.

-- 
Tomasz Torcz                "Funeral in the morning, IDE hacking
xmpp: [email protected]     in the afternoon and evening." - Alan Cox

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
