On Wed, Jun 22, 2016 at 10:26:16AM -0400, Rob Crittenden wrote:
> Tomasz Torcz wrote:
> > On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] 
> > > > > > CertificateOperationError: Certificate operation cannot be 
> > > > > > completed: Unable to communicate with CMS (Internal Server Error)
> > > > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: 
> > > > > > INFO: [jsonserver_session] ad...@pipebreaker.pl: 
> > > > > > cert_find(version=u'2.164'): CertificateOperationError
> > > > > > 
> > > > > >      How to fix those?
> > > > > 
> > > > > You'll need to look at the dogtag debug log for the reason it threw a
> > > > > 500; it's in /var/log/pki-tomcat/ca or something close to that.
> > > > 
> > > > 
> > > >     I've looked into the logs but I'm not wiser.  Is there a setting to
> > > > get rid of Java tracebacks from the logs and get more useful messages?
> > > > There seems to be a problem with the SSL connection to port 636, maybe
> > > > because it seems to use an expired certificate?
> > > 
> > > Not that I know of. The debug log is sure a firehose but you've identified
> > > the problem.
> > > 
> > > > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > > > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > verify error:num=10:certificate has expired
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > DONE
> > > 
> > > Run getcert list and look at the expiration dates. What you want to do is
> > > kill ntpd, set the date back to say a week before the oldest date, restart
> > > the dirsrv, restart the pki-tomcat/pki-cad service then restart 
> > > certmonger.
> > > This should force a renewal attempt.
> 
> What you need to do is setup certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.


   I've used instructions from 
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
to remind certmonger about other certificates. I had to adjust paths:
-d /var/lib/pki/pki-tomcat/alias/
-B /usr/libexec/ipa/certmonger/stop_pkicad 
and
-C '/usr/libexec/ipa/certmonger/renew_ca_cert "${nickname}"'

I've rolled back time and I'm waiting for certmonger to refresh
those certs:

Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC
root@okda ca$ date
Thu Nov  5 11:39:41 CET 2015

It's been 2 hours and certificates are still not refreshed.


 
> > P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing
> > already expired CA certificate) didn't make it into FreeIPA 4.4.0 alpha. :-(
> 
> This is unrelated. I seriously doubt your CA is near expiration (my guess is
> it expires in 2033).

  I'm not sure about the CA certificate itself, but the "CA Subsystem"
certificate is expired.
As far as I understand, 1752 is about refreshing certs by going directly
through the socket, mitigating expired certificates.

-- 
Tomasz Torcz                "Funeral in the morning, IDE hacking
xmpp: zdzich...@chrome.pl    in the afternoon and evening." - Alan Cox
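Added example, not code from this thread or from FreeIPA/certmonger: a small POSIX sh script that reads `getcert list` output (the three requests posted above are embedded as a constructed sample), reports which tracked certificates are already expired on a given date, computes the date to set the clock to (a week before the oldest expiry, as suggested upthread), and checks whether a rolled-back clock is actually far enough back. The function names (expired_certs, rollback_target, clock_ok) and the awk calendar helpers are my own; the helpers are there so the script does not need GNU `date -d`, and expiry is compared at day granularity only.

```shell
#!/bin/sh
# Added example (not from the thread, FreeIPA or certmonger): triage
# `getcert list` output before rolling the clock back for a renewal attempt.
# Assumes certmonger's "expires: YYYY-MM-DD HH:MM:SS UTC" line format and
# compares dates at day granularity.

# Constructed sample: the three tracking requests posted in the thread.
SAMPLE_GETCERT=$(cat <<'EOF'
Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC
EOF
)

# awk calendar helpers (proleptic Gregorian, days since 1970-01-01), so the
# script does not depend on GNU `date -d`.
AWK_DATE_LIB='
function days_from_civil(y, m, d,   era, yoe, doy, doe) {
    y -= (m <= 2)
    era = int((y >= 0 ? y : y - 399) / 400)
    yoe = y - era * 400
    doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
    doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
    return era * 146097 + doe - 719468
}
function civil_from_days(z,   era, doe, yoe, y, doy, mp, d, m) {
    z += 719468
    era = int((z >= 0 ? z : z - 146096) / 146097)
    doe = z - era * 146097
    yoe = int((doe - int(doe / 1460) + int(doe / 36524) - int(doe / 146096)) / 365)
    y = yoe + era * 400
    doy = doe - (365 * yoe + int(yoe / 4) - int(yoe / 100))
    mp = int((5 * doy + 2) / 153)
    d = doy - int((153 * mp + 2) / 5) + 1
    m = mp + (mp < 10 ? 3 : -9)
    return sprintf("%04d-%02d-%02d", y + (m <= 2), m, d)
}
function ymd_to_days(s,   p) {
    split(s, p, "-")
    return days_from_civil(p[1] + 0, p[2] + 0, p[3] + 0)
}
'

# expired_certs CLOCK: print "subject<TAB>expires" for each tracked cert whose
# expiry date is before CLOCK (YYYY-MM-DD). Reads `getcert list` on stdin.
expired_certs() {
    awk -v clock="$1" '
        $1 == "subject:" { s = $0; sub(/^[[:space:]]*subject: /, "", s) }
        $1 == "expires:" && $2 < clock { print s "\t" $2 " " $3 }
    '
}

# rollback_target DAYS: the date DAYS before the earliest expiry on stdin,
# i.e. where to set the clock so every tracked cert is valid with some margin.
rollback_target() {
    awk -v days="${1:-7}" "$AWK_DATE_LIB"'
        $1 == "expires:" { d = ymd_to_days($2); if (min == "" || d < min) min = d }
        END { if (min != "") print civil_from_days(min - days) }
    '
}

# clock_ok CLOCK DAYS: succeed if CLOCK (YYYY-MM-DD) is at or before the
# rollback target, i.e. the clock has been set back far enough.
clock_ok() {
    target=$(rollback_target "$2")
    [ -n "$target" ] && awk -v c="$1" -v t="$target" 'BEGIN { exit (c <= t ? 0 : 1) }'
}

# Demo on the constructed sample: what is expired at the real date, where the
# clock should go, and whether the Nov 5 rollback from the thread is enough.
printf '%s\n' "$SAMPLE_GETCERT" | expired_certs 2016-06-30
printf 'rollback target: %s\n' "$(printf '%s\n' "$SAMPLE_GETCERT" | rollback_target 7)"
if printf '%s\n' "$SAMPLE_GETCERT" | clock_ok 2015-11-05 7; then
    echo "clock margin ok"
else
    echo "clock not far enough back"
fi
```

On a live server the pipe is simply `getcert list | expired_certs "$(date +%F)"` before touching the clock, and `getcert list | clock_ok "$(date +%F)" 7` after. On the sample, CA Audit and CA Subsystem show as expired at the real date, the target comes out as 2015-10-30, and a clock of 2015-11-05 fails the margin check: it is one day before the oldest expiry, not a week.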

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project