Hello. I am contacting you because I have a problem with expired certificates on my IPA servers.
I'm still using IPA 3.0.0 for the moment.

# ipa-getcert list
Number of certificates and requests being tracked: 8.
Request ID '20160321140609':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-<REALM>/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-<REALM>',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:09 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140642':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:06:41 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes
Request ID '20160321140750':
	status: CA_UNREACHABLE
	ca-error: Server at https://<HOST>/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=<REALM>
	subject: CN=<HOST>,O=<REALM>
	expires: 2018-03-22 14:07:50 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

Because of this, unfortunately, commands such as ipa user-show etc. do not work anymore. I wonder whether IPA itself works well or not when we have this certificate problem?

Anyway, I went back in time, to before the certificates expired:
###
service ntpd stop
date --set="2018-03-10 10:00:00"
###

And then I tried to renew these certificates with certmonger:
###
# ipa-getcert resubmit -i 20160321140609
Resubmitting "20160321140609" to "IPA".
# ipa-getcert resubmit -i 20160321140642
Resubmitting "20160321140642" to "IPA".
# ipa-getcert resubmit -i 20160321140750
Resubmitting "20160321140750" to "IPA".
###

But it didn't change anything, the certificates are still expired :(. I have the following error message in the httpd log when I perform a resubmit.
###
[Sat Mar 10 11:29:18 2018] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): Unable to communicate with CMS (Not Found)
[Sat Mar 10 11:29:18 2018] [error] ipa: INFO: host/<HOST>@<REALM>: cert_request(u'MIIDwjCCAqoCAQAwPTEQMA4GA1UEChMHQkRGREVWMjEpMCcGA1UEAxMgZHZiZGZrYjIxLnJvdWVuLmZyYW5jZXRlbGVjb20uZnIwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDr7BrPDFwenvnTLYPx29WEcsELc94+XcCm8fZSnr749/OGcqfqwurwH6NehL0eZjW7+uwtl3l3SJ1XIrUL4DDQ7b46EQh39hXRCepAIjfAFL2QVc1OEMtcGU2ahFk6Qoh+0ERr2zUMzV968IaebICzsHFyDedbM1lekOZKCpmgdhKi4JJM2IRXQggFsJGfoePfh7inj5VsLplC1Lkx22ka3I/8TiXdfUp0mzZQkXD3B3HTDy5hubhYeUXDwayqLQP6Wu0GHWwko2tlWZPCpg7Hfk+f1Wfu2XIb7JfbRscG/4C2bJNiTaGx7fqb3JDVnrOWEdEWZ2Lug+h6aBNa18oZAgMBAAGgggE+MCUGCSqGSIb3DQEJFDEYHhYAUwBlAHIAdgBlAHIALQBDAGUAcgB0MIIBEwYJKoZIhvcNAQkOMYIBBDCCAQAwDgYDVR0PAQEABAQDAgTwMIGbBgNVHREBAQAEgZAwgY2gPQYKKwYBBAGCNxQCA6AvDC1sZGFwL2R2YmRma2IyMS5yb3Vlbi5mcmFuY2V0ZWxlY29tLmZyQEJERkRFVjKgTAYGKwYBBQICoEIwQKAJGwdCREZERVYyoTMwMaADAgEBoSowKBsEbGRhcBsgZHZiZGZrYjIxLnJvdWVuLmZyYW5jZXRlbGVjb20uZnIwIAYDVR0lAQEABBYwFAYIKwYBBQUHAwEGCCsGAQUFBwMCMAwGA1UdEwEB/wQCMAAwIAYDVR0OAQEABBYEFBa5zjLzw1wh3+5Mask290q98ZOxMA0GCSqGSIb3DQEBCwUAA4IBAQBx55mJOaAL0z4w8PzND8IgfdusTS2F1YsdfeMtoERl++n1kEvU0W0AmcQ9i9POiDx1+wTvhiVkdvrc18r6FKxHUjKDPkdEZ61jW9vuXY+uzFdQzbezOQ842n2vhmapgLX9WQrdv7iE+CLTn3sA3pNnbg4M6mL77CUPo7VJgiaNIuj4y7GCaAnUFrjyje93KBYDdsV2FLUoCblzE14DMmbxa1ApskYhskaPkbmvuiVWdsejsaPG3vYPZw+mZhhoKKeB8eenVIFqLmj42Cc8nZghgw6gqDj9aB3vj+wVhba2jFFLMqp8NB9oohHSb4wAY8zceU6ygKyO1MhTaqy+GSPo', principal=u'ldap/<HOST>@<REALM>', add=True): CertificateOperationError
###

The CA service is running:
###
# service ipa status
Directory Service: RUNNING
KDC Service: RUNNING
KPASSWD Service: RUNNING
MEMCACHE Service: RUNNING
HTTP Service: RUNNING
CA Service: RUNNING
###

I wonder what I could do. Thank you in advance for your help.
BR.
Lune
_______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
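As an added example (not part of the original post, nor of FreeIPA or certmonger), a small Python checker that parses `ipa-getcert list` output in the layout shown in the post and flags every tracked request that is not in MONITORING state, carries a ca-error, or is expired or about to expire. The sample listing, hostname and realm below are constructed.

```python
import re
from datetime import datetime, timezone
# Constructed sample in the layout `ipa-getcert list` prints (fields trimmed,
# hostname and realm are placeholders, not from the post).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20160321140609':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (Unable to communicate with CMS (Not Found)).
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2018-03-22 14:06:09 UTC
Request ID '20160321140750':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2019-06-01 00:00:00 UTC
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # first ':' separates the field name; URLs in values keep theirs
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def find_problems(requests, now, warn_days=30):
    """Return [(request id, reasons)] for requests needing attention."""
    problems = []
    for r in requests:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append("status=" + r.get("status", "UNKNOWN"))
        if r.get("ca-error"):
            reasons.append("ca-error: " + r["ca-error"])
        if r.get("expires"):  # certmonger prints UTC; compare aware datetimes
            exp = datetime.strptime(r["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)
            days_left = (exp - now).days
            if days_left < 0:
                reasons.append("expired %d days ago" % -days_left)
            elif days_left <= warn_days:
                reasons.append("expires in %d days" % days_left)
        if reasons:
            problems.append((r["id"], reasons))
    return problems
```

Against a live server, feed it `subprocess.check_output(["ipa-getcert", "list"], text=True)` and `datetime.now(timezone.utc)`; a CA_UNREACHABLE status or a ca-error shows up as a separate reason from expiry, which is what distinguishes "renewal is failing" from "certificate simply ran out".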