Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-20 Thread Natxo Asenjo
ok, so all certs are renewed (dogldap and http).

On Tue, Sep 20, 2016 at 11:49 AM, Natxo Asenjo 
wrote:

>
>
> On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden 
> wrote:
>
>> Natxo Asenjo wrote:
>>
>>> hi,
>>>
>>>
>>> On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden >>
>> Ok, how about we work around the problem.
>>
>
> Gladly ;-)
>
>
>> Since it is failing on the revocation what you might try is removing the
>> userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.
>>
>> I think this will work:
>>
>> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>> 
>>
>> $ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
>>
>> If this doesn't work you can use ldapmodify to delete the usercertificate
>> value.
>>
>> This will remove the certificate value so there is nothing to revoke and
>> a new cert will be saved (hopefully).
>>
>> Now try to resubmit the request via certmonger.
>>
>> It if works then you can run ipa cert-revooke 
>>
>> It isn't a great answer long-term because it is really just working
>> around the problem but it should get the certs renewed.
>>
>>
> ok, so I restarted the httpd service then I could use ipa service-show:
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
>   Serial Number: 175
>   Serial Number (hex): 0xAF
> bash-4.1$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
> ---
> Modified service "ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl"
> ---
>   Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
>   Managed by: kdc01.unix.iriszorg.nl
>
>
> bash-4.1$ sudo ipa-getcert resubmit -i 20121107212513
> Resubmitting "20121107212513" to "IPA".
> bash-4.1$ sudo getcert list
> Number of certificates and requests being tracked: 8.
> Request ID '20121107212513':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Failure decoding
> Certificate Signing Request).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/
> dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
> subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
> expires: 2016-10-12 10:49:24 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
> UNIX-IRISZORG-NL
> track: yes
> auto-renew: yes
>
>
>
> the certificate is gone:
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
> ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'
>   Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>
>
> But then I thought, what the hell, let's try again, restarted httpd,
> resubmitted it, and now it did work ;-)
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl
>   Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
>   Certificate: MIIDrDCCApSgAwIBAgICAPUwDQYJKo
> ZIhvcNAQELBQAwOzEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEeMBwGA1
> UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDkyMDA4MDY1OFoXDT
> E4MDkyMTA4MDY1OFowPDEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEfMB
> 0GA1UEAxMWa2RjMDEudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQ
> EBBQADggEPADCCAQoCggEBAO2QVqrFRb/Q5dhkAi7BK29BJhqTvbaH3bNDLvhe1
> snyChdlr/AIwrJj/53Ti2eJ7u1BtV7u3gSwQ3/xJ0HwUZmOEQHCNDrjcGy+
> iw7lqkC5NaZ8AGt8bSTGWwnJvEGWrb3uEJzVZf+xB5eZa8vFXr+
> Jlcfoq8DbVZhX274pmpVfQOnRckD+AmncuEItHpcJCCHneF0QzA5DQqlTPUFerFm3F/iI/
> k6g9XbHQaNejcUYdhXpy9q0mEuBIIsEzTeNWTTEsUYX5TPVEsN3x2feA0icx
> R6bUTeg2BqSu7ZOuM55iBp3l0d9UAQ7W7yh76FI/Bqz8vIMdS6VsurPS4asLa8CAwEAAaO
> BuDCBtTAfBgNVHSMEGDAWgBSjl+SKLrjPPuoz8ryT1iPeqYQ2aDBEBggr
> BgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAGGKGh0dHA6Ly9rZGMwMS51bml4Lmly
> aXN6b3JnLm5sOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQ
> UFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUBIRsG98GBkIyB/
> BgQKloUlLEJeEwDQYJKoZIhvcNAQELBQADggEBAHN+ggklVf2uzaePwEI9rMObe0WZeOyCLZ
> xEtigDaJIHkq3GzkugxcG8ivD/LnuF0D8m07npfpIMC3QRUJQjFjz6E3rKtqau0QY0BO+
> Dwg1TzItQqXxgHtCqcQ7bmahj2AMPRNUXeZck0p/eueG4wj2kbLwTLU6cOfwnT4IOfszAS
> 9GCql6oQIXlOfG6i6DAodBpgWziDfIrRJsJi4ZE+FvJL/ImJDdW+
> En50UyGp0n31oMSDIxWf1bdWUctSEYhcy9JftzkitNm1FD+a1HzeYyuHthzlHHcSIXN/
> kXRSGktpe8VHE5XLtKnH92vmkMnyxZvE///2+ExHXIAOkwq3ck=
>   Keytab: True
>   Managed by: kdc01.unix.iriszorg.nl
>   Subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
>   Serial Number: 245
>   Serial Number (hex): 0xF5
>   Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
>   Not Before: Tue Sep 

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-20 Thread Natxo Asenjo
On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden  wrote:

> Natxo Asenjo wrote:
>
>> hi,
>>
>>
>> On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden >
> Ok, how about we work around the problem.
>

Gladly ;-)


> Since it is failing on the revocation what you might try is removing the
> userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.
>
> I think this will work:
>
> $ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
> 
>
> $ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
>
> If this doesn't work you can use ldapmodify to delete the usercertificate
> value.
>
> This will remove the certificate value so there is nothing to revoke and a
> new cert will be saved (hopefully).
>
> Now try to resubmit the request via certmonger.
>
> It if works then you can run ipa cert-revooke 
>
> It isn't a great answer long-term because it is really just working around
> the problem but it should get the certs renewed.
>
>
ok, so I restarted the httpd service then I could use ipa service-show:

$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
  Serial Number: 175
  Serial Number (hex): 0xAF
bash-4.1$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl
---
Modified service "ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl"
---
  Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
  Managed by: kdc01.unix.iriszorg.nl


bash-4.1$ sudo ipa-getcert resubmit -i
20121107212513   Resubmitting "20121107212513" to
"IPA".
bash-4.1$ sudo getcert list
Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed at
server.  Certificate operation cannot be completed: Failure decoding
Certificate Signing Request).
stuck: yes
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
expires: 2016-10-12 10:49:24 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv
UNIX-IRISZORG-NL
track: yes
auto-renew: yes



the certificate is gone:
$ ipa service-show ldap/kdc01.unix.iriszorg.nl
ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'
  Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
  Keytab: True
  Managed by: kdc01.unix.iriszorg.nl


But then I thought, what the hell, let's try again, restarted httpd,
resubmitted it, and now it did work ;-)

$ ipa service-show ldap/kdc01.unix.iriszorg.nl
  Principal: ldap/kdc01.unix.iriszorg...@unix.iriszorg.nl
  Certificate:
MIIDrDCCApSgAwIBAgICAPUwDQYJKoZIhvcNAQELBQAwOzEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDkyMDA4MDY1OFoXDTE4MDkyMTA4MDY1OFowPDEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEfMB0GA1UEAxMWa2RjMDEudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2QVqrFRb/Q5dhkAi7BK29BJhqTvbaH3bNDLvhe1snyChdlr/AIwrJj/53Ti2eJ7u1BtV7u3gSwQ3/xJ0HwUZmOEQHCNDrjcGy+iw7lqkC5NaZ8AGt8bSTGWwnJvEGWrb3uEJzVZf+xB5eZa8vFXr+Jlcfoq8DbVZhX274pmpVfQOnRckD+AmncuEItHpcJCCHneF0QzA5DQqlTPUFerFm3F/iI/k6g9XbHQaNejcUYdhXpy9q0mEuBIIsEzTeNWTTEsUYX5TPVEsN3x2feA0icxR6bUTeg2BqSu7ZOuM55iBp3l0d9UAQ7W7yh76FI/Bqz8vIMdS6VsurPS4asLa8CAwEAAaOBuDCBtTAfBgNVHSMEGDAWgBSjl+SKLrjPPuoz8ryT1iPeqYQ2aDBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAGGKGh0dHA6Ly9rZGMwMS51bml4LmlyaXN6b3JnLm5sOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUBIRsG98GBkIyB/BgQKloUlLEJeEwDQYJKoZIhvcNAQELBQADggEBAHN+ggklVf2uzaePwEI9rMObe0WZeOyCLZxEtigDaJIHkq3GzkugxcG8ivD/LnuF0D8m07npfpIMC3QRUJQjFjz6E3rKtqau0QY0BO+Dwg1TzItQqXxgHtCqcQ7bmahj2AMPRNUXeZck0p/eueG4wj2kbLwTLU6cOfwnT4IOfszAS9GCql6oQIXlOfG6i6DAodBpgWziDfIrRJsJi4ZE+FvJL/ImJDdW+En50UyGp0n31oMSDIxWf1bdWUctSEYhcy9JftzkitNm1FD+a1HzeYyuHthzlHHcSIXN/kXRSGktpe8VHE5XLtKnH92vmkMnyxZvE///2+ExHXIAOkwq3ck=
  Keytab: True
  Managed by: kdc01.unix.iriszorg.nl
  Subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
  Serial Number: 245
  Serial Number (hex): 0xF5
  Issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
  Not Before: Tue Sep 20 08:06:58 2016 UTC
  Not After: Fri Sep 21 08:06:58 2018 UTC
  Fingerprint (MD5): f8:d3:cb:6f:4c:ca:e4:f3:47:65:51:d3:2c:69:84:df
  Fingerprint (SHA1):
e3:0a:66:19:d7:36:fe:c4:ff:58:bf:90:35:3e:0b:31:cb:a0:58:37

So I could revoke the old one:

$ ipa cert-revoke 175
  Revoked: True


and now getcert list shows the certificate 

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-19 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,


On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden > wrote:

The 3 certs you list are the ones that are renewed via the IPA API
(as opposed to the subsystem certs renewed directly by dogtag). I
think the failures are all related. I had someone else report the
CSR decoding failure and he just restarted IPA and that fixes things
for him though it was a rather unsatisfying fix.

What I'd do is this. Assuming each step works, move onto the next.

1. ipa cert-show 1

The serial # picked more or less at random, we're testing
connectivity and that the CA is up and operational.

2. I assume that getcert list | grep expire shows all certs
currently valid? The IPA service certs expire in a month, how about
the CA subsystem certs?

3. Is this the same server having problems talking to the CA due to
the other NSS errors? If so what I'd do is restart httpd then
immediately use ipa-getcert to resubmit the requests to try to get
into that few minute window.

If this is the same box you already have debugging enabled so seeing
what that shows might be helpful.

rob



yes, all certs are valid (see attachment getcert.txt).

So I restarted httpd, I could execute ipa cert-show 1 and get an answer,
inmediately after I run

$ sudo ipa-getcert resubmit -i 20121107212513
Resubmitting "20121107212513" to "IPA".

and now the status is the one you see in the attached getcert.txt file.
The server failed request, will retry.

I do not know if it's important, but I saw that the usercertificate
attribute of the pki user admin was expired.1

I attach the error_log of httpd as well.


Ok, how about we work around the problem.

Since it is failing on the revocation what you might try is removing the 
userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.


I think this will work:

$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial


$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl

If this doesn't work you can use ldapmodify to delete the 
usercertificate value.


This will remove the certificate value so there is nothing to revoke and 
a new cert will be saved (hopefully).


Now try to resubmit the request via certmonger.

It if works then you can run ipa cert-revooke 

It isn't a great answer long-term because it is really just working 
around the problem but it should get the certs renewed.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Petr Vobornik
On 09/16/2016 04:22 PM, Rob Crittenden wrote:
> Natxo Asenjo wrote:
>> hi,
>>
>>
>> On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti > > wrote:
>>
>>
>>
>> On 16.09.2016 09:38, Natxo Asenjo wrote:
>>> hi,
>>>
>>>
>>> On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo
>>> 
>>>
>>> On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti
>>> > wrote:
>>>
>>>
>>>
>>> On 15.09.2016 12:44, Natxo Asenjo wrote:
 hi,

 On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti
 > wrote:


 Hello,

 usually the most information can be found here
 /var/log/pki/pki-tomcat/ca/debug


 mmm, in this centos 6.8 system that does not exist:

 # ls -l /var/log/pki/pki-tomcat/ca/debug
 ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No
 such file or directory


 I do have a /var/log/pki-ca/debug


>>> Does it contain any information related to your issue?
>>>
>>>
>>> I have tried renewing the certificate:
>>>
>>> ipa-getcert resubmit -i 20121107212513
>>>
>>>
>>> If I grep that file for that request id I find nothing recent,
>>> just in the ipaserver installation log
>>>
>>> # cd /var/log
>>> # grep -ri 20121107212513 *.log
>>> ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New
>>> tracking request "20121107212513" added.
>>>
>>> # grep -ri 20121107212513 pki-ca
>>> #
>>>
>>>
>>> Any clues?
>>>
>>>
>>> --
>>> Groeten,
>>> natxo
>>
>>
>> Sorry, I'm quite lost here, maybe somebody from dogtag can help what
>> might be reason of those CA errors
>>
>>
>>
>> do I need to ask in the dogtag list?
> 
> You won't find any errors on this in the dogtag logs because it isn't
> getting that far.
> 
> The 3 certs you list are the ones that are renewed via the IPA API (as
> opposed to the subsystem certs renewed directly by dogtag). I think the
> failures are all related. I had someone else report the CSR decoding
> failure and he just restarted IPA and that fixes things for him though
> it was a rather unsatisfying fix.
> 
> What I'd do is this. Assuming each step works, move onto the next.
> 
> 1. ipa cert-show 1
> 
> The serial # picked more or less at random, we're testing connectivity
> and that the CA is up and operational.
> 
> 2. I assume that getcert list | grep expire shows all certs currently
> valid? The IPA service certs expire in a month, how about the CA
> subsystem certs?
> 
> 3. Is this the same server having problems talking to the CA due to the
> other NSS errors? If so what I'd do is restart httpd then immediately
> use ipa-getcert to resubmit the requests to try to get into that few
> minute window.

The error log from thread [Freeipa-users] ipa: ERROR: Certificate format
error: (SEC_ERROR_LEGACY_DATABASE) The certificate/key database is in an
old, unsupported format." looks like it.

> 
> If this is the same box you already have debugging enabled so seeing
> what that shows might be helpful.
> 
> rob
> 


-- 
Petr Vobornik

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Rob Crittenden

Natxo Asenjo wrote:

hi,


On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti > wrote:



On 16.09.2016 09:38, Natxo Asenjo wrote:

hi,


On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo


On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti
> wrote:



On 15.09.2016 12:44, Natxo Asenjo wrote:

hi,

On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti
> wrote:


Hello,

usually the most information can be found here
/var/log/pki/pki-tomcat/ca/debug


mmm, in this centos 6.8 system that does not exist:

# ls -l /var/log/pki/pki-tomcat/ca/debug
ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No
such file or directory


I do have a /var/log/pki-ca/debug



Does it contain any information related to your issue?


I have tried renewing the certificate:

ipa-getcert resubmit -i 20121107212513


If I grep that file for that request id I find nothing recent,
just in the ipaserver installation log

# cd /var/log
# grep -ri 20121107212513 *.log
ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New
tracking request "20121107212513" added.

# grep -ri 20121107212513 pki-ca
#


Any clues?


--
Groeten,
natxo



Sorry, I'm quite lost here, maybe somebody from dogtag can help what
might be reason of those CA errors



do I need to ask in the dogtag list?


You won't find any errors on this in the dogtag logs because it isn't 
getting that far.


The 3 certs you list are the ones that are renewed via the IPA API (as 
opposed to the subsystem certs renewed directly by dogtag). I think the 
failures are all related. I had someone else report the CSR decoding 
failure and he just restarted IPA and that fixes things for him though 
it was a rather unsatisfying fix.


What I'd do is this. Assuming each step works, move onto the next.

1. ipa cert-show 1

The serial # picked more or less at random, we're testing connectivity 
and that the CA is up and operational.


2. I assume that getcert list | grep expire shows all certs currently 
valid? The IPA service certs expire in a month, how about the CA 
subsystem certs?


3. Is this the same server having problems talking to the CA due to the 
other NSS errors? If so what I'd do is restart httpd then immediately 
use ipa-getcert to resubmit the requests to try to get into that few 
minute window.


If this is the same box you already have debugging enabled so seeing 
what that shows might be helpful.


rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Natxo Asenjo
hi,


On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti  wrote:

>
>
> On 16.09.2016 09:38, Natxo Asenjo wrote:
>
> hi,
>
>
> On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo  
>>
>> On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti  wrote:
>>
>>>
>>>
>>> On 15.09.2016 12:44, Natxo Asenjo wrote:
>>>
>>> hi,
>>>
>>> On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti 
>>> wrote:
>>>

 Hello,

 usually the most information can be found here
 /var/log/pki/pki-tomcat/ca/debug

>>>
>>> mmm, in this centos 6.8 system that does not exist:
>>>
>>> # ls -l /var/log/pki/pki-tomcat/ca/debug
>>> ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such file or
>>> directory
>>>
>>>
>>> I do have a /var/log/pki-ca/debug
>>>
>>>
>>>
>>> Does it contain any information related to your issue?
>>>
>>
>> I have tried renewing the certificate:
>>
>> ipa-getcert resubmit -i 20121107212513
>>
>>
>> If I grep that file for that request id I find nothing recent, just in
>> the ipaserver installation log
>>
>> # cd /var/log
>> # grep -ri 20121107212513 *.log
>> ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New tracking
>> request "20121107212513" added.
>>
>> # grep -ri 20121107212513 pki-ca
>> #
>>
>>
> Any clues?
>
>
> --
> Groeten,
> natxo
>
>
>
> Sorry, I'm quite lost here, maybe somebody from dogtag can help what might
> be reason of those CA errors
>


do I need to ask in the dogtag list?
-- 
--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Martin Basti



On 16.09.2016 09:38, Natxo Asenjo wrote:

hi,


On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo 


On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti > wrote:



On 15.09.2016 12:44, Natxo Asenjo wrote:

hi,

On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti
> wrote:


Hello,

usually the most information can be found here
/var/log/pki/pki-tomcat/ca/debug


mmm, in this centos 6.8 system that does not exist:

# ls -l /var/log/pki/pki-tomcat/ca/debug
ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such
file or directory


I do have a /var/log/pki-ca/debug



Does it contain any information related to your issue?


I have tried renewing the certificate:

ipa-getcert resubmit -i 20121107212513


If I grep that file for that request id I find nothing recent,
just in the ipaserver installation log

# cd /var/log
# grep -ri 20121107212513 *.log
ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New
tracking request "20121107212513" added.

# grep -ri 20121107212513 pki-ca
#


Any clues?


--
Groeten,
natxo



Sorry, I'm quite lost here, maybe somebody from dogtag can help what 
might be reason of those CA errors
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-16 Thread Natxo Asenjo
hi,


On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo 
>
> On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti  wrote:
>
>>
>>
>> On 15.09.2016 12:44, Natxo Asenjo wrote:
>>
>> hi,
>>
>> On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti  wrote:
>>
>>>
>>> Hello,
>>>
>>> usually the most information can be found here
>>> /var/log/pki/pki-tomcat/ca/debug
>>>
>>
>> mmm, in this centos 6.8 system that does not exist:
>>
>> # ls -l /var/log/pki/pki-tomcat/ca/debug
>> ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such file or
>> directory
>>
>>
>> I do have a /var/log/pki-ca/debug
>>
>>
>>
>> Does it contain any information related to your issue?
>>
>
> I have tried renewing the certificate:
>
> ipa-getcert resubmit -i 20121107212513
>
>
> If I grep that file for that request id I find nothing recent, just in the
> ipaserver installation log
>
> # cd /var/log
> # grep -ri 20121107212513 *.log
> ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New tracking
> request "20121107212513" added.
>
> # grep -ri 20121107212513 pki-ca
> #
>
>
Any clues?


--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Natxo Asenjo
On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti  wrote:

>
>
> On 15.09.2016 12:44, Natxo Asenjo wrote:
>
> hi,
>
> On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti  wrote:
>
>>
>> Hello,
>>
>> usually the most information can be found here
>> /var/log/pki/pki-tomcat/ca/debug
>>
>
> mmm, in this centos 6.8 system that does not exist:
>
> # ls -l /var/log/pki/pki-tomcat/ca/debug
> ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such file or
> directory
>
>
> I do have a /var/log/pki-ca/debug
>
>
>
> Does it contain any information related to your issue?
>

I have tried renewing the certificate:

ipa-getcert resubmit -i 20121107212513


If I grep that file for that request id I find nothing recent, just in the
ipaserver installation log

# cd /var/log
# grep -ri 20121107212513 *.log
ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New tracking
request "20121107212513" added.

# grep -ri 20121107212513 pki-ca
#








-- 
--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Martin Basti



On 15.09.2016 12:44, Natxo Asenjo wrote:

hi,

On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti > wrote:



Hello,

usually the most information can be found here
/var/log/pki/pki-tomcat/ca/debug


mmm, in this centos 6.8 system that does not exist:

# ls -l /var/log/pki/pki-tomcat/ca/debug
ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such file or 
directory



I do have a /var/log/pki-ca/debug



Does it contain any information related to your issue?




--
--
Groeten,
natxo


-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Natxo Asenjo
hi,

On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti  wrote:

>
> Hello,
>
> usually the most information can be found here
> /var/log/pki/pki-tomcat/ca/debug
>

mmm, in this centos 6.8 system that does not exist:

# ls -l /var/log/pki/pki-tomcat/ca/debug
ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No such file or
directory


I do have a /var/log/pki-ca/debug




-- 
--
Groeten,
natxo
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project

Re: [Freeipa-users] certificates not renewing CA_UNREACHEABLE

2016-09-15 Thread Martin Basti



On 15.09.2016 11:29, Natxo Asenjo wrote:

hi,

one of our master servers has a problem with its certificates:

# getcert list

Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 907 (RPC failed 
at server.  cannot connect to 
'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': 
(SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL 

subject: CN=kdc01.unix.iriszorg.nl 
,O=UNIX.IRISZORG.NL 


expires: 2016-10-12 10:49:24 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_dirsrv 
UNIX-IRISZORG-NL

track: yes
auto-renew: yes
Request ID '20121107212532':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed 
at server.  Certificate operation cannot be completed: Failure 
decoding Certificate Signing Request).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL 

subject: CN=kdc01.unix.iriszorg.nl 
,O=UNIX.IRISZORG.NL 


expires: 2016-10-12 10:49:25 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
Request ID '20121107212548':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 4301 (RPC failed 
at server.  Certificate operation cannot be completed: Failure 
decoding Certificate Signing Request).

stuck: yes
key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'

CA: IPA
issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL 

subject: CN=kdc01.unix.iriszorg.nl 
,O=UNIX.IRISZORG.NL 


expires: 2016-10-12 10:49:24 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


Where should I start looking?

In /var/log/httpd/error_log there is nothing of consquence.

--
--
Groeten,
natxo



Hello,

usually the most information can be found here
/var/log/pki/pki-tomcat/ca/debug

Martin
-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project