Hello Florence,
> the tool ipa-cacert-manage is used to renew IPA CA certificate, not the
> https certificate. It is a common mistake (IPA CA certificate is the
> certificate authority that has delivered the https and ldaps certificates).

Yes

> But now that you have renewed the CA certificate, you need to distribute
> this new cert on all the machines by calling (on each IPA client or server):
> $ sudo kinit admin
> $ sudo ipa-certupdate

Actually I reverted the ipa-cacert-manage action by using a backup. So obviously it did not fix my problem, but it was not the cause either.

The weird thing was that the SSL certificate was not tracked. I manually updated the certificate using certutil and could start tracking it.

But the LDAP server certificate was also expired. [Fraser is currently trying to help me with that.]

My current situation is that I am trying to get the LDAP certificate tracked by ipa-getcert so that it gets renewed, but it fails:

% ipa-getcert start-tracking -d /etc/dirsrv/slapd-QUARTZBIO-COM/ -n Server-Cert -p /etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt -K ldap/[email protected] -D ipa.quartzbio.com

Request ID '20170731130244':
	status: MONITORING
	ca-error: Unable to determine principal name for signing request.
	stuck: no
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-QUARTZBIO-COM/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-QUARTZBIO-COM',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=QUARTZBIO.COM
	subject: CN=ipa.quartzbio.com,O=QUARTZBIO.COM
	expires: 2017-07-09 09:42:28 UTC
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

Thanks for your help.
Karl

> The https and ldaps certificates should be automatically renewed by
> certmonger.
> There was probably an issue during the automatic cert renewal,
> you can find more information in the journal log and using certmonger's
> tool:
> $ sudo getcert list
>
> This will provide you with a list of certificates tracked by certmonger,
> along with their expiration date (in front of the tag "expires: "). Please
> check which certificates are expired, and the error message that can help
> troubleshoot.
>
> You can find troubleshooting tips here [1] and there [2].
> Flo
>
> [1] https://floblanc.wordpress.com/2016/12/19/troubleshooting-certmonger-issues-with-freeipa/
> [2] https://access.redhat.com/solutions/643753
>
>> So it seemed to go well. I tried to restart ipa but it failed:
>> # ipactl start
>> Starting Directory Service
>> Starting krb5kdc Service
>> Starting kadmin Service
>> Starting named Service
>> Starting ipa_memcached Service
>> Starting httpd Service
>> Job for httpd.service failed because the control process exited with
>> error code. See "systemctl status httpd.service" and "journalctl -xe"
>> for details.
>> Failed to start httpd Service
>> Shutting down
>>
>> What went wrong? I'm running in a freeipa-server docker on a linux
>> server...
>> It is quite a big deal since I can not run my master freeipa anymore,
>> even from a backup!
>>
>> Moreover, even after starting from a backup of the ipa data, the httpd
>> service still fails.
>> Could it be caused by the replica server?
>>
>> Thanks.
>>
>> logs
>> ===
>>
>> # systemctl status httpd.service
>> * httpd.service - The Apache HTTP Server
>>    Loaded: loaded (/usr/lib/systemd/system/httpd.service)
>>   Drop-In: /usr/lib/systemd/system/httpd.service.d
>>            `-abc.conf
>>    Active: failed (Result: exit-code) since Tue 2017-07-11 17:21:57 CEST; 3min 52s ago
>>   Process: 28719 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
>>   Process: 28717 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
>>   Process: 28716 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
>>  Main PID: 28717 (code=exited, status=1/FAILURE)
>>
>> Jul 11 17:21:56 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
>> Jul 11 17:21:56 ipa.quartzbio.com ipa-httpd-kdcproxy[28716]: ipa : INFO KDC proxy enabled
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
>> Jul 11 17:21:57 ipa.quartzbio.com systemd[1]: Stopped The Apache HTTP Server.
>>
>> and (excerpt from journalctl -xe)
>>
>> -- The start-up result is done.
>> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28918:604682378 (system bus name :1.41, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
>> Jul 11 17:29:15 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-hwdb-update.service: Cannot add dependency job, ignoring: Unit systemd-hwdb-update.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dev-hugepages.mount: Cannot add dependency job, ignoring: Unit dev-hugepages.mount is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: ldconfig.service: Cannot add dependency job, ignoring: Unit ldconfig.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: swap.target: Cannot add dependency job, ignoring: Unit swap.target is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: sys-fs-fuse-connections.mount: Cannot add dependency job, ignoring: Unit sys-fs-fuse-connections.mount is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: local-fs.target: Cannot add dependency job, ignoring: Unit local-fs.target is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: systemd-update-done.service: Cannot add dependency job, ignoring: Unit systemd-update-done.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: slices.target: Cannot add dependency job, ignoring: Unit slices.target is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: dnf-makecache.timer: Cannot add dependency job, ignoring: Unit dnf-makecache.timer is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: fedora-autorelabel-mark.service: Cannot add dependency job, ignoring: Unit fedora-autorelabel-mark.service is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: rpcbind.socket: Cannot add dependency job, ignoring: Unit rpcbind.socket is masked.
>> Jul 11 17:29:15 ipa.quartzbio.com systemd[1]: Starting The Apache HTTP Server...
>> -- Subject: Unit httpd.service has begun start-up
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit httpd.service has begun starting up.
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: sending notifies (serial 1499786955)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 70.9.10.in-addr.arpa/IN: loaded serial 1499786955
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: sending notifies (serial 1499786955)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone 0.17.172.in-addr.arpa/IN: loaded serial 1499786955
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: sending notifies (serial 1499786955)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: zone quartzbio.com/IN: loaded serial 1499786955
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: 3 master zones from LDAP instance 'ipa' loaded (3 zones defined, 0 inactive, 0 failed to load)
>> Jul 11 17:29:15 ipa.quartzbio.com named-pkcs11[28910]: checkhints: unable to get root NS rrset from cache: not found
>> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
>> Jul 11 17:29:16 ipa.quartzbio.com ns-slapd[28813]: GSSAPI client step 1
>> Jul 11 17:29:16 ipa.quartzbio.com ipa-httpd-kdcproxy[28938]: ipa : INFO KDC proxy enabled
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Main process exited, code=exited, status=1/FAILURE
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Failed to start The Apache HTTP Server.
>> -- Subject: Unit httpd.service has failed
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>> --
>> -- Unit httpd.service has failed.
>> --
>> -- The result is failed.
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Unit entered failed state.
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: httpd.service: Failed with result 'exit-code'.
>> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Unregistered Authentication Agent for unix-process:28932:604682393 (system bus name :1.42, object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C) (disconnected from bus)
>> Jul 11 17:29:16 ipa.quartzbio.com polkitd[28301]: Registered Authentication Agent for unix-process:28944:604682474 (system bus name :1.43 [/usr/bin/pkttyagent --notify-fd 5 --fallback], object path /org/freedesktop/PolicyKit1/AuthenticationAgent, locale C)
>> Jul 11 17:29:16 ipa.quartzbio.com systemd[1]: Stopping Kerberos 5 KDC...
>> -- Subject: Unit krb5kdc.service has begun shutting down
>> -- Defined-By: systemd
>> -- Support: http://lists.freedesktop.org/mailman/listinfo/systemd-devel
>>
>> _______________________________________________
>> FreeIPA-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
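Added example, my own code rather than anything from the thread, certmonger or FreeIPA: a POSIX shell script that does by machine what Florence's `sudo getcert list` step asks you to do by eye. It reads `getcert list` output and prints one line per tracked request with its expiry and a verdict (OK, CA-ERROR, STUCK or EXPIRED), so an already-expired certificate or a ca-error such as "Unable to determine principal name for signing request" stands out, and a second function turns that into a pass/fail exit status for cron or a monitoring check. The sample output it runs on is constructed (EXAMPLE.COM names, two requests) and the function names are mine; on a real server you would pipe the live command into it instead.

```shell
#!/bin/sh
# Added example, not code from the thread or from FreeIPA/certmonger: turn
# `getcert list` output into one line per tracked request and flag requests
# that are expired, stuck, or carrying a ca-error.
# On a real server:   getcert list | certmonger_report
# certmonger prints expiry as "YYYY-MM-DD HH:MM:SS UTC", so a plain string
# comparison against a reference time in the same format is sufficient.

# Constructed sample of `getcert list` output (EXAMPLE.COM, not a real host):
# one request with an expired cert plus a ca-error, one healthy request.
SAMPLE_GETCERT_LIST=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20170731130244':
  status: MONITORING
  ca-error: Unable to determine principal name for signing request.
  stuck: no
  key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-COM/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=ipa.example.com,O=EXAMPLE.COM
  expires: 2017-07-09 09:42:28 UTC
  track: yes
  auto-renew: yes
Request ID '20150601120000':
  status: MONITORING
  stuck: no
  key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
  certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
  CA: IPA
  issuer: CN=Certificate Authority,O=EXAMPLE.COM
  subject: CN=ipa.example.com,O=EXAMPLE.COM
  expires: 2019-06-01 12:00:00 UTC
  track: yes
  auto-renew: yes
EOF
)

# certmonger_report [NOW]: read `getcert list` text on stdin and print, tab-separated,
#   request-id  location  nickname  status  expires  verdict  ca-error
# NOW defaults to the current UTC time in the same format certmonger prints.
certmonger_report() {
    now=${1:-$(date -u '+%Y-%m-%d %H:%M:%S UTC')}
    awk -v now="$now" '
    function flush() {
        if (id == "") return
        # Most severe verdict wins: an expired cert matters more than why it is stuck.
        verdict = "OK"
        if (caerr != "") verdict = "CA-ERROR"
        if (stuck == "yes") verdict = "STUCK"
        if (expires ~ /^[0-9]/ && expires < now) verdict = "EXPIRED"
        printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", id, loc, nick, status, expires, verdict, caerr
        id = loc = nick = status = stuck = expires = caerr = ""
    }
    # Each "Request ID" line starts a new record; \047 is the single quote around the id.
    /^Request ID/ { flush(); id = $3; gsub(/\047/, "", id); sub(/:$/, "", id) }
    /^[ \t]*status:/   { status = $0;  sub(/^[ \t]*status: */, "", status) }
    /^[ \t]*ca-error:/ { caerr = $0;   sub(/^[ \t]*ca-error: */, "", caerr) }
    /^[ \t]*stuck:/    { stuck = $0;   sub(/^[ \t]*stuck: */, "", stuck) }
    /^[ \t]*expires:/  { expires = $0; sub(/^[ \t]*expires: */, "", expires) }
    /^[ \t]*certificate:/ {
        loc = $0;  sub(/.*location=/, "", loc);  sub(/,.*/, "", loc);  gsub(/\047/, "", loc)
        nick = $0; sub(/.*nickname=/, "", nick); sub(/,.*/, "", nick); gsub(/\047/, "", nick)
    }
    END { flush() }'
}

# certmonger_problems [NOW]: exit 0 when every request is OK; otherwise print the
# offending report lines on stderr and exit 1 (usable from cron or a monitoring probe).
certmonger_problems() {
    bad=$(certmonger_report "$1" | awk -F'\t' '$6 != "OK"')
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" >&2
    return 1
}

# Stand-alone run against the constructed sample, with "now" pinned to the day
# the tracking request above was created so the expired entry is reported as such.
printf '%s\n' "$SAMPLE_GETCERT_LIST" | certmonger_report '2017-07-31 13:02:44 UTC'
```

The verdict column is what you act on: EXPIRED means certmonger can no longer renew on its own and the cert has to be re-issued (or, for the CA's own cert, ipa-cacert-manage followed by ipa-certupdate), while CA-ERROR with a still-valid cert is the case to fix before it turns into the first one. Pinning NOW in the call is also a cheap way to ask "what will be expired next month" without touching the clock.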
