Dear flo,

Thank you for your help with this, but something still seems to be preventing the renewal from actually happening even after going back in time, and waiting.

My service slot is open until lunchtime today, so hopefully it will be a quick additional step required to get this fixed.

Any ideas?

Thanks

Best wishes

Stuart




After a reboot...

[root@freeipa01 ~]# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Failed to start httpd Service
Forced start, ignoring httpd Service, continuing normal operation
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service

Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@freeipa01 ~]#
[root@freeipa01 ~]# systemctl stop ntpd.service
[root@freeipa01 ~]# date
Wed 16 Sep 09:09:19 BST 2020
[root@freeipa01 ~]# date 08160838
Sun 16 Aug 08:38:00 BST 2020
[root@freeipa01 ~]# date
Sun 16 Aug 08:38:04 BST 2020
[root@freeipa01 ~]# systemctl start httpd
[root@freeipa01 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
  Drop-In: /etc/systemd/system/httpd.service.d
           └─ipa.conf
   Active: active (running) since Sun 2020-08-16 08:38:33 BST; 7s ago
     Docs: man:httpd.service(8)
  Process: 1221 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
  Process: 1703 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
 Main PID: 1704 (httpd)
   Status: "Processing requests..."
    Tasks: 92 (limit: 4915)
   CGroup: /system.slice/httpd.service
           ├─1704 /usr/sbin/httpd -DFOREGROUND
           ├─1705 /usr/libexec/nss_pcache 589836 off /etc/httpd/alias
           ├─1706 (wsgi:kdcproxy) -DFOREGROUND
           ├─1707 (wsgi:kdcproxy) -DFOREGROUND
           ├─1708 (wsgi:ipa)      -DFOREGROUND
           ├─1709 (wsgi:ipa)      -DFOREGROUND
           ├─1710 /usr/sbin/httpd -DFOREGROUND
           ├─1711 /usr/sbin/httpd -DFOREGROUND
           ├─1712 /usr/sbin/httpd -DFOREGROUND
           ├─1713 /usr/sbin/httpd -DFOREGROUND
           └─1714 /usr/sbin/httpd -DFOREGROUND

Aug 16 08:38:33 freeipa01.OUR_DOMAIN systemd[1]: Starting The Apache HTTP Server...
Aug 16 08:38:33 freeipa01.OUR_DOMAIN ipa-httpd-kdcproxy[1703]: ipa         : INFO     KDC proxy enabled
Aug 16 08:38:33 freeipa01.OUR_DOMAIN systemd[1]: Started The Apache HTTP Server.
[root@freeipa01 ~]# getcert resubmit -i 20170405152512
Resubmitting "20170405152512" to "IPA".
[root@freeipa01 ~]# sleep 200
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
        status: CA_UNREACHABLE
        ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
        subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
        expires: 2020-09-04 17:46:56 BST
        principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 08:43:50 BST 2020
[root@freeipa01 ~]#
[root@freeipa01 ~]#
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
        status: CA_UNREACHABLE
        ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
        subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
        expires: 2020-09-04 17:46:56 BST
        principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
        status: CA_UNREACHABLE
        ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
        subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
        expires: 2020-09-04 17:46:56 BST
        principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/libexec/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 08:58:23 BST 2020
_______________________________________________
FreeIPA-users mailing list -- [email protected]