On 9/16/20 11:42 AM, Stuart McRobert via FreeIPA-users wrote:
Dear flo,

At this point you also need to restart pki:

Thanks, restarted and resubmitted the request, then waited, but sadly I guess something else may also need attention?

Best wishes

Stuart

----------------------------------------------------------------------------------------------------------------

[root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Wed 2020-09-16 09:03:41 BST; 1 months 0 days left
  Process: 1236 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS)
 Main PID: 1353 (java)
    Tasks: 91 (limit: 4915)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─1353 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -Djava.library.path=/usr/lib64/nuxwd

Aug 16 09:42:58 freeipa01.our_domain server[1353]: Aug 16, 2020 9:42:58 AM org.apache.catalina.core.ContainerBase bac
Aug 16 09:42:58 freeipa01.our_domain server[1353]: WARNING: Exception processing realm com.netscape.cms.tomcat.ProxyR
Aug 16 09:42:58 freeipa01.our_domain server[1353]: javax.ws.rs.ServiceUnavailableException: Subsystem unavailable
Aug 16 09:42:58 freeipa01.our_domain server[1353]:         at com.netscape.cms.tomcat.ProxyRealm.backgroundProcess(Pr
Aug 16 09:42:58 freeipa01.our_domain server[1353]:         at org.apache.catalina.core.ContainerBase.backgroundProces
Aug 16 09:42:58 freeipa01.our_domain server[1353]:         at org.apache.catalina.core.StandardContext.backgroundProc
Aug 16 09:42:58 freeipa01.our_domain server[1353]:         at org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]:         at org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]:         at org.apache.catalina.core.ContainerBase$ContainerBackgro
Aug 16 09:42:58 freeipa01.our_domain server[1353]:         at java.lang.Thread.run(Thread.java:748)
[root@freeipa01 ~]# systemctl restart pki-tomcatd@pki-tomcat.service
[root@freeipa01 ~]# systemctl status pki-tomcatd@pki-tomcat.service
pki-tomcatd@pki-tomcat.service - PKI Tomcat Server pki-tomcat
   Loaded: loaded (/lib/systemd/system/pki-tomcatd@.service; enabled; vendor preset: disabled)
   Active: active (running) since Sun 2020-08-16 09:43:19 BST; 3s ago
  Process: 1987 ExecStop=/usr/libexec/tomcat/server stop (code=exited, status=0/SUCCESS)
  Process: 2021 ExecStartPre=/usr/bin/pkidaemon start pki-tomcat (code=exited, status=0/SUCCESS)
 Main PID: 2135 (java)
    Tasks: 17 (limit: 4915)
   CGroup: /system.slice/system-pki\x2dtomcatd.slice/pki-tomcatd@pki-tomcat.service
           └─2135 /usr/lib/jvm/jre-1.8.0-openjdk/bin/java -DRESTEASY_LIB=/usr/share/java/resteasy -Djava.library.path=/usr/lib64/nuxwd

Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catal
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.jasper.servlet.TldScanner scanJ
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: At least one JAR was scanned for TLDs yet contained no TLDs.
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deployment of configuration descriptor /etc/pki/pki-tomcat/C
Aug 16 09:43:22 freeipa01.our_domain server[2135]: Aug 16, 2020 9:43:22 AM org.apache.catalina.startup.HostConfig dep
Aug 16 09:43:22 freeipa01.our_domain server[2135]: INFO: Deploying configuration descriptor /etc/pki/pki-tomcat/Catal
Aug 16 09:43:22 freeipa01.our_domain server[2135]: SSLAuthenticatorWithFallback: Creating SSL authenticator with fall
Aug 16 09:43:22 freeipa01.our_domain server[2135]: SSLAuthenticatorWithFallback: Setting container
[root@freeipa01 ~]# getcert resubmit -i 20170405152512
Resubmitting "20170405152512" to "IPA".
[root@freeipa01 ~]# sleep 120
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
     status: CA_UNREACHABLE
    ca-error: Server at https://freeipa01.our_domain/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).

Hi,
can you enable debug logs? Create a file /etc/ipa/server.conf with the following content:
[global]
debug=True

then restart httpd: systemctl restart httpd
and check the content of /var/log/httpd/error_log when you run the getcert resubmit command. This may provide additional information, around a line with "cert_request(..."

The operation should also be visible in /var/log/pki/pki-tomcat/localhost_access_log.$DATE.txt with "POST ca/rest/certrequests?..." and in /var/log/pki/pki-tomcat/ca/debug.

flo
     stuck: no
     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
     expires: 2020-09-04 17:46:56 BST
     principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 09:46:26 BST 2020
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
     status: CA_UNREACHABLE
    ca-error: Server at https://freeipa01.our_domain/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
     stuck: no
     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=OUR_DOMAIN
     subject: CN=freeipa01.our_domain,O=OUR_DOMAIN
     expires: 2020-09-04 17:46:56 BST
     principal name: HTTP/freeipa01.our_domain@OUR_DOMAIN
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 09:53:16 BST 2020
[root@freeipa01 ~]#
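The triage steps flo lists (check that debug=True is set in /etc/ipa/server.conf, look for cert_request in the httpd error_log, look for failed POST ca/rest/certrequests in the pki-tomcat access log) and the getcert list output above, as a set of shell helpers. This is an added example, not code from the thread or from FreeIPA; the Apache error_log and Tomcat "common" access-log layouts it parses are assumptions, and the sample input in the usage below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeIPA. Helpers for the triage flo
# describes: the debug flag in /etc/ipa/server.conf, cert_request entries in the
# httpd error_log, non-2xx "POST /ca/rest/certrequests" in the tomcat access log,
# and certmonger requests that are not in MONITORING state. Log layouts are
# assumptions (Apache error_log, Tomcat "common" access log); sample data in the
# usage is constructed.

# Succeed when the ipa server.conf given (default /etc/ipa/server.conf) has
# debug=True inside its [global] section; a commented or misplaced line does not count.
ipa_debug_enabled() {
    awk '
        /^\[/ { in_global = ($0 ~ /^\[global\]/) }
        in_global && tolower($0) ~ /^[[:space:]]*debug[[:space:]]*=[[:space:]]*true/ { found = 1 }
        END { exit (found ? 0 : 1) }
    ' "${1:-/etc/ipa/server.conf}"
}

# From "getcert list" output, print "ID STATUS" for every tracked request whose
# status is anything other than MONITORING (e.g. CA_UNREACHABLE as in the thread).
getcert_unhealthy() {
    awk '
        /^Request ID/ { gsub(/[^0-9]/, "", $3); id = $3 }
        /^[[:space:]]*status:/ && $2 != "MONITORING" { print id, $2 }
    ' "$@"
}

# Print access-log entries for POST /ca/rest/certrequests whose HTTP status is
# not 2xx. Assumed layout: host ident user [time] "request" status bytes.
pki_failed_certrequests() {
    awk 'index($0, "\"POST /ca/rest/certrequests") > 0 {
        split($0, part, "\"")            # part[3] holds " STATUS BYTES"
        split(part[3], tail, " ")
        if (tail[1] !~ /^2[0-9][0-9]$/) print
    }' "$@"
}

# Print error_log lines from the IPA cert_request call (the string flo says to
# look for) and the CA error text quoted in the certmonger ca-error above.
ipa_cert_request_errors() {
    grep -E 'cert_request\(|Non-2xx response from CA REST API' "$@"
}

# Usage: getcert list > /tmp/gc.txt; getcert_unhealthy /tmp/gc.txt
#        pki_failed_certrequests /var/log/pki/pki-tomcat/localhost_access_log.*.txt
#        ipa_cert_request_errors /var/log/httpd/error_log
```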

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
