On 2/9/21 10:40 AM, SRM via FreeIPA-users wrote:
First of all, thank you for taking the time to reply. I thought "ipa-cacert-manage renew" is for renewing 
the IPA CA and "ipa-certupdate" is for renewing certificates, so should I use "ipa cert-request" to 
get renewed / new certificates? And the pki-tomcatd service broke even before the certificates expired, with authentication 
error (48). By the way, here is the Reddit thread I've created, which has better formatting.

Here is the output of the getcert list command. Please note that the status of the first 6 
changes from SUBMITTING to MONITORING, while the status of the last 3 changes 
from SUBMITTING to CA_UNREACHABLE.

CA UNREACHABLE may correspond to many different errors, but let's first check whether the CA is running. What is the output of ipactl status? Can you run "kinit admin; ipa cert-show 1"?

flo

Number of certificates and requests being tracked: 9.
Request ID '20190129222559':
         status: MONITORING
         stuck: no
         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=IPA RA,O=ourorg.COM
         expires: 2021-01-18 22:25:59 UTC
         key usage: digitalSignature,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
         track: yes
         auto-renew: yes
Request ID '20190129222609':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=CA Audit,O=ourorg.COM
         expires: 2021-01-18 22:25:41 UTC
         key usage: digitalSignature,nonRepudiation
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20190129222610':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=OCSP Subsystem,O=ourorg.COM
         expires: 2021-01-18 22:25:41 UTC
         eku: id-kp-OCSPSigning
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20190129222611':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=CA Subsystem,O=ourorg.COM
         expires: 2021-01-18 22:25:41 UTC
         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-clientAuth
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20190129222612':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=Certificate Authority,O=ourorg.COM
         expires: 2039-02-04 17:27:12 UTC
         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20190129222613':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-ca-renew-agent
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=login1.ourorg.com,O=ourorg.COM
         expires: 2021-01-18 22:25:41 UTC
         dns: login1.ourorg.com
         key usage: digitalSignature,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth
         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
         track: yes
         auto-renew: yes
Request ID '20190129222625':
         status: CA_UNREACHABLE
         ca-error: Server at https://login1.ourorg.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  TCP connection reset by peer).
         stuck: no
         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-ourorg-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-ourorg-COM/pwdfile.txt'
         certificate: type=NSSDB,location='/etc/dirsrv/slapd-ourorg-COM',nickname='Server-Cert',token='NSS Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=login1.ourorg.com,O=ourorg.COM
         expires: 2021-01-29 22:26:25 UTC
         dns: login1.ourorg.com
         principal name: ldap/[email protected]
         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv ourorg-COM
         track: yes
         auto-renew: yes
Request ID '20190129222654':
         status: CA_UNREACHABLE
         ca-error: Server at https://login1.ourorg.com/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  TCP connection reset by peer).
         stuck: no
         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
         CA: IPA
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=login1.ourorg.com,O=ourorg.COM
         expires: 2021-01-29 22:26:54 UTC
         dns: login1.ourorg.com
         principal name: HTTP/[email protected]
         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-kp-clientAuth
         pre-save command:
         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
         track: yes
         auto-renew: yes
Request ID '20190129222703':
         status: SUBMITTING
         stuck: no
         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
         CA: IPA
         issuer: CN=Certificate Authority,O=ourorg.COM
         subject: CN=login1.ourorg.com,O=ourorg.COM
         expires: 2021-01-29 22:27:03 UTC
         principal name: krbtgt/[email protected]
         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
         eku: id-kp-serverAuth,id-pkinit-KPKdc
         pre-save command:
         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
         track: yes
         auto-renew: yes
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
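A small triage helper for this kind of `getcert list` output, added here as an example (it is not code from the thread, from FreeIPA or from certmonger). It parses the per-request fields, computes days to expiry and lists requests that are not in MONITORING first, so the CA_UNREACHABLE entries and their ca-error show up at the top; the sample input is constructed in the same format, with placeholder host, realm and dates.

```python
import re
from datetime import datetime, timezone

# Constructed sample shaped like `getcert list` output (placeholders, not the poster's data).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20190129222559':
        status: MONITORING
        CA: dogtag-ipa-ca-renew-agent
        subject: CN=IPA RA,O=EXAMPLE.TEST
        expires: 2021-01-18 22:25:59 UTC
Request ID '20190129222625':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  TCP connection reset by peer).
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2021-01-29 22:26:25 UTC
Request ID '20190129222703':
        status: SUBMITTING
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2021-01-29 22:27:03 UTC
"""

def parse_ts(value):
    # certmonger prints 'YYYY-MM-DD HH:MM:SS UTC'; return an aware UTC datetime.
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of fields per Request ID."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '(\d+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # Split on the first colon only: values such as ca-error contain colons.
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def triage(text, now_str):
    """Return (id, status, days_until_expiry, ca_error), non-MONITORING and soonest-expiring first."""
    now = parse_ts(now_str)
    rows = []
    for r in parse_getcert(text):
        days = (parse_ts(r["expires"]) - now).days
        rows.append((r["id"], r["status"], days, r.get("ca-error", "")))
    return sorted(rows, key=lambda t: (t[1] == "MONITORING", t[2]))
```

Running `triage(SAMPLE, "2021-02-09 00:00:00 UTC")` puts the CA_UNREACHABLE request first with its libcurl error text, and a negative day count flags a certificate that is already past its expiry even when its status still says MONITORING.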
