Thank you for explaining this to me, thank you for time spent on this.
I checked pki-tomcat and httpd certificates:
/etc/pki/pki-tomcat/alias
ocspSigningCert cert-pki-ca
Validity:
Not Before: Fri Mar 18 17:47:15 2022
Not After : Thu Mar 07 17:47:15 2024
auditSigningCert cert-pki-ca
Validity:
Not Before: Wed Mar 16 17:47:13 2022
Not After : Tue Mar 05 17:47:13 2024
caSigningCert cert-pki-ca
Validity:
Not Before: Thu May 10 15:56:32 2018
Not After : Mon May 10 15:56:32 2038
Server-Cert cert-pki-ca
Validity:
Not Before: Sat Apr 25 04:47:25 2020
Not After : Fri Apr 15 04:47:25 2022
subsystemCert cert-pki-ca
Validity:
Not Before: Wed Mar 16 17:47:23 2022
Not After : Tue Mar 05 17:47:23 2024
/etc/httpd/alias
ipaCert
Validity:
Not Before: Fri Apr 24 20:57:54 2020
Not After : Thu Apr 14 20:57:54 2022
Server-Cert
Validity:
Not Before: Sat Apr 25 06:11:51 2020
Not After : Tue Apr 26 06:11:51 2022
I set the date March 19 and the pki-tomcat service started correctly.
But after restarting the certmonger service in the logs I see the following
error:
certmonger: 2022-03-19 23:04:05 [30685] Server at
https://freeipa.example.com/ipa/xml failed request, will retry: 4016 (RPC
failed at server. Failed to authenticate to CA REST API).
Also have the following errors in /var/log/httpd/error_log.
[Sat Mar 19 23:03:50.199270 2022] [:error] [pid 30475] raise
errors.RemoteRetrieveError(reason=_('Failed to authenticate to CA REST API'))
[Sat Mar 19 23:03:50.199273 2022] [:error] [pid 30475] RemoteRetrieveError:
Failed to authenticate to CA REST API
[Sat Mar 19 23:03:50.199404 2022] [:error] [pid 30475] ipa: INFO: [xmlserver]
host/[email protected]:
cert_request(u'MIID5jCCAs4CAQAwPzEYMBYGA1UEChMPSU5URVJOQUwuQ0IuQ09NMSMwIQYDVQQDExpwYi1mcmVlaXBhLmludGVybmFsLmNiLmNvbTCCASIwDQYJKoZIhvcNAQEBBQADggEPPDCCAQoDggEBANN1r8MoQo+0e5ntNiKHjstexptSrbS0sB/00WVPTcQuV3jtzVPttqbTmX4T/X5AseJ8w2pZ9BcYYM5p/9neX8iSZ+NheI1P8YDamOzsJRLp/5NHCh/VldDoiK/Jp0ybjWBqJ3tHxgU3+LmP4KRr1d2AcaA8IojVKQXM91WVWQZUenSCDl+LCy2LKN6hx2Gq6VfSVfrftW1rhXzCQ0yFVMvICZajusVFuz7OrBw8m4rBY7l426ZUePQ5ZtPJKIWiMYqGwc7re/jXycqcGQwKySDgpJkEYX8h/fZu6RbprWHVBjIC1wTp+ighP69xsvgAxQuAiMvcglZ9JNBKOWJHttECAwEAAaCCAWAwJQYJKoZIhvcNAQkUMRgeFgBTAGUAcgB2AGUAcgAtAEMAZQByAHQwggE1BgkqhkiG9w0BCQ4xggEmMIIBIjCBuwYDVR0RAQEABIGwMIGtghpwYi1mcmVlaXBhLmludGVybmFsLmNiLmNvbaA/BgorBgEEAYI3FAIDoDEML2xkYXAvcGItZnJlZWlwYS5pbnRlcm5hbC5jYi5jb21ASU5URVJ1QUwuQ0IuQ09NoE4GBisGAQUCAqBEMEKgERsPS25URVJOQUwuQ0IuQ09NoS0wK6ADAgEBoSQwIhsEbGRhcBsacGItZnJlZWlwYS5pbnRlcm5hbC5jYi5jb20wDAYDVR0TAQH/BAIwADAgBgNVHQ4BAQA
EFgQUDWBKnv6QUTkDu955+sVmva1yH68wMgYJKwYBBAGCNxQCAQEABCIeIABjAGEASQBQAEEAcwBlAHIAdgBpAGMAZQBDAGUAcgB6MA0GCSqGSIb3DQEBCwUAA4IBAQCC9aGeovEL6cMlj30oTBDOF6dbsoRq47wiGTk3hBgM/4RaUMCvV8Fn7k0ruT4p/0QDTaVEw2AIYSrenXMz/4fxRLuThtkUTrCcWa3/3WzAruzPD56JmcZUZFBW13JdYZv7bPLExocTTiabBGCYT9MKpys1PiyrMPf26Smv4ZJzxvDH96dtOUkWrxu6v7AWAoOcTeIO9SHL09Hi+1Ol3UShKsRrRpy9XpGjUIn16EzbwU1Rv7eYnyodGHYnfhntVh+FpWUjbXmvQVkUHtCiJOOXrdETdV7BtLJa5LOt72blENm4nFYjQn77HzGtIJQinOdxowBlq+nb3DhnxwZ+SMZ2',
profile_id=u'caIPAserviceCert',
principal=u'ldap/[email protected]', add=True, version=u'2.51'):
RemoteRetrieveError
[Sat Mar 19 23:03:50.199480 2022] [:error] [pid 30475] ipa: DEBUG: response:
RemoteRetrieveError: Failed to authenticate to CA REST API
[Sat Mar 19 23:03:50.200001 2022] [:error] [pid 30475] ipa: DEBUG: Destroyed
connection context.ldap2_139675403642384
[Sat Mar 19 23:04:05.740103 2022] [auth_gssapi:error] [pid 30937] [client
IP_ADDRESS:PORT] NO AUTH DATA Client did not send any authentication headers,
referer: https://freeipa.example.com/ipa/xml
[Sat Mar 19 23:04:05.764944 2022] [:error] [pid 30474] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Sat Mar 19 23:04:05.765013 2022] [:error] [pid 30474] ipa: DEBUG:
KerberosWSGIExecutioner.__call__:
[Sat Mar 19 23:04:05.778436 2022] [:error] [pid 30474] ipa: DEBUG: Created
connection context.ldap2_139675403642384
[Sat Mar 19 23:04:05.778528 2022] [:error] [pid 30474] ipa: DEBUG: WSGI
WSGIExecutioner.__call__:
[Sat Mar 19 23:04:05.779037 2022] [:error] [pid 30474] ipa: DEBUG: raw:
Please help how to fix this errors.
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct:
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives:
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it:
https://pagure.io/fedora-infrastructure
