Thank you, Florence

Things are getting worse...

I'm on the following version, on CentOS 7, with two replicas

sh-4.2# ipa --version
VERSION: 4.6.8, API_VERSION: 2.237

ipa-cert-fix fails with: The ipa-cert-fix command failed, exception:
RuntimeError: Failed to get Server-Cert
Indeed, it isn't present in /etc/httpd/alias, though it is still present in
/etc/pki/pki-tomcat/alias

I went through the suggested document and nothing seems to work.

Manual renewal via ipa-getcert resubmit also fails with different errors, such
as
status: MONITORING
ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess"
replied: 1: Request 9980034 Not Found

status: CA_UNREACHABLE
ca-error: Error setting up ccache for "host" service on client using
default keytab: Cannot contact any KDC for realm ...

I have serious concerns about whether I can get the cluster back to life.

I still manage to revert the system time to a point before expiration and
have all the IPA services running.
However, I'm just disoriented at the moment about what to fix first; the fact
that certificates were not renewed isn't definitely the root cause.

Thanks a lot


On Tue, May 17, 2022 at 3:18 PM Florence Blanc-Renaud <[email protected]>
wrote:

> Hi,
>
> On Mon, May 16, 2022 at 5:19 PM Serge Krawczenko via FreeIPA-users <
> [email protected]> wrote:
>
>> Greetings,all
>>
>> I've been observing multiple issues for some time, unable to enroll new
>> clients etc.
>> Finally found out that the possible root cause is the expired Server-Cert
>> cert-pki-ca and therefore pki-tomcat service won't start
>>
>> Here's the output of getcert list -d /etc/pki/pki-tomcat/alias/
>>
>> Request ID '20171204131518':
>> status: MONITORING
>> stuck: no
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB',pin set
>> certificate:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
>> cert-pki-ca',token='NSS Certificate DB'
>> CA: dogtag-ipa-ca-renew-agent
>> issuer: CN=Certificate Authority,O=....
>> subject: CN=....
>> expires: 2022-04-25 17:06:51 UTC
>> key usage:
>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>> eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
>> cert-pki-ca"
>>
>> Other certs in  /etc/pki/pki-tomcat/alias/ seem to be ok but this one.
>>
> which IPA version do you have? The tool ipa-cert-fix was introduced with
> ipa 4.7.3+ and may help you solve certificate renewal issues. But before
> you start anything, please make sure to identify which server is your CA
> renewal master and follow the instructions from
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html-single/managing_certificates_in_idm/index#renewing-expired-system-certificates-on-a-ca_renewing-expired-system-certificates-when-idm-is-offline
>
> flo
>
>> I'd like to understand how to perform the forced update for this one. I
>> assume it must be renewed automatically, though.
>>
>> I tried to invoke post-save command manually but no luck.
>> Appreciate any ideas
>>
>>
>
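A small triage script for the situation discussed in this thread, added here as an example; it is not code from the thread, from FreeIPA or from certmonger. It parses the text format of `getcert list` (the same layout Serge quoted), flags every tracked certificate that is expired, inside a warning window, stuck, or carrying a ca-error, and reports which nicknames from an expected per-NSS-DB set have no tracking request at all, which is the "Failed to get Server-Cert" symptom for /etc/httpd/alias. The sample output, hostnames, realm, request IDs and the "today" date are constructed, and the expected-nickname table and the 28-day window are assumptions of the example, not certmonger's own defaults.

```python
"""Triage certmonger tracking output for expired or failing IPA certificates.

Added example, not code from the thread, FreeIPA or certmonger. It parses the
text format of `getcert list`, flags entries that are expired, close to
expiry, stuck or carrying a ca-error, and reports which expected NSS-DB
nicknames have no tracking request. All sample data below is constructed.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the format of `getcert list -d <nssdb>` output.
SAMPLE_GETCERT_LIST = """\
Request ID '20171204131518':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tissuer: CN=Certificate Authority,O=EXAMPLE.TEST
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2022-04-25 17:06:51 UTC
Request ID '20171204131520':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm EXAMPLE.TEST
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa1.example.test,O=EXAMPLE.TEST
\texpires: 2022-04-25 17:06:51 UTC
Request ID '20171204131522':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\tsubject: CN=OCSP Subsystem,O=EXAMPLE.TEST
\texpires: 2022-06-10 09:00:00 UTC
"""

# Constructed "today" for the sample run (the thread dates from May 2022).
SAMPLE_NOW = datetime(2022, 5, 17, tzinfo=timezone.utc)

# Nicknames a CA-enabled IPA server is expected to track. Partial and an
# assumption of this example; adjust to what your deployment actually tracks.
EXPECTED_TRACKING = {
    "/etc/httpd/alias": {"Server-Cert"},
    "/etc/pki/pki-tomcat/alias": {
        "Server-Cert cert-pki-ca", "ocspSigningCert cert-pki-ca",
        "subsystemCert cert-pki-ca", "auditSigningCert cert-pki-ca",
    },
}

_REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
_CERT_RE = re.compile(r"location='([^']*)',nickname='([^']*)'")


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the field names getcert prints."""
    entries, current = [], None
    for line in text.splitlines():
        m = _REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first ':' only
            current[key.strip()] = value.strip()
    for e in entries:
        m = _CERT_RE.search(e.get("certificate", ""))
        e["location"], e["nickname"] = m.groups() if m else (None, None)
        exp = e.get("expires")
        e["expires_at"] = (datetime.strptime(exp, "%Y-%m-%d %H:%M:%S UTC")
                           .replace(tzinfo=timezone.utc) if exp else None)
    return entries


def triage(text, now, warn_days=28):
    """Classify each tracked certificate relative to `now` (an aware UTC datetime).

    `warn_days` is this example's "about to expire" window, not certmonger's
    renewal threshold. Negative days_left means days past expiry (floored).
    """
    findings = []
    for e in parse_getcert_list(text):
        expires_at = e["expires_at"]
        days_left = (expires_at - now).days if expires_at else None
        expired = expires_at is not None and expires_at <= now
        findings.append({
            "request_id": e["request_id"], "location": e["location"],
            "nickname": e["nickname"], "status": e.get("status"),
            "days_left": days_left, "expired": expired,
            "expiring": days_left is not None and not expired and days_left <= warn_days,
            "stuck": e.get("stuck") == "yes", "ca_error": e.get("ca-error"),
        })
    # Expired first, then soonest expiry, so the renewal order is obvious.
    return sorted(findings, key=lambda f: (f["days_left"] is None, f["days_left"] or 0))


def untracked(text, expected=EXPECTED_TRACKING):
    """(location, nickname) pairs from `expected` that have no tracking request."""
    tracked = {(e["location"], e["nickname"]) for e in parse_getcert_list(text)}
    return sorted((loc, nick) for loc, nicks in expected.items()
                  for nick in nicks if (loc, nick) not in tracked)


if __name__ == "__main__":
    for f in triage(SAMPLE_GETCERT_LIST, SAMPLE_NOW):
        flags = " ".join(k for k in ("expired", "expiring", "stuck") if f[k])
        print(f"{f['location']}:{f['nickname']!r} status={f['status']} "
              f"days_left={f['days_left']} {flags}")
        if f["ca_error"]:
            print("    ca-error:", f["ca_error"])
    for loc, nick in untracked(SAMPLE_GETCERT_LIST):
        print(f"no tracking request for {nick!r} in {loc}")
```

On a real server you would feed it the combined output of `getcert list` run on each replica, with `now` set to the real clock rather than the rolled-back one, and treat the CA renewal master first, as Florence's link advises.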
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
