Grateful for your response, Rob

On Tue, May 17, 2022 at 9:41 PM Rob Crittenden <[email protected]> wrote:

>
> > sh-4.2# ipa --version
> > VERSION: 4.6.8, API_VERSION: 2.237
> >
> > ipa-cert-fix fails with  The ipa-cert-fix command failed, exception:
> > RuntimeError: Failed to get Server-Cert
> > Indeed, it doesn't present in /etc/httpd/alias though still it presents
> > in /etc/pki/pki-tomcat/alias
>
> How did you confirm this, using certutil? I assume the httpd process
> won't start?
>
>
ipactl status
Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: STOPPED
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

The httpd process started, but I didn't mention (sorry) that I have Let's Encrypt
certs for httpd installed via ipa-server-certinstall.
Could this be the reason why the internal certs were not updated?


Here's all I have in /etc/httpd/alias:
certutil -L -d /etc/httpd/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

<mydomain> IPA CA                                            CT,C,C
CN=R3,O=Let's Encrypt,C=US                                   C,,
<mydomain> IPA CA                                            CT,C,C
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
<mydomain> IPA CA                                            CT,C,C
CN=<mydomain>                                                u,u,u (letsencrypt for my domain)

Yes, using certutil I can see the absence of Server-Cert in /etc/httpd/alias.
Also, for some reason, when trying

getcert list -d /etc/httpd/alias

I'm only getting this, without the detailed list:

Number of certificates and requests being tracked: 8.

While

getcert list -d /etc/pki/pki-tomcat/alias

outputs all the certificates and their status.



> Is the key there:
>
> certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
>
>
I have the key, and I have "Server-Cert cert-pki-ca" in /etc/pki/pki-tomcat/alias.
I've even exported "Server-Cert cert-pki-ca" from the /etc/pki/pki-tomcat/alias
database and imported it into /etc/httpd/alias using pk12util.

Still, ipa-cert-fix is unable to find it:

ipapython.ipautil: DEBUG: Starting external process
ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
ipapython.ipautil: DEBUG: Process finished, return code=255
ipapython.ipautil: DEBUG: stdout=
ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
: PR_FILE_NOT_FOUND_ERROR: File not found

ipapython.admintool: DEBUG:   File "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in execute
    return_value = self.run()
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 100, in run
    certs, extra_certs = expired_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 142, in expired_certs
    return expired_dogtag_certs(now), expired_ipa_certs(now)
  File "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py", line 191, in expired_ipa_certs
    cert = db.get_cert('Server-Cert')
  File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744, in get_cert
    raise RuntimeError("Failed to get %s" % nickname)

ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: RuntimeError: Failed to get Server-Cert
ipapython.admintool: ERROR: Failed to get Server-Cert
ipapython.admintool: ERROR: The ipa-cert-fix command failed.




> Is there certmonger tracking for it?
>
> getcert list -d /etc/httpd/alias
>
> If there is then you can get a copy of the certificate from
> /var/lib/certmonger/requests and try re-installing it with certutil.
> Though later you say you can start everything with a date in the past so
> this is confusing.
>
>
The certmonger service is running and permanently attempts to renew the certificates,
but fails.
I can see requests for valid IDs in /var/lib/certmonger/requests, but they are
still not processed (probably my attempts to resubmit manually).




> > I went through the suggested document and nothing seems to work.
> >
> > Manual renew via ipa-getcert resubmit also fails with different errors
> > such as
> > status: MONITORING
> > ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
>
> On which certificate?
>
>
Request ID '20171204131516':
	status: MONITORING
	ca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
	stuck: no
	key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
	certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-ca-renew-agent-selfsigned
	expires: 2041-12-28 08:53:41 UTC
	post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes

And there are no errors for the others in /etc/pki/pki-tomcat/alias.

> > status: CA_UNREACHABLE
> > ca-error: Error setting up ccache for "host" service on client using
> > default keytab: Cannot contact any KDC for realm ...
>
> This can happen if all of IPA is not running. certmonger uses the host
> keytab to authentication to the IPA API.
>
>
OK, we ignore this for now.

The certificates which were not renewed are:

"ocspSigningCert cert-pki-ca"
"subsystemCert cert-pki-ca"
"Server-Cert cert-pki-ca"

What else should I try?




> rob
>
> Great thanks
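As an added example (not code from the thread, from FreeIPA or from certmonger): the failure above boils down to a mismatch between what certmonger tracks and what the NSS database actually contains, which is exactly what `ipa-cert-fix` trips over when it asks `certutil` for the `Server-Cert` nickname. The script below parses `certutil -L` and `getcert list` output and cross-checks them, reporting any tracked request that carries a ca-error and any tracked certificate whose nickname is absent from its NSS database. The two listings are constructed samples modelled on the output quoted in this thread; the domain `example.test`, the hostname `ipa.example.test` and the second tracking record (a `Server-Cert` tracked in /etc/httpd/alias but missing from it) are assumptions for the demonstration, not data from the poster's system.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the certutil -L listing quoted in the thread
# (hypothetical domain; note that no "Server-Cert" nickname is present).
CERTUTIL_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

example.test IPA CA                                          CT,C,C
CN=R3,O=Let's Encrypt,C=US                                   C,,
CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
CN=ipa.example.test                                          u,u,u
"""

# Constructed sample modelled on the getcert list record quoted in the thread,
# plus an assumed second record: a Server-Cert tracked in /etc/httpd/alias.
GETCERT_LISTING = """\
Number of certificates and requests being tracked: 2.
Request ID '20171204131516':
\tstatus: MONITORING
\tca-error: Server at "https://ipa.example.test:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent-selfsigned
\texpires: 2041-12-28 08:53:41 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20171204131517':
\tstatus: MONITORING
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2022-05-01 00:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# A certutil row is "<nickname>  <2+ spaces>  <ssl>,<email>,<objsign>"; the two
# header lines never match because "Trust Attributes" and "SSL,S/MIME,JAR/XPI"
# do not fit the comma-separated flag pattern.
_ROW_RE = re.compile(r"^(?P<nick>.+?)\s{2,}(?P<trust>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
_REQ_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
_KV_RE = re.compile(r"^\s*(?P<key>[A-Za-z][A-Za-z -]*?):\s*(?P<val>.*)$")
_LOC_RE = re.compile(r"location='(?P<loc>[^']*)'")
_NICK_RE = re.compile(r"nickname='(?P<nick>[^']*)'")


def parse_certutil_list(text: str) -> Dict[str, str]:
    """Map nickname -> trust flags from `certutil -L -d <db>` output."""
    certs: Dict[str, str] = {}
    for line in text.splitlines():
        m = _ROW_RE.match(line)
        if m and m.group("nick").strip():
            certs[m.group("nick").strip()] = m.group("trust")
    return certs


def missing_nicknames(listing: Dict[str, str], expected: List[str]) -> List[str]:
    """Nicknames a tool such as ipa-cert-fix would look for but the DB lacks."""
    return [n for n in expected if n not in listing]


def parse_getcert_list(text: str) -> List[Dict[str, str]]:
    """Split `getcert list` output into one dict per tracking request."""
    records: List[Dict[str, str]] = []
    current = None
    for line in text.splitlines():
        m = _REQ_RE.match(line)
        if m:
            current = {"request_id": m.group("id")}
            records.append(current)
            continue
        if current is None:  # preamble before the first request
            continue
        m = _KV_RE.match(line)
        if m:
            current[m.group("key")] = m.group("val")
    return records


def tracking_problems(records: List[Dict[str, str]],
                      db_listings: Dict[str, Dict[str, str]]) -> List[Dict[str, str]]:
    """Cross-check certmonger tracking against parsed NSS DB contents.

    db_listings maps an NSS DB path to its parse_certutil_list() result.
    Returns one entry per tracked request that either reports a ca-error or
    points at a nickname that is not present in the database it names."""
    problems = []
    for r in records:
        cert_field = r.get("certificate", "")
        loc_m, nick_m = _LOC_RE.search(cert_field), _NICK_RE.search(cert_field)
        loc = loc_m.group("loc") if loc_m else None
        nick = nick_m.group("nick") if nick_m else None
        if "ca-error" in r:
            problems.append({"request_id": r["request_id"], "nickname": nick or "",
                             "issue": "ca-error", "detail": r["ca-error"]})
        if loc in db_listings and nick and nick not in db_listings[loc]:
            problems.append({"request_id": r["request_id"], "nickname": nick,
                             "issue": "missing-from-db", "detail": loc})
    return problems


if __name__ == "__main__":
    httpd_db = parse_certutil_list(CERTUTIL_LISTING)
    print("missing from /etc/httpd/alias:", missing_nicknames(httpd_db, ["Server-Cert"]))
    for p in tracking_problems(parse_getcert_list(GETCERT_LISTING), {"/etc/httpd/alias": httpd_db}):
        print(f"{p['request_id']} {p['nickname']!r}: {p['issue']} ({p['detail']})")
```

On a live server the two samples would be replaced by the output of `certutil -L -d /etc/httpd/alias` and `getcert list`; the value of doing the cross-check this way is that it separates the two distinct failure modes seen in the thread, a renewal the CA rejects (ca-error) and a tracked nickname that simply is not in the database, before any renewal or fix tool is run.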
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure