Serge Krawczenko via FreeIPA-users wrote:
> Grateful for your response, Rob
> 
> On Tue, May 17, 2022 at 9:41 PM Rob Crittenden <[email protected]> wrote:
> 
> 
>     > sh-4.2# ipa --version
>     > VERSION: 4.6.8, API_VERSION: 2.237
>     >
>     > ipa-cert-fix fails with  The ipa-cert-fix command failed, exception:
>     > RuntimeError: Failed to get Server-Cert
>     > Indeed, it isn't present in /etc/httpd/alias, though it is still
>     > present in /etc/pki/pki-tomcat/alias
> 
>     How did you confirm this, using certutil? I assume the httpd process
>     won't start?
> 
> 
>  ipactl status
> Directory Service: RUNNING
> krb5kdc Service: RUNNING
> kadmin Service: RUNNING
> named Service: RUNNING
> httpd Service: RUNNING
> ipa-custodia Service: RUNNING
> ntpd Service: RUNNING
> pki-tomcatd Service: STOPPED
> ipa-otpd Service: RUNNING
> ipa-dnskeysyncd Service: RUNNING
> ipa: INFO: The ipactl command was successful
> 
> The httpd process started, but I didn't mention (sorry) that I have Let's Encrypt
> certs for httpd installed via ipa-server-certinstall.
> Could this be the reason why the internal certs were not updated?
> 
> 
> Here's all I have in /etc/httpd/alias:
> certutil -L -d /etc/httpd/alias/
> 
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> <mydomain> IPA CA                                            CT,C,C
> CN=R3,O=Let's Encrypt,C=US                                   C,,
> <mydomain> IPA CA                                            CT,C,C
> CN=ISRG Root X1,O=Internet Security Research Group,C=US      C,,
> <mydomain> IPA CA                                            CT,C,C
> CN=<mydomain>                                                u,u,u   (letsencrypt for my domain)
> 
> Yes, using certutil I can see the absence of Server-Cert in /etc/httpd/alias.
> Also, for some reason, when trying
> 
> getcert list -d /etc/httpd/alias 
> 
> I'm only getting this, without the detailed list:
> 
> Number of certificates and requests being tracked: 8.

This is because you aren't tracking a non-existent cert. It's expected.

You're running into issue https://pagure.io/freeipa/issue/8600 which was
fixed in 4.9+ so you don't have it. You'll need to work around it in the
ipa_cert_fix.py code.

> While on 
> 
> getcert list -d /etc/pki/pki-tomcat/alias 
> 
> outputs all the certificates and status
> 
>  
> 
>     Is the key there:
> 
>     certutil -K -d /etc/httpd/alias -f /etc/httpd/alias/pwdfile.txt
> 
> 
> I have the key, and I have "Server-Cert cert-pki-ca" in /etc/pki/pki-tomcat/alias.
> I've even exported "Server-Cert cert-pki-ca" from the /etc/pki/pki-tomcat/alias
> database and imported it into /etc/httpd/alias using pk12util.

I wouldn't recommend doing that. Two different certs for two different
purposes. It probably retained the nickname, including cert-pki-ca.

> Still, ipa-cert-fix is unable to find it: 
> 
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=/usr/bin/certutil -d dbm:/etc/httpd/alias
> -L -n Server-Cert -a -f /etc/httpd/alias/pwdfile.txt
> ipapython.ipautil: DEBUG: Process finished, return code=255
> ipapython.ipautil: DEBUG: stdout=
> ipapython.ipautil: DEBUG: stderr=certutil: Could not find cert: Server-Cert
> : PR_FILE_NOT_FOUND_ERROR: File not found
> 
> ipapython.admintool: DEBUG:   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py",
> line 100, in run
>     certs, extra_certs = expired_certs(now)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py",
> line 142, in expired_certs
>     return expired_dogtag_certs(now), expired_ipa_certs(now)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py",
> line 191, in expired_ipa_certs
>     cert = db.get_cert('Server-Cert')
>   File "/usr/lib/python2.7/site-packages/ipapython/certdb.py", line 744,
> in get_cert
>     raise RuntimeError("Failed to get %s" % nickname)
> 
> ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception:
> RuntimeError: Failed to get Server-Cert
> ipapython.admintool: ERROR: Failed to get Server-Cert
> ipapython.admintool: ERROR: The ipa-cert-fix command failed.
> 
> 
>  
> 
>     Is there certmonger tracking for it?
> 
>     getcert list -d /etc/httpd/alias
> 
>     If there is then you can get a copy of the certificate from
>     /var/lib/certmonger/requests and try re-installing it with certutil.
>     Though later you say you can start everything with a date in the past so
>     this is confusing.
> 
> 
> The certmonger service is running and attempts to renew the certificates
> permanently, but fails.
> I can see requests for valid IDs in /var/lib/certmonger/requests, but
> they are still not processed (probably my attempts to resubmit manually).
> 
> 
>  
> 
>     > I went through the suggested document and nothing seems to work.
>     >
>     > Manual renew via ipa-getcert resubmit also fails with different errors
>     > such as
>     > status: MONITORING
>     > ca-error: Server at "https://hostname:8443/ca/agent/ca/profileProcess";
>     > replied: 1: Request 9980034 Not Found
> 
>     On which certificate?
> 
> 
> Request ID '20171204131516':
> status: MONITORING
> ca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess";
> replied: 1: Request 9980034 Not Found
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent-selfsigned
> expires: 2041-12-28 08:53:41 UTC
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
>  
> And there are no errors for the others in /etc/pki/pki-tomcat/alias.

You'll need to manually make a change in
/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit to not renew by
serial.

You'll find this section of code around line 200:

    args = ([paths.DOGTAG_IPA_RENEW_AGENT_SUBMIT,
             "--cafile", paths.IPA_CA_CRT,
             "--certfile", paths.RA_AGENT_PEM,
             "--keyfile", paths.RA_AGENT_KEY] +
            sys.argv[1:] +
            ['--submit-option', "requestor_name=IPA"])

add:
    args += ['-N']

I'd recommend making this change first, then modify ipa-cert-fix to not
check for the Apache Server-Cert and that may do it.

rob

> 
>     > status: CA_UNREACHABLE
>     > ca-error: Error setting up ccache for "host" service on client using
>     > default keytab: Cannot contact any KDC for realm ...
> 
>     This can happen if all of IPA is not running. certmonger uses the host
>     keytab to authentication to the IPA API.
> 
> 
> OK, we ignore this for now.
> 
> The certificates which were not renewed are:
> 
> "ocspSigningCert cert-pki-ca"
> "subsystemCert cert-pki-ca"
> "Server-Cert cert-pki-ca"
> 
> What else should I try?
> 
> 
>  
> 
>     rob
> 
> Great thanks
>  
> 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: 
https://pagure.io/fedora-infrastructure
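Added example, not from this thread or from FreeIPA/certmonger: a small Python script that parses the `getcert list` record format shown above (one `Request ID '...':` header followed by `key: value` lines) and flags tracking requests that carry a ca-error, are not in MONITORING state, are marked stuck, or are already expired or about to expire. The embedded sample output is constructed to mirror the thread's records (the caSigningCert entry with the "Request ... Not Found" error and an ocspSigningCert entry in CA_UNREACHABLE); hostnames, realm and the second request ID are made up. It accepts both tab-indented real output and the unindented form mail wrapping produces.

```python
"""Triage `getcert list` output: report tracked certs that need attention.

Added example (not FreeIPA or certmonger code). Feed it the text of
`getcert list -d <nssdb>`; it prints one line per request that has a
ca-error, a non-MONITORING status, stuck=yes, or an expiry inside the
warning window. The SAMPLE below is constructed for demonstration.
"""
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample in the getcert list format seen in the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20171204131516':
\tstatus: MONITORING
\tca-error: Server at "https://myhostname:8443/ca/agent/ca/profileProcess" replied: 1: Request 9980034 Not Found
\tstuck: no
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent-selfsigned
\texpires: 2041-12-28 08:53:41 UTC
\tpost-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
\ttrack: yes
\tauto-renew: yes
Request ID '20171204131530':
\tstatus: CA_UNREACHABLE
\tca-error: Error setting up ccache for "host" service on client using default keytab: Cannot contact any KDC for realm EXAMPLE.TEST
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2022-05-01 10:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")
NICK_RE = re.compile(r"nickname='([^']*)'")


def parse_getcert_list(text):
    """Return a list of dicts, one per 'Request ID' block, keyed by field name."""
    requests = []
    current = None
    for raw in text.splitlines():
        match = REQUEST_RE.match(raw.strip())
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
            continue
        if current is None:  # header line such as "Number of certificates ..."
            continue
        line = raw.strip()
        if ":" not in line:
            continue
        # Split on the first colon only: values (URLs, DNs) contain colons too.
        key, _, value = line.partition(":")
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """Parse the 'expires' field, e.g. '2041-12-28 08:53:41 UTC', as aware UTC."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def nickname(req):
    """Nickname of the tracked cert, taken from the 'certificate' storage field."""
    match = NICK_RE.search(req.get("certificate", ""))
    return match.group(1) if match else None


def find_problems(requests, now, warn_days=30):
    """Return [(nickname_or_id, [reasons...])] for every request needing attention."""
    problems = []
    for req in requests:
        label = nickname(req) or req["id"]
        reasons = []
        if req.get("status") != "MONITORING":
            reasons.append("status=" + req.get("status", "?"))
        if req.get("ca-error"):
            reasons.append("ca-error: " + req["ca-error"])
        if req.get("stuck") == "yes":
            reasons.append("stuck")
        expires = req.get("expires")
        if expires:
            when = parse_expiry(expires)
            if when <= now:
                reasons.append("expired " + expires)
            elif when - now <= timedelta(days=warn_days):
                reasons.append("expires within %d days" % warn_days)
        if reasons:
            problems.append((label, reasons))
    return problems


if __name__ == "__main__":
    # Read real output from stdin if piped in, otherwise use the constructed sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    for label, reasons in find_problems(parse_getcert_list(text), datetime.now(timezone.utc)):
        print("%s: %s" % (label, "; ".join(reasons)))
```

Run it as `getcert list -d /etc/pki/pki-tomcat/alias | python3 triage.py` on the server; a request whose only finding is the "Request ... Not Found" ca-error while still MONITORING is exactly the renew-by-serial case the thread works around, whereas CA_UNREACHABLE with a KDC error points at IPA services not running, as Rob notes.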
