Serge Krawczenko via FreeIPA-users wrote:
> Hello again
> I was so hoping the story would end, but nope.
> 
> ipa-cert-fix managed to renew one of the certs
> but failed on the following ones
> 
> 
> Enter "yes" to proceed: yes
> Proceeding.
> ipapython.ipautil: DEBUG: Starting external process
> ipapython.ipautil: DEBUG: args=pki-server cert-fix --ldapi-socket
> /var/run/slapd-...socket --agent-uid ipara --cert subsystem --cert
> ca_ocsp_signing --extra-cert 268304408 --extra-cert 268304410
> ipapython.ipautil: DEBUG: Process finished, return code=1
> ipapython.ipautil: DEBUG: stdout=ERROR: [SSL:
> SSLV3_ALERT_HANDSHAKE_FAILURE] sslv3 alert handshake failure (_ssl.c:618)
> 
> ipapython.ipautil: DEBUG: stderr=INFO: Loading password config:
> /etc/pki/pki-tomcat/password.conf
> INFO: Fixing the following system certs: ['subsystem', 'ca_ocsp_signing']
> INFO: Renewing the following additional certs: ['268304408', '268304410']
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> INFO: Stopping the instance to proceed with system cert renewal
> INFO: Configuring LDAP password authentication
> INFO: Setting pkidbuser password via ldappasswd
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> INFO: Selftests disabled for subsystems: ca
> INFO: Resetting password for uid=ipara,ou=people,o=ipaca
> SASL/EXTERNAL authentication started
> SASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
> SASL SSF: 0
> INFO: Starting the instance
> INFO: Sleeping for 10 seconds to allow server time to start...
> INFO: Requesting new cert for subsystem
> INFO: Getting subsystem cert info for ca
> INFO: Trying to setup a secure connection to CA subsystem.
> INFO: Starting new HTTPS connection (1): myhost.com <http://myhost.com>
> INFO: Stopping the instance
> INFO: Selftests enabled for subsystems: ca
> INFO: Restoring previous LDAP configuration
> 
> ipapython.admintool: DEBUG:   File
> "/usr/lib/python2.7/site-packages/ipapython/admintool.py", line 178, in
> execute
>     return_value = self.run()
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py",
> line 128, in run
>     replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
>   File
> "/usr/lib/python2.7/site-packages/ipaserver/install/ipa_cert_fix.py",
> line 251, in replicate_dogtag_certs
>     cert = x509.load_certificate_from_file(cert_path)
>   File "/usr/lib/python2.7/site-packages/ipalib/x509.py", line 425, in
> load_certificate_from_file
>     with open(filename, mode='rb') as f:
> 
> ipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception:
> IOError: [Errno 2] No such file or directory:
> '/etc/pki/pki-tomcat/certs/subsystem.crt'
> ipapython.admintool: ERROR: [Errno 2] No such file or directory:
> '/etc/pki/pki-tomcat/certs/subsystem.crt'
> ipapython.admintool: ERROR: The ipa-cert-fix command failed.
> 
> The CSR for subsystem was added according
> to https://access.redhat.com/solutions/4852721
> 
> At the time of the above failure in /var/log/pki/pki-tomcat/ca/debug:
> 
> [20/May/2022:07:43:59][localhost-startStop-1]:
> Certutils.verifySystemCertValidityByNickname:  failed :
> java.lang.Exception: Certutils.verifySystemCertValidityByNickname:
>  failed: nickname: ocspSigningCert
>  cert-pki-ca
> [20/May/2022:07:43:59][localhost-startStop-1]: CertUtils:
> verifySystemCertsByTag() failed: java.lang.Exception:
> Certutils.verifySystemCertValidityByNickname:  faliled: nickname:
> ocspSigningCert cert-pki-c
> acause: java.lang.Exception:
> Certutils.verifySystemCertValidityByNickname:  failed: nickname:
> ocspSigningCert cert-pki-ca
> [20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event
> CIMC_CERT_VERIFICATION
> [20/May/2022:07:43:59][localhost-startStop-1]: SignedAuditLogger: event
> CIMC_CERT_VERIFICATION
> java.lang.Exception: Certutils.verifySystemCertValidityByNickname:
>  faliled: nickname: ocspSigningCert cert-pki-cacause:
> java.lang.Exception: Certutils.verifySystemCertValidityByNickname:
>  failed: nicknam
> e: ocspSigningCert cert-pki-ca
>         at
> com.netscape.cmscore.cert.CertUtils.verifySystemCertValidityByNickname(CertUtils.java:839)
> 
> Nothing else suspicious

Which certificate was re-issued successfully?

It appears that pki-server cert-fix, for which IPA is a wrapper, failed
to connect to the server. Whether the OCSP cert errors are related or
not I don't know. Does that cert exist in your PKI NSS database?

rob
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure