Hi,

if the replica has a version > ipa 4.6.6, you can use the tool ipa-cert-fix. Start with a backup of the certificate NSS database /etc/pki/pki-tomcat/alias, carefully read the man page and run the tool on the replica.

HTH,
flo
On Mon, Oct 3, 2022 at 4:59 PM Polavarapu Manideep Sai via FreeIPA-users <[email protected]> wrote:
>
> Hi Rob,
>
> As I rechecked, one of the certificates, i.e. "Server-Cert cert-pki-ca", was found to be expired and all other certificates are valid
>
> Can you please share with me the correct link / steps to renew only this certificate, this issue is on the Replica server and all other certificates are valid
>
>
> Request ID '20221003093229':
>     status: CA_UNREACHABLE
>     ca-error: Error 60 connecting to https://dir01.ipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
>     subject: CN=dir01.ipa.example.com,O=IPA.EXAMPLE.COM
>     expires: 2022-08-31 09:37:04 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>     pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>     post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
>
>
> -----Original Message-----
> From: Rob Crittenden <[email protected]>
> Sent: 30 September 2022 20:38
> To: Polavarapu Manideep Sai <[email protected]>; FreeIPA users list <[email protected]>
> Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
>
>
> CAUTION. This email originated from outside the organization.
> Please exercise caution before clicking on links or attachments in case of suspicion or unknown senders.
>
>
> Polavarapu Manideep Sai wrote:
> > Hi Rob,
> >
> > I didn't change cert configuration nor added any 3rd party certificates
> >
> > Here is the error for "ipa cert-show 1"
> >
> > [root@hostname ~]# ipa cert-show 1
> > ipa: ERROR: Certificate operation cannot be completed: Unable to communicate with CMS (404)
>
> Well, your CA isn't running. You'll need to look in /var/log/pki/pki-tomcat/ca/debug.<date>.log. I'd recommend you begin looking at the last time it started (Initializing subsystem listeners) and work down. The CA tries really hard to start up and will charge forward past some errors so reading the log bottom up often won't show the real problem.
>
> I'd also re-verify that your certs are valid, getcert list.
>
> rob
>
> >
> > -----Original Message-----
> > From: Rob Crittenden <[email protected]>
> > Sent: 30 September 2022 02:00
> > To: Polavarapu Manideep Sai <[email protected]>; FreeIPA users list <[email protected]>
> > Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> >
> >
> > Polavarapu Manideep Sai wrote:
> >> Hi Rob,
> >>
> >> Certificates are valid in this case
> >>
> >> In the Replica Server we have upgraded the packages. Upgraded version: VERSION: 4.6.8, API_VERSION: 2.237
> >>
> >> Master Server Version: VERSION: 4.5.0, API_VERSION: 2.228
> >>
> >>
> >> Note: Any new changes at the Replica server are not replicating/syncing/populating to the master server
> >>
> >> Master ------> Replica [ Syncing or re-initialization happening ]
> >> Master <------ Replica [ Not Syncing/Replicating ]
> >
> > You're getting an error about failed certificate verification. Something is going wrong. Did you change a cert configuration? Add 3rd party certificates?
> >
> > Does ipa cert-show 1 succeed?
> >
> > Replication may be failing for the same reason, untrusted certificates.
> >
> > rob
> >>
> >>
> >> -----Original Message-----
> >> From: Rob Crittenden <[email protected]>
> >> Sent: 29 September 2022 23:18
> >> To: FreeIPA users list <[email protected]>
> >> Cc: Polavarapu Manideep Sai <[email protected]>
> >> Subject: Re: [Freeipa-users] Help ipa-server-upgrade command failed, exception: NetworkError: cannot connect to https://hostname.ipa.example.com:8443/ca/rest/account/login [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> >>
> >>
> >> Polavarapu Manideep Sai via FreeIPA-users wrote:
> >>> Hi Team,
> >>>
> >>> Facing the below error while upgrading the IPA server using the ipa-server-upgrade command
> >>>
> >>> Please let us know the fix if any, let us know if any more details are required on the same
> >>>
> >>> ipa-server-upgrade command failed, exception: NetworkError: cannot connect to 'https://hostname.ipa.example.com:8443/ca/rest/account/login': [SSL: CERTIFICATE_VERIFY_FAILED] certificate verify failed (_ssl.c:618)
> >>
> >> Some of your certificates are expired. getcert list will show you which.
> >>
> >> The possible solutions depend on your version of IPA.
> >>
> >> rob
> >>
>
> ________________________________
>
> DISCLAIMER: The information in this message is confidential and may be legally privileged. It is intended solely for the addressee. Access to this message by anyone else is unauthorized. If you are not the intended recipient, any disclosure, copying, or distribution of the message, or any action or omission taken by you in reliance on it, is prohibited and may be unlawful. Please immediately contact the sender if you have received this message in error. Further, this e-mail may contain viruses and all reasonable precaution to minimize the risk arising there from is taken by OnMobile. OnMobile is not liable for any damage sustained by you as a result of any virus in this e-mail. All applicable virus checks should be carried out by you before opening this e-mail or any attachment thereto. Thank you - OnMobile Global Limited.
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
>
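The thread boils down to two preparatory steps before running ipa-cert-fix: back up /etc/pki/pki-tomcat/alias, and know from `getcert list` which tracked certificates have actually expired. The helpers below are an added example written for this page; they are not code from flo, Rob, Polavarapu or the FreeIPA project, and they do not perform the renewal itself (that remains ipa-cert-fix, per its man page). `backup_nssdb` takes the NSS database directory and a destination directory, both supplied by the caller; `find_expired_certs` reads `getcert list` text on stdin and a reference timestamp, relying on the fact that getcert's "YYYY-MM-DD HH:MM:SS UTC" format sorts lexicographically. The embedded `getcert list` sample is constructed: its first request copies the one quoted in the thread, the second (nickname 'auditSigningCert cert-pki-ca', expiry in 2024) is invented so the filter has something to leave out.

```shell
#!/bin/sh
# Added example (not from FreeIPA or ipa-cert-fix): triage helpers for the two
# steps discussed in the thread.
#   1. back up the NSS database before touching it;
#   2. find which tracked certificates have already expired in `getcert list`
#      output, so you know what ipa-cert-fix will have to renew.

# backup_nssdb SRC_DIR DEST_DIR
# Archives SRC_DIR (e.g. /etc/pki/pki-tomcat/alias) into DEST_DIR as a
# timestamped tarball and prints the archive path. Fails if SRC_DIR is
# missing so a typo cannot silently produce an empty "backup".
backup_nssdb() {
    src="$1"
    dest="$2"
    [ -d "$src" ] || { echo "backup_nssdb: $src is not a directory" >&2; return 1; }
    mkdir -p "$dest" || return 1
    archive="$dest/$(basename "$src")-$(date -u +%Y%m%d%H%M%S).tar.gz"
    # -p keeps the owner/mode of the database files in the archive
    tar -C "$(dirname "$src")" -czpf "$archive" "$(basename "$src")" || return 1
    echo "$archive"
}

# find_expired_certs NOW < getcert_list_output
# NOW is a timestamp in the form getcert prints, "YYYY-MM-DD HH:MM:SS UTC".
# Prints one tab-separated line per request whose certificate expired before
# NOW: nickname, expiry, certmonger status. Timestamps in this form sort
# lexicographically, so a plain string comparison is enough (no date parsing).
find_expired_certs() {
    awk -v now="$1" -v q="'" '
        function emit() {
            if (id != "" && expiry != "" && expiry < now)
                printf "%s\t%s\t%s\n", nick, expiry, status
        }
        /^Request ID/ { emit(); id = $3; nick = ""; expiry = ""; status = "" }
        /^[[:space:]]*status:/ { status = $2 }
        /nickname=/ {
            # nickname=... appears on the key pair storage and certificate lines
            if (match($0, "nickname=" q "[^" q "]*" q))
                nick = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^[[:space:]]*expires:/ {
            sub(/^[[:space:]]*expires:[[:space:]]*/, "")
            expiry = $0
        }
        END { emit() }
    '
}

# Constructed getcert list output for offline use: the first request is the
# one quoted in the thread, the second is an invented, still-valid request.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20221003093229':
        status: CA_UNREACHABLE
        ca-error: Error 60 connecting to https://dir01.ipa.example.com:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
        subject: CN=dir01.ipa.example.com,O=IPA.EXAMPLE.COM
        expires: 2022-08-31 09:37:04 UTC
        track: yes
        auto-renew: yes
Request ID '20221003093230':
        status: MONITORING
        stuck: no
        key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=IPA.EXAMPLE.COM
        subject: CN=CA Audit,O=IPA.EXAMPLE.COM
        expires: 2024-08-31 09:37:10 UTC
        track: yes
        auto-renew: yes
EOF
}

# Usage on a real replica (as root):
#   backup_nssdb /etc/pki/pki-tomcat/alias /root/nssdb-backups
#   getcert list | find_expired_certs "$(date -u '+%Y-%m-%d %H:%M:%S UTC')"
# Offline demonstration with the constructed sample:
#   sample_getcert_output | find_expired_certs '2022-10-03 09:32:29 UTC'
```

Run against the sample with the thread's date as "now", the filter reports only `Server-Cert cert-pki-ca`, expired 2022-08-31 with status CA_UNREACHABLE, which matches what Polavarapu found by reading the full `getcert list` by hand. The status column is worth keeping in the report: certmonger cannot renew a CA subsystem certificate through a CA whose own server certificate has expired, which is exactly the CA_UNREACHABLE loop that ipa-cert-fix exists to break.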
