Juan Pablo Lorier wrote:
> Hi Jochen and thanks for your reply.
> 
> My knowledge of CAs is not much, so I will try to follow as much as I can.
> The only error I don't know whether it is OK to be there is the KRA error
> mentioned in the logs.
> 
> What I did was compare the files in the request directory before and
> after the upgrade with the 4 certs in stuck state, and the files were the
> same.
> I then removed the files in the directory and ran the upgrade again,
> which created new files, with the 4 certs again in stuck state.
> At last, I fixed the certs and ran the upgrade again.
> 
> Here are the fixed certs, dir content, etc. for the last try:

A couple of comments.

I don't recommend directly removing the certmonger tracking files unless
you do it with certmonger stopped. It retains a copy in memory while
running.

certmonger tracking has nothing to do with the CA state. A bad tracking
request can prevent renewal but it won't affect operations of the CA
unless the failure to renew allows the certificates to expire which is
not true in this case.

You should shift focus to the CA debug log to see where the first
failure(s) occur during startup. That is most likely to tell you what is
going on.

rob

> 
> # getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20200110015908':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:59:28 -03
> expires: 2023-12-13 22:59:28 -03
> principal name: krbtgt/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-pkinit-KPKdc
> profile: KDCs_PKINIT_Certs
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
> Request ID '20221202140756':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate
> DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=CA Audit,O=TNU.COM.UY
> issued: 2021-11-09 15:11:14 -03
> expires: 2023-10-30 15:11:14 -03
> key usage: digitalSignature,nonRepudiation
> profile: caSignedLogCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202140757':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS
> Certificate DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=OCSP Subsystem,O=TNU.COM.UY
> issued: 2021-11-09 15:12:03 -03
> expires: 2023-10-30 15:12:03 -03
> eku: id-kp-OCSPSigning
> profile: caOCSPCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202140758':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate
> DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=CA Subsystem,O=TNU.COM.UY
> issued: 2021-11-09 15:11:13 -03
> expires: 2023-10-30 15:11:13 -03
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-clientAuth
> profile: caSubsystemCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202140759':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate
> DB',pinfile='/etc/pki/pki-tomcat/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=Certificate Authority,O=TNU.COM.UY
> issued: 2022-08-26 14:25:16 -03
> expires: 2042-08-26 14:25:16 -03
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> profile: caCACert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202140800':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-01 22:56:02 -03
> expires: 2023-11-21 22:56:02 -03
> dns: dc2.tnu.com.uy
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caServerCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202140801':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=IPA RA,O=TNU.COM.UY
> issued: 2021-11-09 15:12:27 -03
> expires: 2023-10-30 15:12:27 -03
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caSubsystemCert
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20221202140802':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:53:10 -03
> expires: 2023-12-13 22:53:10 -03
> dns: dc2.tnu.com.uy
> principal name: ldap/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
> track: yes
> auto-renew: yes
> Request ID '20221202140803':
> status: MONITORING
> stuck: no
> key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:53:26 -03
> expires: 2023-12-13 22:53:26 -03
> dns: dc2.tnu.com.uy
> principal name: HTTP/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> 
> # ll /var/lib/certmonger/requests
> total 64
> -rw------- 1 root root 4598 Dec  2 11:27 20221202140756
> -rw------- 1 root root 4785 Dec  2 11:27 20221202140757
> -rw------- 1 root root 4798 Dec  2 11:27 20221202140758
> -rw------- 1 root root 4851 Dec  2 11:27 20221202140759
> -rw------- 1 root root 4983 Dec  2 11:08 20221202140800
> -rw------- 1 root root 4610 Dec  2 11:08 20221202140801
> -rw------- 1 root root 5373 Dec  2 11:08 20221202140802
> -rw------- 1 root root 5272 Dec  2 11:08 20221202140803
> 
> # cat req_temp/requests/20221202140756
> id=20221202140756
> key_type=RSA
> key_gen_type=RSA
> key_size=2048
> key_gen_size=2048
> key_next_type=UNSPECIFIED
> key_next_gen_type=RSA
> key_next_size=0
> key_next_gen_size=2048
> key_preserve=0
> key_storage_type=NSSDB
> key_storage_location=/etc/pki/pki-tomcat/alias
> key_token=NSS Certificate DB
> key_nickname=auditSigningCert cert-pki-ca
> key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
> key_perms=0
> key_pubkey=[omitted]
> key_pubkey_info=[omitted]
> key_requested_count=0
> key_issued_count=0
> cert_storage_type=NSSDB
> cert_storage_location=/etc/pki/pki-tomcat/alias
> cert_token=NSS Certificate DB
> cert_nickname=auditSigningCert cert-pki-ca
> cert_perms=0
> cert_issuer_der=303531133011060355040A0C0A544E552E434F4D2E5559311E301C06035504030C15436572746966696361746520417574686F72697479
> cert_issuer=CN=Certificate Authority,O=TNU.COM.UY
> cert_serial=14
> cert_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
> cert_subject=CN=CA Audit,O=TNU.COM.UY
> cert_spki=[omitted]
> cert_not_before=20211109181114
> cert_not_after=20231030181114
> cert_ku=11
> cert_is_ca=0
> cert_ca_path_length=-1
> cert_no_ocsp_check=0
> last_need_notify_check=19700101000000
> last_need_enroll_check=19700101000000
> template_subject_der=302831133011060355040A0C0A544E552E434F4D2E55593111300F06035504030C084341204175646974
> template_subject=CN=CA Audit,O=TNU.COM.UY
> template_ku=11
> template_is_ca=0
> template_ca_path_length=-1
> template_profile=caSignedLogCert
> template_no_ocsp_check=0
> state=MONITORING
> autorenew=1
> monitor=1
> ca_name=IPA
> submitted=19700101000000
> cert=-----BEGIN CERTIFICATE-----
>  MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
> 
> # ipa-server-upgrade 
> Upgrading IPA:. Estimated time: 1 minute 30 seconds
>   [1/11]: stopping directory server
>   [2/11]: saving configuration
>   [3/11]: disabling listeners
>   [4/11]: enabling DS global lock
>   [5/11]: disabling Schema Compat
>   [6/11]: starting directory server
>   [7/11]: updating schema
>   [8/11]: upgrading server
> Error caught updating nsDS5ReplicatedAttributeList: Server is unwilling
> to perform: Entry and attributes are managed by topology plugin.No
> direct modifications allowed.
> Error caught updating nsDS5ReplicatedAttributeListTotal: Server is
> unwilling to perform: Entry and attributes are managed by topology
> plugin.No direct modifications allowed.
>   [9/11]: stopping directory server
>   [10/11]: restoring configuration
>   [11/11]: starting directory server
> Done.
> Update complete
> Upgrading IPA services
> Upgrading the configuration of the IPA services
> Disabled p11-kit-proxy
> [Verifying that root certificate is published]
> [Migrate CRL publish directory]
> CRL tree already moved
> [Verifying that KDC configuration is using ipa-kdb backend]
> [Fix DS schema file syntax]
> Syntax already fixed
> [Removing RA cert from DS NSS database]
> RA cert already removed
> [Enable sidgen and extdom plugins by default]
> [Updating HTTPD service IPA configuration]
> [Updating HTTPD service IPA WSGI configuration]
> Nothing to do for configure_httpd_wsgi_conf
> [Migrating from mod_nss to mod_ssl]
> Already migrated to mod_ssl
> [Moving HTTPD service keytab to gssproxy]
> [Removing self-signed CA]
> [Removing Dogtag 9 CA]
> [Checking for deprecated KDC configuration files]
> [Checking for deprecated backups of Samba configuration files]
> dnssec-validation yes
> [Add missing CA DNS records]
> IPA CA DNS records already processed
> named user config '/etc/named/ipa-ext.conf' already exists
> named user config '/etc/named/ipa-options-ext.conf' already exists
> named user config '/etc/named/ipa-logging-ext.conf' already exists
> [Upgrading CA schema]
> CA schema update complete
> [Update certmonger certificate renewal configuration]
> Missing or incorrect tracking request for certificates:
>   /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>   /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>   /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>   /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
> Certmonger certificate renewal configuration updated
> [Enable PKIX certificate path discovery and validation]
> PKIX already enabled
> [Authorizing RA Agent to modify profiles]
> [Authorizing RA Agent to manage lightweight CAs]
> [Ensuring Lightweight CAs container exists in Dogtag database]
> [Adding default OCSP URI configuration]
> [Disabling cert publishing]
> pki-tomcat configuration changed, restart pki-tomcat
> [Ensuring CA is using LDAPProfileSubsystem]
> [Migrating certificate profiles to LDAP]
> Migrating profile 'acmeServerCert'
> IPA server upgrade failed: Inspect /var/log/ipaupgrade.log and run
> command ipa-server-upgrade manually.
> Unexpected error - see /var/log/ipaupgrade.log for details:
> NetworkError: cannot connect to
> 'https://dc2.tnu.com.uy:8443/ca/rest/account/login': [Errno 0] Error
> The ipa-server-upgrade command failed. See /var/log/ipaupgrade.log for
> more information
> 
> # getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20200110015908':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
> certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:59:28 -03
> expires: 2023-12-13 22:59:28 -03
> principal name: krbtgt/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-pkinit-KPKdc
> profile: KDCs_PKINIT_Certs
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
> track: yes
> auto-renew: yes
> Request ID '20221202175657':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
> cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer: 
> subject: 
> issued: unknown
> expires: unknown
> profile: caSignedLogCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202175658':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert 
> cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer: 
> subject: 
> issued: unknown
> expires: unknown
> profile: caOCSPCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202175659':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
> cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer: 
> subject: 
> issued: unknown
> expires: unknown
> profile: caSubsystemCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202175700':
> status: NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> stuck: yes
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca'
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
> cert-pki-ca'
> CA: dogtag-ipa-ca-renew-agent
> issuer: 
> subject: 
> issued: unknown
> expires: unknown
> profile: caCACert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202175701':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB',pin set
> certificate:
> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
> cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-01 22:56:02 -03
> expires: 2023-11-21 22:56:02 -03
> dns: dc2.tnu.com.uy
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caServerCert
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert
> "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20221202175702':
> status: MONITORING
> stuck: no
> key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
> certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=IPA RA,O=TNU.COM.UY
> issued: 2021-11-09 15:12:27 -03
> expires: 2023-10-30 15:12:27 -03
> key usage: digitalSignature,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caSubsystemCert
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20221202175703':
> status: MONITORING
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-TNU-COM-UY',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:53:10 -03
> expires: 2023-12-13 22:53:10 -03
> dns: dc2.tnu.com.uy
> principal name: ldap/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv TNU-COM-UY
> track: yes
> auto-renew: yes
> Request ID '20221202175704':
> status: MONITORING
> stuck: no
> key pair storage:
> type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/dc2.tnu.com.uy-443-RSA'
> certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
> CA: IPA
> issuer: CN=Certificate Authority,O=TNU.COM.UY
> subject: CN=dc2.tnu.com.uy,O=TNU.COM.UY
> issued: 2021-12-12 22:53:26 -03
> expires: 2023-12-13 22:53:26 -03
> dns: dc2.tnu.com.uy
> principal name: HTTP/[email protected]
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> profile: caIPAserviceCert
> pre-save command: 
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
> 
> # ll /var/lib/certmonger/requests
> total 48
> -rw------- 1 root root 1029 Dec  2 14:56 20221202175658
> -rw------- 1 root root 1021 Dec  2 14:57 20221202175658-1
> -rw------- 1 root root 1020 Dec  2 14:57 20221202175659
> -rw------- 1 root root 1013 Dec  2 14:57 20221202175700
> -rw------- 1 root root 4983 Dec  2 14:57 20221202175701
> -rw------- 1 root root 4610 Dec  2 14:57 20221202175702
> -rw------- 1 root root 5373 Dec  2 14:57 20221202175703
> -rw------- 1 root root 5272 Dec  2 14:57 20221202175704
> 
> 
> # cat /var/lib/certmonger/requests/20221202175658
> id=20221202175657
> key_type=UNSPECIFIED
> key_gen_type=RSA
> key_size=0
> key_gen_size=2048
> key_next_type=UNSPECIFIED
> key_next_gen_type=RSA
> key_next_size=0
> key_next_gen_size=2048
> key_preserve=0
> key_storage_type=NSSDB
> key_storage_location=/etc/pki/pki-tomcat/alias
> key_nickname=auditSigningCert cert-pki-ca
> key_perms=0
> key_requested_count=0
> key_issued_count=0
> cert_storage_type=NSSDB
> cert_storage_location=/etc/pki/pki-tomcat/alias
> cert_nickname=auditSigningCert cert-pki-ca
> cert_perms=0
> cert_is_ca=0
> cert_ca_path_length=0
> cert_no_ocsp_check=0
> last_need_notify_check=19700101000000
> last_need_enroll_check=19700101000000
> template_is_ca=0
> template_ca_path_length=0
> template_profile=caSignedLogCert
> template_no_ocsp_check=0
> state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
> autorenew=1
> monitor=1
> ca_name=dogtag-ipa-ca-renew-agent
> submitted=19700101000000
> pre_certsave_command=/usr/libexec/ipa/certmonger/stop_pkicad
> pre_certsave_uid=0
> post_certsave_command=/usr/libexec/ipa/certmonger/renew_ca_cert
> "auditSigningCert cert-pki-ca"
> post_certsave_uid=0
> 
> UPGRADELOG:
> 
> 2022-11-30T16:03:16Z DEBUG stderr=
> 2022-11-30T16:03:16Z DEBUG Start of certmonger.service complete
> 2022-11-30T16:03:16Z DEBUG Starting external process
> 2022-11-30T16:03:16Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
> 2022-11-30T16:03:17Z DEBUG Process finished, return code=1
> 2022-11-30T16:03:17Z DEBUG stdout=
> 2022-11-30T16:03:17Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
> instance pki-tomcat.
> 
> 2022-11-30T16:03:17Z INFO [Update certmonger certificate renewal
> configuration]
> 2022-11-30T16:03:17Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2022-11-30T16:03:17Z DEBUG Starting external process
> 2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d',
> 'sql:/etc/dirsrv/slapd-TNU-COM-UY/', '-L', '-n', 'Server-Cert', '-a',
> '-f', '/etc/dirsrv/slapd-TNU-COM-UY/pwdfile.txt']
> 2022-11-30T16:03:17Z DEBUG Process finished, return code=0
> 2022-11-30T16:03:17Z DEBUG stdout=-----BEGIN CERTIFICATE-----
> 
> Xxxx
> 
> -----END CERTIFICATE-----
> 
> 2022-11-30T16:03:17Z DEBUG stderr=
> 2022-11-30T16:03:17Z DEBUG Loading Index file from
> '/var/lib/ipa/sysrestore/sysrestore.index'
> 2022-11-30T16:03:17Z DEBUG Starting external process
> 2022-11-30T16:03:17Z DEBUG args=['/usr/bin/certutil', '-d',
> 'sql:/etc/pki/pki-tomcat/alias', '-L', '-f',
> '/etc/pki/pki-tomcat/alias/pwdfile.txt']
> 2022-11-30T16:03:17Z DEBUG Process finished, return code=0
> 2022-11-30T16:03:17Z DEBUG stdout=
> Certificate Nickname                                         Trust Attributes
>                                                              SSL,S/MIME,JAR/XPI
> 
> subsystemCert cert-pki-ca                                    u,u,u
> auditSigningCert cert-pki-ca                                 u,u,Pu
> ocspSigningCert cert-pki-ca                                  u,u,u
> Server-Cert cert-pki-ca                                      u,u,u
> caSigningCert cert-pki-ca                                    CTu,Cu,Cu
> TNU.COM.UY IPA CA                                            CTu,Cu,Cu
> TNU.COM.UY IPA CA                                            CTu,Cu,Cu
> 
> 2022-11-30T16:03:17Z DEBUG stderr=
> 2022-11-30T16:03:19Z INFO Missing or incorrect tracking request for
> certificates:
> 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:auditSigningCert
> cert-pki-ca
> 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:ocspSigningCert
> cert-pki-ca
> 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:subsystemCert
> cert-pki-ca
> 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:caSigningCert
> cert-pki-ca
> 2022-11-30T16:03:19Z INFO   /etc/pki/pki-tomcat/alias:Server-Cert
> cert-pki-ca
> 2022-11-30T16:03:19Z INFO   /var/lib/ipa/ra-agent.pem
> 2022-11-30T16:03:19Z INFO   /var/lib/ipa/certs/httpd.crt
> 2022-11-30T16:03:19Z DEBUG Configuring certmonger to stop tracking
> system certificates for CA
> 2022-11-30T16:03:19Z DEBUG Starting external process
> 2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active',
> 'dbus.service']
> 2022-11-30T16:03:19Z DEBUG Process finished, return code=0
> 2022-11-30T16:03:19Z DEBUG stdout=active
> 
> 2022-11-30T16:03:19Z DEBUG stderr=
> 2022-11-30T16:03:19Z DEBUG Starting external process
> 2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'start',
> 'certmonger.service']
> 2022-11-30T16:03:19Z DEBUG Process finished, return code=0
> 2022-11-30T16:03:19Z DEBUG stdout=
> 2022-11-30T16:03:19Z DEBUG stderr=
> 2022-11-30T16:03:19Z DEBUG Starting external process
> 2022-11-30T16:03:19Z DEBUG args=['/bin/systemctl', 'is-active',
> 'certmonger.service']
> 2022-11-30T16:03:19Z DEBUG Process finished, return code=0
> 2022-11-30T16:03:19Z DEBUG stdout=active
> 
> 2022-11-30T16:03:19Z DEBUG stderr=
> 2022-11-30T16:03:19Z DEBUG Start of certmonger.service complete
> 2022-11-30T16:03:20Z DEBUG Starting external process
> 2022-11-30T16:03:20Z DEBUG args=['pki-server', 'subsystem-show', 'kra']
> 2022-11-30T16:03:20Z DEBUG Process finished, return code=1
> 2022-11-30T16:03:20Z DEBUG stdout=
> 2022-11-30T16:03:20Z DEBUG stderr=ERROR: ERROR: No kra subsystem in
> instance pki-tomcat.
> 
> 
> 
>> On 1 Dec 2022, at 20:14, Jochen Kellner <[email protected]> wrote:
>>
>> Juan Pablo Lorier via FreeIPA-users <[email protected]> writes:
>>
>>> Hi Rob,
>>>
>>> All dates are good once I add the pin manually. The only problem is
>>> the NEWLY_ADDED_NEED_KEYINFO_READ_PIN that appears every time I run
>>> the updater. I don’t know what is not right with the certs. Maybe you
>>> can point me in a direction to look at the logs. Let me share the
>>> getcert list once I manually fixed the pin:
>>
>> Can you perhaps compare the requests for one certificate before and
>> after the upgrade? The requests are stored in
>> /var/lib/certmonger/requests. Let's focus on one certificate first,
>> for example:
>> key pair storage:
>> type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
>> cert-pki-ca'
>>
>> I'd try something like that:
>> - save /var/lib/certmonger/requests somewhere
>> - try the upgrade once again
>> - save /var/lib/certmonger/requests again, somewhere else
>> - compare and see what the differences really are
>>
>> Depending on the differences - and needs some creative thinking:
>> - reset the system to the state before the upgrade
>> - stop certmonger
>> - replace /var/lib/certmonger/requests with the second copy (from after
>>  the upgrade)
>> - We need to get certmonger and ipa-server-upgrade be happy with these
>>  requests, so the request don't get changed during the next upgrade.
>>
>> I've had a look at the logs of the last ipaupgrade.log. For each
>> certificate I see:
>> 2022-09-02T20:02:24Z INFO [Update certmonger certificate renewal
>> configuration]
>> ...
>> 2022-09-02T20:02:24Z INFO Certmonger certificate renewal configuration
>> already up-to-date
>>
>> I guess the second line for you says something like "...config
>> updated". We need to see, if the lines between have some clues for us.
>>
>> In a post upthread you posted the console output:
>> Missing or incorrect tracking request for certificates:
>>  /etc/pki/pki-tomcat/alias:auditSigningCert cert-pki-ca
>>  /etc/pki/pki-tomcat/alias:ocspSigningCert cert-pki-ca
>>  /etc/pki/pki-tomcat/alias:subsystemCert cert-pki-ca
>>  /etc/pki/pki-tomcat/alias:caSigningCert cert-pki-ca
>> Certmonger certificate renewal configuration updated
>>
>> Also upthread you posted:
>>>>>>> 2022-11-30T16:07:49Z DEBUG Profile 'ECAdminCert' is already in
>>>>>>> LDAP and
>>>>>>> enabled; skipping
>>>>>>> 2022-11-30T16:07:49Z INFO Migrating profile 'acmeServerCert'
>>>>>>> 2022-11-30T16:07:49Z DEBUG request GET
>>>>>>> https://dc2.tnu.com.uy:8443/ca/rest/account/login
>>>>>>> 2022-11-30T16:07:49Z DEBUG request body ''
>>>>>>> 2022-11-30T16:07:54Z DEBUG httplib request failed:
>>>>>>> Traceback (most recent call last):
>>>>>>>   File "/usr/lib/python3.6/site-packages/ipapython/dogtag.py", line
>>
>> In my upgrade log this is after updating/checking the certmonger
>> requests. So my guess is there's something strange with your
>> configuration in /var/lib/certmonger/requests.
>>
>> So, can you provide more of your ipaupgrade.log where the certmonger
>> requests are checked/updated and one request before/after?
>>
>> Jochen
>>
>> -- 
>> This space is intentionally left blank.
> 
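Jochen's procedure above (save /var/lib/certmonger/requests, upgrade, save again, compare) and Rob's point that a stuck request is a tracking problem rather than a CA problem can be mechanised. What follows is an added example and not code from this thread, from FreeIPA or from certmonger: a Python script that parses two saved copies of the requests directory using the key=value layout visible in the quoted files (a line starting with a space continues the previous value, as the PEM body does), and reports which fields disappeared between the two runs, which NSSDB-backed requests ended up with no PIN source, and which files carry an id= line that differs from the file name, as the 20221202175658 file quoted above does. The PIN field names key_pin and key_pin_file are an assumption on my part; the sample inputs are constructed abbreviations of the two request files quoted above, not the real files.

```python
"""Diff certmonger request files saved before and after ipa-server-upgrade.

Each /var/lib/certmonger/requests/<id> file is key=value per line; a line
starting with a space continues the previous value (PEM bodies). Reports
fields dropped between runs, NSSDB requests left without a PIN source (the
condition behind NEWLY_ADDED_NEED_KEYINFO_READ_PIN) and name/id mismatches.
"""
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Assumption: the two certmonger fields that can carry a PIN source.
PIN_FIELDS = ("key_pin", "key_pin_file")

# Constructed samples abbreviated from the request files quoted in the thread
# (hex blobs omitted, PEM body truncated). Not the real files.
BEFORE: Dict[str, str] = {"20221202140756": """\
id=20221202140756
key_type=RSA
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_token=NSS Certificate DB
key_nickname=auditSigningCert cert-pki-ca
key_pin_file=/etc/pki/pki-tomcat/alias/pwdfile.txt
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
state=MONITORING
cert=-----BEGIN CERTIFICATE-----
 MIIDKjCCAhKgAwIBAgIBFDANBgkqhkiG9w0BAQsFAD
"""}
AFTER: Dict[str, str] = {"20221202175658": """\
id=20221202175657
key_type=UNSPECIFIED
key_storage_type=NSSDB
key_storage_location=/etc/pki/pki-tomcat/alias
key_nickname=auditSigningCert cert-pki-ca
cert_storage_type=NSSDB
cert_storage_location=/etc/pki/pki-tomcat/alias
cert_nickname=auditSigningCert cert-pki-ca
state=NEWLY_ADDED_NEED_KEYINFO_READ_PIN
"""}


def parse_request(text: str) -> Dict[str, str]:
    """Parse one request file; lines without '=' are skipped, not fatal."""
    fields: Dict[str, str] = {}
    last = None
    for raw in text.splitlines():
        if raw.startswith(" ") and last is not None:
            fields[last] += "\n" + raw.strip()  # continuation of a PEM value
            continue
        key, sep, value = raw.partition("=")
        if sep:
            fields[key] = value
            last = key
    return fields

def identity(req: Dict[str, str]) -> Tuple[str, str]:
    """Match requests across runs by where the cert lives, not by request id:
    ipa-server-upgrade hands out new ids when it re-creates tracking."""
    return (req.get("cert_storage_location", ""), req.get("cert_nickname", ""))

def needs_pin(req: Dict[str, str]) -> bool:
    """An NSS DB key with neither key_pin nor key_pin_file cannot be read by
    certmonger, so the request never leaves NEED_KEYINFO_READ_PIN."""
    return req.get("key_storage_type") == "NSSDB" and not any(f in req for f in PIN_FIELDS)

def diff_requests(before: Dict[str, str], after: Dict[str, str]):
    """Return (fields only in before, {field: (old, new)} for changed values)."""
    dropped = sorted(k for k in before if k not in after)
    changed = {k: (before[k], after[k]) for k in before if k in after and before[k] != after[k]}
    return dropped, changed

def compare_dirs(before_files: Dict[str, str], after_files: Dict[str, str]) -> dict:
    """Both arguments map file name -> file text, as load_dir() returns them."""
    before = {identity(r): r for r in map(parse_request, before_files.values())}
    after_by_name = {n: parse_request(t) for n, t in after_files.items()}
    after = {identity(r): r for r in after_by_name.values()}
    rep: dict = {"dropped": {}, "changed": {}, "unmatched": []}
    for ident, old in before.items():
        if ident not in after:
            rep["unmatched"].append(ident)
            continue
        dropped, changed = diff_requests(old, after[ident])
        if dropped:
            rep["dropped"][ident] = dropped
        if changed:
            rep["changed"][ident] = changed
    rep["needs_pin"] = sorted(i for i, r in after.items() if needs_pin(r))
    rep["id_mismatch"] = sorted((n, r.get("id", "")) for n, r in after_by_name.items() if r.get("id") != n)
    return rep

def load_dir(path: str) -> Dict[str, str]:
    """Read every file in a saved copy of /var/lib/certmonger/requests."""
    return {p.name: p.read_text() for p in Path(path).iterdir() if p.is_file()}

def main(argv: List[str]) -> int:
    rep = compare_dirs(load_dir(argv[1]), load_dir(argv[2])) if len(argv) == 3 else compare_dirs(BEFORE, AFTER)
    for key, value in rep.items():
        print(f"{key}: {value}")
    return 1 if rep["needs_pin"] or rep["id_mismatch"] else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 diff_requests.py req_temp/requests /var/lib/certmonger/requests` after an upgrade attempt; with no arguments it runs against the constructed sample, where it reports key_token, key_pin_file and cert as dropped, the NSSDB audit-signing request as having no PIN source, and the 20221202175658 file as carrying id=20221202175657. Copying the directory is harmless while certmonger runs; replacing its contents, as the second half of Jochen's procedure does, should only be done with certmonger stopped, per Rob's caveat that the running daemon keeps its own copy in memory.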
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: 
https://pagure.io/fedora-infrastructure/new_issue
