Hi, we have two IPA servers (primary and replica) in the same network. Both are running on CentOS 7. On 1st January we had the problem that suddenly the authentication didn't work anymore. During troubleshooting we noticed that the subsystem CA certificates had been expired for nearly two years. I don't know why the error didn't occur earlier. At this point we could fix the primary server with the command "ipa-cert-fix", but the replica couldn't be included in FreeIPA anymore. So we decided to install a fresh system: CentOS 7, same IPA version, same IP, same hostname. We could bind the new system without any problems to the existing primary server, but when we tried to install the replica service, we got the following error:

"RuntimeError: CA configuration failed.
2023-01-26T07:48:34Z DEBUG [error] RuntimeError: CA configuration failed.
2023-01-26T07:48:34Z DEBUG Removing /root/.dogtag/pki-tomcat/ca"

In the pki-tomcatd debug log it's a bit more detailed:

"2023-01-26 08:48:32 [main] SEVERE: LogFile: Attempt to log message "/var/lib/pki/pki-tomcat/logs/ca/signedAudit/ca_audit" to closed log file 0.main - [26/Jan/2023:08:48:32 CET] [14] [6] [AuditEvent=CLIENT_ACCESS_SESSION_TERMINATED][ClientHost=10.150.116.54][ServerHost=10.150.116.54][ServerPort=636][SubjectID=SYSTEM][Outcome=Success][Info=clientAlertSent: CLOSE_NOTIFY] access session terminated when Certificate System acts as client
2023-01-26 08:48:32 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.RuntimeException: Unable to start CA engine: Selftest failed: Invalid certificate ocspSigningCert cert-pki-ca: NotAfter: Sun Mar 07 15:49:58 CET 2021
2023-01-26 08:48:32 [main] INFO: Shutting down CA subsystem"

As you can see, the CA replication couldn't be started, as there are expired subsystem CA certificates on the primary system.

First we tried to remove the expired subsystem CA certificates from the LDAP tree with
ldapdelete -x -D "cn=directory manager" -W "cn=44,ou=ca,ou=requests,o=ipaca"
and
ldapdelete -x -D "cn=directory manager" -W "cn=44,ou=certificateRepository,ou=ca,o=ipaca"
as there are newly generated subsystem CA certificates already, but "ipa-cert-fix" still reported that these certificates are expired. This had the effect that pki-tomcatd didn't start anymore.

Next we also removed the expired certificates from pki-tomcat with
/usr/bin/certutil -d sql:/etc/pki/pki-tomcat/alias -D -n 'ocspSigningCert cert-pki-ca' -a -f /etc/pki/pki-tomcat/alias/pwdfile.txt
At this point the IPA service starts without any problems and "ipa-cert-fix" doesn't show any expired certificates anymore, but when we tried to initialize the replica it still tries to replicate the old expired certificates, ending in an HTTP 404 error.

Now we've reached a point where we just don't have any more ideas. I hope somebody has an idea and can help. If you need more information and/or logs, we can deliver them at any time!

Thanks in advance!
Best regards

_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
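
The pki-tomcatd self-test failure quoted in the post is the one line that names the expired certificate and its NotAfter date, so it is worth being able to pull that out of a debug log mechanically, for example when checking several servers or old log archives before a replica install. The following is an added example written for this page, not code from the post or from FreeIPA/Dogtag. It assumes the log format exactly as quoted above (a "YYYY-MM-DD HH:MM:SS" stamp at the start of each logger line, with the Java exception text on the following unstamped line) and evaluates expiry as of the log line's own timestamp, so a stored log gives the same answer every time it is run; the timezone name in the Java date is dropped and the value is treated as a naive datetime. The sample log is the post's own lines, re-embedded here for the demonstration.

```python
import re
from datetime import datetime

# Dogtag/pki-tomcat self-test failure for an expired certificate, e.g.
#   ... Selftest failed: Invalid certificate ocspSigningCert cert-pki-ca: NotAfter: Sun Mar 07 15:49:58 CET 2021
SELFTEST_RE = re.compile(
    r"Invalid certificate (?P<nick>.+?): NotAfter: "
    r"(?P<dow>\w{3}) (?P<mon>\w{3}) (?P<day>\d{1,2}) "
    r"(?P<time>\d{2}:\d{2}:\d{2}) (?P<tz>\S+) (?P<year>\d{4})"
)
# Leading "YYYY-MM-DD HH:MM:SS" timestamp of a pki-tomcat debug log line.
STAMP_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Lines quoted in the post above, re-embedded as the sample input.
SAMPLE_LOG = """\
2023-01-26 08:48:32 [main] SEVERE: Exception sending context initialized event to listener instance of class [org.dogtagpki.server.ca.CAEngine]
java.lang.RuntimeException: Unable to start CA engine: Selftest failed: Invalid certificate ocspSigningCert cert-pki-ca: NotAfter: Sun Mar 07 15:49:58 CET 2021
2023-01-26 08:48:32 [main] INFO: Shutting down CA subsystem
"""


def parse_java_date(m):
    """Convert the Java Date.toString() fields to a naive datetime (zone name dropped)."""
    return datetime.strptime(
        f"{m['mon']} {m['day']} {m['time']} {m['year']}", "%b %d %H:%M:%S %Y"
    )


def find_expired_certs(log_text, as_of=None):
    """Return one dict per self-test failure: nickname, NotAfter and days expired.

    Expiry is measured against as_of when given; otherwise against the most
    recent timestamp seen in the log (stack-trace lines carry no stamp of their
    own, so they inherit the preceding logger line's), falling back to now.
    """
    results = []
    last_stamp = None
    for line in log_text.splitlines():
        stamp = STAMP_RE.match(line)
        if stamp:
            last_stamp = datetime.strptime(stamp.group(1), "%Y-%m-%d %H:%M:%S")
        m = SELFTEST_RE.search(line)
        if not m:
            continue
        not_after = parse_java_date(m)
        ref = as_of or last_stamp or datetime.now()
        results.append({
            "nickname": m["nick"],
            "not_after": not_after,
            "days_expired": (ref - not_after).days,
        })
    return results


def summarize(log_text, as_of=None):
    """Human-readable one-liners, one per expired certificate found."""
    return [
        f"{r['nickname']}: NotAfter {r['not_after']:%Y-%m-%d %H:%M:%S}, "
        f"expired {r['days_expired']} days before the log entry"
        for r in find_expired_certs(log_text, as_of)
    ]


if __name__ == "__main__":
    for line in summarize(SAMPLE_LOG):
        print(line)
```

Run against the post's own lines it reports ocspSigningCert cert-pki-ca as 689 days past its NotAfter at the time pki-tomcatd logged the failure, which matches the "nearly two years" the poster observed. Pointing it at /var/lib/pki/pki-tomcat/logs/ca/debug (or its rotated copies) before attempting a replica install gives a quick check that no subsystem certificate the CA clone would have to trust is still expired.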
