Hey Rob,

This worked like a charm, I just had to --force the command, the [email protected] is running properly. Although when I check with getcert list the certificates still have problems connecting to CA:

ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.

And this is for all certificates, can you point me how to fix this, so those certificates can be renewed normally?

On Mon, Feb 24, 2025 at 6:41 PM Rob Crittenden <[email protected]> wrote:
> I don't know the safest way to address this. Someone tried to deploy a
> standalone OCSP server about two weeks ago based on the dates.
>
> I'm guessing the installation failed. I wasn't able to add one to an IPA
> server on RHEL 9.5.
>
> There be dragons if you attempt the following. I'd recommend a full
> system backup prior to starting.
>
> Normally to remove a subsystem you'd run: pkidestroy -s OCSP -i pki-tomcat
>
> But that failed for me because there was no registry for the OCSP
> service (because installation failed). But still run it. It may do some
> things before it dies.
>
> Manually remove cruft left over:
>
> rm -rf /etc/pki/pki-tomcat/ocsp
> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat/ocsp
> rm -rf /var/lib/pki/pki-tomcat/ocsp
> rm -rf /var/log/pki/pki-tomcat/ocsp
>
> Edit /etc/pki/pki-tomcat/server.xml
>
> Find certificateKeyAlias="sslserver"
>
> Replace sslserver with Server-Cert cert-pki-ca
>
> The CA at least starts now. I did a couple of test operations and things
> seem to be working ok but who knows for sure.
>
> rob
>
> Yavor Marinov wrote:
> > Hey Rob,
> >
> > The directory is there but I don't remember to enable OCSP service. Here
> > is the content of the directory
> >
> > [root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
> > total 0
> > lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf -> /etc/pki/pki-tomcat/ocsp
> > lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs -> /var/log/pki/pki-tomcat/ocsp
> > lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry -> /etc/sysconfig/pki/tomcat/pki-tomcat
> >
> > On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:
> >
> >     Yavor Marinov via FreeIPA-users wrote:
> >     > Hello all,
> >     >
> >     > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will
> >     > expire soon on 18th of March, I had to check and renew them. But
> >     > upon trying I saw that all tracked certificates are reporting that
> >     > they couldn't connect to server. Further checking I've found that
> >     > [email protected] is not running and the error which the
> >     > service produces looking like this:
> >     >
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     cli.execute(sys.argv)
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().execute(args)
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     module.execute(module_args)
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     instance.init()
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().init()
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.enable_subsystems()
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     subsystem.enable()
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.instance.deploy_webapp(
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     document = etree.parse(descriptor, parser)
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> >     >
> >     > Any help will be much appreciated as I have to upgrade the
> >     > certificates within a month.
> >
> >     Did someone try to enable a standalone OCSP service?
> >
> >     Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
> >
> >     rob
> >
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
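As an added example that is not part of this thread and not FreeIPA's or certmonger's own code: a small Python helper that parses `getcert list` output and lists the tracked requests that cannot renew (a `ca-error` like the one reported above) or that expire within a warning window, which is the check the original poster was doing by hand. The sample output below is constructed; its request IDs, subjects and dates are made up, only the ca-error text is the one from the thread.

```python
import re
from datetime import datetime

# Constructed sample of `getcert list` output (request IDs, subjects and
# dates are made up); the ca-error text is the one reported in the thread.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20230318100000':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tsubject: CN=login.example.net,O=EXAMPLE.NET
\texpires: 2025-03-18 10:00:00 UTC
\tauto-renew: yes
Request ID '20230318100001':
\tstatus: MONITORING
\tsubject: CN=IPA RA,O=EXAMPLE.NET
\texpires: 2026-09-01 10:00:00 UTC
\tauto-renew: yes
"""

RECORD_RE = re.compile(r"^Request ID '([^']+)':")
TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"   # timestamp format used by getcert

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request."""
    records, current = [], None
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
        elif current is not None and line[:1] in ("\t", " ") and ":" in line:
            key, value = line.strip().split(":", 1)   # split on first colon only
            current[key] = value.strip()
    return records

def needs_attention(records, now, warn_days=30):
    """Return (request id, reason) for requests that cannot renew or expire soon."""
    ref = datetime.strptime(now, TIME_FMT)
    out = []
    for r in records:
        if "ca-error" in r:            # certmonger could not reach the CA
            out.append((r["id"], "ca-error: " + r["ca-error"]))
        elif r.get("status") != "MONITORING":
            out.append((r["id"], "status " + r.get("status", "unknown")))
        if "expires" in r:
            days = (datetime.strptime(r["expires"], TIME_FMT) - ref).days
            if days <= warn_days:
                out.append((r["id"], "expires in %d days" % days))
    return out
```

Feed it the real output with `parse_getcert_list(subprocess.check_output(["getcert", "list"], text=True))` and pass the current time in the same format; an empty result means every tracked certificate is healthy and outside the window.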
