Actually... it's really strange, because I see 36 certificates tracked from the web interface of FreeIPA, but when I do getcert list I see only 12 certificates tracked, and most of them are with status CA_UNREACHABLE. The most important question is... will I have problems with those certificates when they start to expire? Is there a way to clean up all certificates from IPA which are not in use by the system itself, as it seems there are issues with the certificates?
getcert list | egrep '^Request|status:|subject:|expires:|ca-error:'
Request ID '20230329162435':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=IPA RA,O=EXAMPLE.NET
	expires: 2025-03-18 21:54:35 IST
Request ID '20230329162440':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=CA Audit,O=EXAMPLE.NET
	expires: 2025-03-18 21:53:22 IST
Request ID '20230329162442':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=OCSP Subsystem,O=EXAMPLE.NET
	expires: 2025-03-18 21:53:03 IST
Request ID '20230329162443':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=CA Subsystem,O=EXAMPLE.NET
	expires: 2025-03-18 21:53:15 IST
Request ID '20230329162444':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=Certificate Authority,O=EXAMPLE.NET
	expires: 2043-03-29 21:52:55 IST
Request ID '20230329162445':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
	expires: 2025-03-18 21:53:10 IST
Request ID '20230329162450':
	status: MONITORING
	subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
	expires: 2025-03-29 21:54:52 IST
Request ID '20230329162523':
	status: MONITORING
	subject: CN=login.EXAMPLE.net
	expires: 2025-03-27 12:12:44 IST
Request ID '20230329162529':
	status: MONITORING
	subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
	expires: 2025-03-29 21:55:30 IST
Request ID '20230329163030':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=KRA Audit,O=EXAMPLE.NET
	expires: 2025-03-18 21:59:33 IST
Request ID '20230329163031':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=KRA Transport Certificate,O=EXAMPLE.NET
	expires: 2025-03-18 21:59:21 IST
Request ID '20230329163033':
	status: CA_UNREACHABLE
	ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
	subject: CN=KRA Storage Certificate,O=EXAMPLE.NET
	expires: 2025-03-18 21:59:27 IST

On Tue, Feb 25, 2025 at 9:48 AM Yavor Marinov <[email protected]> wrote:
> Hey Rob,
>
> This worked like a charm, I just had to --force the command, the [email protected] is running properly. Although when I check with getcert list the certificates still have problems connecting to CA:
>
> ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>
> And this is for all certificates, can you point me how to fix this, so those certificates can be renewed normally?
>
> On Mon, Feb 24, 2025 at 6:41 PM Rob Crittenden <[email protected]> wrote:
>
>> I don't know the safest way to address this. Someone tried to deploy a standalone OCSP server about two weeks ago based on the dates.
>>
>> I'm guessing the installation failed. I wasn't able to add one to an IPA server on RHEL 9.5.
>>
>> There be dragons if you attempt the following. I'd recommend a full system backup prior to starting.
>>
>> Normally to remove a subsystem you'd run: pkidestroy -s OCSP -i pki-tomcat
>>
>> But that failed for me because there was no registry for the OCSP service (because installation failed). But still run it. It may do some things before it dies.
>>
>> Manually remove cruft left over:
>>
>> rm -rf /etc/pki/pki-tomcat/ocsp
>> rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat/ocsp
>> rm -rf /var/lib/pki/pki-tomcat/ocsp
>> rm -rf /var/log/pki/pki-tomcat/ocsp
>>
>> Edit /etc/pki/pki-tomcat/server.xml
>>
>> Find certificateKeyAlias="sslserver"
>>
>> Replace sslserver with Server-Cert cert-pki-ca
>>
>> The CA at least starts now. I did a couple of test operations and things seem to be working ok but who knows for sure.
>>
>> rob
>>
>> Yavor Marinov wrote:
>> > Hey Rob,
>> >
>> > The directory is there but I don't remember enabling the OCSP service. Here is the content of the directory
>> >
>> > [root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
>> > total 0
>> > lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf -> /etc/pki/pki-tomcat/ocsp
>> > lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs -> /var/log/pki/pki-tomcat/ocsp
>> > lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry -> /etc/sysconfig/pki/tomcat/pki-tomcat
>> >
>> > On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:
>> >
>> >     Yavor Marinov via FreeIPA-users wrote:
>> >     > Hello all,
>> >     >
>> >     > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will expire soon on the 18th of March, I had to check and renew them. But upon trying I saw that all tracked certificates are reporting that they couldn't connect to server. Further checking I've found that [email protected] is not running and the error which the service produces looks like this:
>> >     >
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     cli.execute(sys.argv)
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().execute(args)
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     module.execute(module_args)
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     instance.init()
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().init()
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.enable_subsystems()
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     subsystem.enable()
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.instance.deploy_webapp(
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     document = etree.parse(descriptor, parser)
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
>> >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
>> >     >
>> >     > Any help will be much appreciated as I have to upgrade the certificates within a month.
>> >
>> >     Did someone try to enable a standalone OCSP service?
>> >
>> >     Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
>> >
>> >     rob
>> >
>>
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
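An added example (not from the thread, and not certmonger or FreeIPA code) that turns `getcert list` output like the listing above into a triage list: every tracked certificate whose status is not MONITORING, and which therefore will not be renewed automatically, together with the days left before it expires. It assumes the field-per-line layout `getcert list` prints and uses a constructed sample modelled on the output posted in the thread.

```python
# Added example for this thread (not certmonger/FreeIPA code): triage 'getcert list' output.
import re
from datetime import datetime

# Constructed sample modelled on the output posted in the thread (not a real run).
SAMPLE = """\
Request ID '20230329162435':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tsubject: CN=IPA RA,O=EXAMPLE.NET
\texpires: 2025-03-18 21:54:35 IST
Request ID '20230329162450':
\tstatus: MONITORING
\tsubject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
\texpires: 2025-03-29 21:54:52 IST
Request ID '20230329162444':
\tstatus: CA_UNREACHABLE
\tca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
\tsubject: CN=Certificate Authority,O=EXAMPLE.NET
\texpires: 2043-03-29 21:52:55 IST
"""

def parse_getcert(text):
    """One dict per 'Request ID' record; field lines are 'key: value'."""
    records, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            records.append(current)
        elif current is not None:
            key, sep, value = line.strip().partition(": ")
            if sep:
                current[key] = value
    return records

def at_risk(text, today, warn_days=30):
    """Tracked certs not in MONITORING state that expire within warn_days, soonest first."""
    now, rows = datetime.strptime(today, "%Y-%m-%d"), []
    for r in parse_getcert(text):
        # Drop the zone abbreviation ('IST'); whole days are enough for triage.
        exp = datetime.strptime(r["expires"].rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
        days = (exp - now).days
        if r.get("status") != "MONITORING" and days <= warn_days:
            rows.append((r["id"], r.get("subject", "?"), r.get("status", "?"), days))
    return sorted(rows, key=lambda row: row[3])

if __name__ == "__main__":
    for rid, subject, status, days in at_risk(SAMPLE, "2025-02-25"):
        print(f"{rid}  {subject:<40} {status:<15} expires in {days} days")
```

Running it against a live host is `getcert list | python3 triage.py` with `SAMPLE` swapped for `sys.stdin.read()`; anything it lists needs the CA connectivity problem fixed before the expiry date, since certmonger cannot renew it in that state.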
