Hey Rob, After restarting certmonger all certificates are monitored, thanks a lot for your guidance. One more question - do I need to renew those certificates, or will they be renewed automatically?
On Tue, Feb 25, 2025 at 4:03 PM Rob Crittenden <[email protected]> wrote:
> Yavor Marinov wrote:
> > Actually... it's really strange, because I see 36 certificates tracked
> > from the web interface of FreeIPA, but when I do getcert list I see only
> > 12 certificates tracked and most of them are with status CA_UNREACHABLE.
> > The most important question is... will I have problems with those
> > certificates when they start to expire? Is there a way to clean up all
> > certificates from IPA which are not in use by the system itself, as
> > it seems there are issues with the certificates?
>
> certmonger uses a queueing system so it doesn't spam the CA with
> requests. If you want to try to force a renewal you can restart the
> certmonger service.
>
> Not all certificates are tracked by certmonger on a given machine. This
> is expected. Those other 24 certificates may belong to an IPA replica or
> to some other service you've issued certificates for.
>
> rob
>
> > getcert list | egrep '^Request|status:|subject:|expires:|ca-error:'
> >
> > Request ID '20230329162435':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=IPA RA,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:54:35 IST
> > Request ID '20230329162440':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=CA Audit,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:53:22 IST
> > Request ID '20230329162442':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=OCSP Subsystem,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:53:03 IST
> > Request ID '20230329162443':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=CA Subsystem,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:53:15 IST
> > Request ID '20230329162444':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=Certificate Authority,O=EXAMPLE.NET
> >     expires: 2043-03-29 21:52:55 IST
> > Request ID '20230329162445':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:53:10 IST
> > Request ID '20230329162450':
> >     status: MONITORING
> >     subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
> >     expires: 2025-03-29 21:54:52 IST
> > Request ID '20230329162523':
> >     status: MONITORING
> >     subject: CN=login.EXAMPLE.net
> >     expires: 2025-03-27 12:12:44 IST
> > Request ID '20230329162529':
> >     status: MONITORING
> >     subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
> >     expires: 2025-03-29 21:55:30 IST
> > Request ID '20230329163030':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=KRA Audit,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:59:33 IST
> > Request ID '20230329163031':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=KRA Transport Certificate,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:59:21 IST
> > Request ID '20230329163033':
> >     status: CA_UNREACHABLE
> >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> >     subject: CN=KRA Storage Certificate,O=EXAMPLE.NET
> >     expires: 2025-03-18 21:59:27 IST
> >
> > On Tue, Feb 25, 2025 at 9:48 AM Yavor Marinov <[email protected]> wrote:
> > > Hey Rob,
> > >
> > > This worked like a charm, I just had to --force the command;
> > > the [email protected] is running properly. Although
> > > when I check with getcert list the certificates still have problems
> > > connecting to the CA:
> > >
> > >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
> > >
> > > And this is for all certificates. Can you point me how to fix this,
> > > so those certificates can be renewed normally?
> > >
> > > On Mon, Feb 24, 2025 at 6:41 PM Rob Crittenden <[email protected]> wrote:
> > > > I don't know the safest way to address this. Someone tried to deploy a
> > > > standalone OCSP server about two weeks ago based on the dates.
> > > >
> > > > I'm guessing the installation failed. I wasn't able to add one to an IPA
> > > > server on RHEL 9.5.
> > > >
> > > > There be dragons if you attempt the following. I'd recommend a full
> > > > system backup prior to starting.
> > > >
> > > > Normally to remove a subsystem you'd run: pkidestroy -s OCSP -i pki-tomcat
> > > >
> > > > But that failed for me because there was no registry for the OCSP
> > > > service (because installation failed). But still run it. It may do some
> > > > things before it dies.
> > > >
> > > > Manually remove cruft left over:
> > > >
> > > > rm -rf /etc/pki/pki-tomcat/ocsp
> > > > rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat/ocsp
> > > > rm -rf /var/lib/pki/pki-tomcat/ocsp
> > > > rm -rf /var/log/pki/pki-tomcat/ocsp
> > > >
> > > > Edit /etc/pki/pki-tomcat/server.xml
> > > >
> > > > Find certificateKeyAlias="sslserver"
> > > >
> > > > Replace sslserver with Server-Cert cert-pki-ca
> > > >
> > > > The CA at least starts now. I did a couple of test operations and things
> > > > seem to be working ok but who knows for sure.
> > > >
> > > > rob
> > > >
> > > > Yavor Marinov wrote:
> > > > > Hey Rob,
> > > > >
> > > > > The directory is there but I don't remember enabling the OCSP service.
> > > > > Here is the content of the directory:
> > > > >
> > > > > [root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
> > > > > total 0
> > > > > lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf -> /etc/pki/pki-tomcat/ocsp
> > > > > lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs -> /var/log/pki/pki-tomcat/ocsp
> > > > > lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry -> /etc/sysconfig/pki/tomcat/pki-tomcat
> > > > >
> > > > > On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:
> > > > > > Yavor Marinov via FreeIPA-users wrote:
> > > > > > > Hello all,
> > > > > > >
> > > > > > > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will
> > > > > > > expire soon, on the 18th of March, I had to check and renew them. But
> > > > > > > upon trying I saw that all tracked certificates are reporting that they
> > > > > > > couldn't connect to the server. Further checking I've found that
> > > > > > > [email protected] is not running and the error which the
> > > > > > > service produces looks like this:
> > > > > > >
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     cli.execute(sys.argv)
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().execute(args)
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     module.execute(module_args)
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     instance.init()
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().init()
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.enable_subsystems()
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     subsystem.enable()
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.instance.deploy_webapp(
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:     document = etree.parse(descriptor, parser)
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
> > > > > > > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
> > > > > > >
> > > > > > > Any help will be much appreciated as I have to upgrade the certificates
> > > > > > > within a month.
> > > > > >
> > > > > > Did someone try to enable a standalone OCSP service?
> > > > > >
> > > > > > Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
> > > > > >
> > > > > > rob
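A check a practitioner could run over the `getcert list` output quoted in this thread, added here as an example (it is not from the thread, from certmonger or from FreeIPA): it parses the Request ID / status / ca-error / subject / expires fields and reports every request that is not in MONITORING or that expires within a warning window. The sample output and the `now` timestamp are constructed; the request IDs and subjects mirror the ones quoted above.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout `getcert list` prints (indented fields).
SAMPLE = """\
Request ID '20230329162435':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    subject: CN=IPA RA,O=EXAMPLE.NET
    expires: 2025-03-18 21:54:35 IST
Request ID '20230329162450':
    status: MONITORING
    subject: CN=login.example.net,O=EXAMPLE.NET
    expires: 2025-03-29 21:54:52 IST
Request ID '20230329162444':
    status: MONITORING
    subject: CN=Certificate Authority,O=EXAMPLE.NET
    expires: 2043-03-29 21:52:55 IST
"""

def parse_getcert(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # first colon only
            current[key] = value.strip()   # status, ca-error, subject, expires
    return requests

def needs_attention(requests, now, warn_days=30):
    """Return (id, subject, reason) for requests not in MONITORING or expiring
    within warn_days. `now` is 'YYYY-MM-DD HH:MM:SS'; zone suffixes are ignored."""
    now_dt = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    findings = []
    for r in requests:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append((r.get("status", "UNKNOWN") + " " + r.get("ca-error", "")).strip())
        if "expires" in r:
            exp = datetime.strptime(r["expires"].rsplit(" ", 1)[0], "%Y-%m-%d %H:%M:%S")
            if exp - now_dt <= timedelta(days=warn_days):
                reasons.append("expires " + r["expires"])
        if reasons:
            findings.append((r["id"], r.get("subject", ""), "; ".join(reasons)))
    return findings
```

Feed it the real output with `needs_attention(parse_getcert(output), now)`; a request that stays in CA_UNREACHABLE as its expiry approaches is the one to act on first.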
--
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
