Yavor Marinov wrote:
> Hey Rob,
> 
> After restarting certmonger all certificates are monitored, thanks a lot
> for your guidance.
> One more question - do I need to renew those certificates, or will they
> be renewed automatically? 

It depends on how the certificates were issued. Certificates issued and
tracked by certmonger should now be renewed. It normally uses a back-off
algo to try renewals: 28 days, 14 days, ... With the CA being
unreachable some may be in the queue to try again sooner.

If the certificates were issued manually, like using request certificate
in the web UI or ipa cert-request on the cli then it's up to the
requestor to handle renewal.

rob

> 
> On Tue, Feb 25, 2025 at 4:03 PM Rob Crittenden <[email protected]> wrote:
> 
>     Yavor Marinov wrote:
>     > Actually.. it's really strange, because I see 36 certificates tracked
>     > from the web interface of FreeIPA, but when I do getcert list I see only
>     > 12 certificates tracked and most of them are with status CA_UNREACHABLE.
>     > The most important question is... will I have problems with those
>     > certificates when they start to expire? Is there a way to clean up all
>     > certificates from IPA which are not in use by the system itself, as
>     > it seems there are issues with the certificates?
> 
>     certmonger uses a queueing system so it doesn't spam the CA with
>     requests. If you want to try to force a renewal you can restart the
>     certmonger service.
> 
>     Not all certificates are tracked by certmonger on a given machine. This
>     is expected. Those other 24 certificates may belong to an IPA replica or
>     to some other service you've issued certificates for.
> 
>     rob
> 
>     > getcert list | egrep '^Request|status:|subject:|expires:|ca-error:'
>     >
>     > Request ID '20230329162435':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=IPA RA,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:54:35 IST
>     > Request ID '20230329162440':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=CA Audit,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:53:22 IST
>     > Request ID '20230329162442':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=OCSP Subsystem,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:53:03 IST
>     > Request ID '20230329162443':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=CA Subsystem,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:53:15 IST
>     > Request ID '20230329162444':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=Certificate Authority,O=EXAMPLE.NET
>     > expires: 2043-03-29 21:52:55 IST
>     > Request ID '20230329162445':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:53:10 IST
>     > Request ID '20230329162450':
>     > status: MONITORING
>     > subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
>     > expires: 2025-03-29 21:54:52 IST
>     > Request ID '20230329162523':
>     > status: MONITORING
>     > subject: CN=login.EXAMPLE.net
>     > expires: 2025-03-27 12:12:44 IST
>     > Request ID '20230329162529':
>     > status: MONITORING
>     > subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
>     > expires: 2025-03-29 21:55:30 IST
>     > Request ID '20230329163030':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=KRA Audit,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:59:33 IST
>     > Request ID '20230329163031':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=KRA Transport Certificate,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:59:21 IST
>     > Request ID '20230329163033':
>     > status: CA_UNREACHABLE
>     > ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     > subject: CN=KRA Storage Certificate,O=EXAMPLE.NET
>     > expires: 2025-03-18 21:59:27 IST
>     >
>     > On Tue, Feb 25, 2025 at 9:48 AM Yavor Marinov <[email protected]> wrote:
>     >
>     >     Hey Rob,
>     >
>     >     This worked like a charm, I just had to --force the command,
>     >     the [email protected] is running properly. Although
>     >     when I check with getcert list the certificates still have problems
>     >     connecting to the CA:
>     >
>     >     ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>     >
>     >     And this is for all certificates, can you point me to how to fix this,
>     >     so those certificates can be renewed normally?
>     >
>     >     On Mon, Feb 24, 2025 at 6:41 PM Rob Crittenden <[email protected]> wrote:
>     >
>     >         I don't know the safest way to address this. Someone tried to
>     >         deploy a standalone OCSP server about two weeks ago based on the dates.
>     >
>     >         I'm guessing the installation failed. I wasn't able to add one
>     >         to an IPA server on RHEL 9.5.
>     >
>     >         There be dragons if you attempt the following. I'd recommend a full
>     >         system backup prior to starting.
>     >
>     >         Normally to remove a subsystem you'd run: pkidestroy -s OCSP -i pki-tomcat
>     >
>     >         But that failed for me because there was no registry for the OCSP
>     >         service (because installation failed). But still run it. It may
>     >         do some things before it dies.
>     >
>     >         Manually remove cruft left over:
>     >
>     >         rm -rf /etc/pki/pki-tomcat/ocsp
>     >         rm -rf /etc/sysconfig/pki/tomcat/pki-tomcat/ocsp
>     >         rm -rf /var/lib/pki/pki-tomcat/ocsp
>     >         rm -rf /var/log/pki/pki-tomcat/ocsp
>     >
>     >         Edit /etc/pki/pki-tomcat/server.xml
>     >
>     >         Find certificateKeyAlias="sslserver"
>     >
>     >         Replace sslserver with Server-Cert cert-pki-ca
>     >
>     >         The CA at least starts now. I did a couple of test operations
>     >         and things seem to be working ok but who knows for sure.
>     >
>     >         rob
>     >
>     >         Yavor Marinov wrote:
>     >         > Hey Rob,
>     >         >
>     >         > The directory is there but I don't remember enabling the OCSP
>     >         > service. Here is the content of the directory
>     >         >
>     >         > [root@login: ~]# ll /var/lib/pki/pki-tomcat/ocsp
>     >         > total 0
>     >         > lrwxrwxrwx 1 pkiuser pkiuser 24 Feb 12 14:16 conf ->
>     >         > /etc/pki/pki-tomcat/ocsp
>     >         > lrwxrwxrwx 1 pkiuser pkiuser 28 Feb 12 14:16 logs ->
>     >         > /var/log/pki/pki-tomcat/ocsp
>     >         > lrwxrwxrwx 1 pkiuser pkiuser 36 Feb 12 14:16 registry ->
>     >         > /etc/sysconfig/pki/tomcat/pki-tomcat
>     >         >
>     >         >
>     >         >
>     >         > On Mon, Feb 24, 2025 at 4:49 PM Rob Crittenden <[email protected]> wrote:
>     >         >
>     >         >     Yavor Marinov via FreeIPA-users wrote:
>     >         >     > Hello all,
>     >         >     >
>     >         >     > I'm using FreeIPA 4.12 on AlmaLinux and since my certificates will
>     >         >     > expire soon on the 18th of March, I had to check and renew them. But
>     >         >     > upon trying I saw that all tracked certificates are reporting that
>     >         >     > they couldn't connect to the server. Further checking I've found that
>     >         >     > [email protected] is not running and the error which the
>     >         >     > service produces looks like this:
>     >         >     >
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: ERROR: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: Traceback (most recent call last):
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/pkiserver.py", line 41, in <module>
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     cli.execute(sys.argv)
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/__init__.py", line 144, in execute
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().execute(args)
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/cli/__init__.py", line 217, in execute
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     module.execute(module_args)
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/cli/migrate.py", line 98, in execute
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     instance.init()
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/instance.py", line 1124, in init
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     super().init()
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 380, in init
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.enable_subsystems()
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1256, in enable_subsystems
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     subsystem.enable()
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/subsystem.py", line 685, in enable
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     self.instance.deploy_webapp(
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "/usr/lib/python3.9/site-packages/pki/server/__init__.py", line 1011, in deploy_webapp
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:     document = etree.parse(descriptor, parser)
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/etree.pyx", line 3521, in lxml.etree.parse
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1862, in lxml.etree._parseDocument
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1888, in lxml.etree._parseDocumentFromURL
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1792, in lxml.etree._parseDocFromFile
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 1180, in lxml.etree._BaseParser._parseDocFromFile
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 618, in lxml.etree._ParserContext._handleParseResultDoc
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 728, in lxml.etree._handleParseResult
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]:   File "src/lxml/parser.pxi", line 655, in lxml.etree._raiseParseError
>     >         >     > Feb 24 14:01:22 login.example.net pki-server[1243031]: OSError: Error reading file '/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml': failed to load external entity "/usr/share/pki/ocsp/conf/Catalina/localhost/ocsp.xml"
>     >         >     >
>     >         >     > Any help will be much appreciated as I have to upgrade the
>     >         >     > certificates within a month.
>     >         >
>     >         >     Did someone try to enable a standalone OCSP service?
>     >         >
>     >         >     Does /var/lib/pki/pki-tomcat/ocsp exist? What's in it?
>     >         >
>     >         >     rob
>     >         >
>     >
> 
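As an added example (editor's code, not from the thread or from FreeIPA/certmonger), the following script parses `getcert list` output like the one quoted above and reports every tracking request that is not MONITORING (printing its ca-error) or whose certificate expires within the 28-day window Rob mentions as certmonger's first renewal checkpoint. The embedded sample output is constructed to mirror the thread; run the file directly on an IPA server to triage the live tracking list instead.

```python
import re
import subprocess
from datetime import datetime

# Constructed sample modelled on the output quoted in this thread (not real data).
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20230329162435':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    subject: CN=IPA RA,O=EXAMPLE.NET
    expires: 2025-03-18 21:54:35 IST
Request ID '20230329162450':
    status: MONITORING
    subject: CN=login.EXAMPLE.net,O=EXAMPLE.NET
    expires: 2025-03-29 21:54:52 IST
Request ID '20230329162444':
    status: CA_UNREACHABLE
    ca-error: Error 7 connecting to http://login.example.net:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
    subject: CN=Certificate Authority,O=EXAMPLE.NET
    expires: 2043-03-29 21:52:55 IST
"""
REQUEST_RE = re.compile(r"^Request ID '([^']+)':")

def parse_getcert(text):
    """One dict per tracking request: 'id' plus every indented 'key: value' line."""
    requests, current = [], None
    for line in text.splitlines():
        match = REQUEST_RE.match(line)
        if match:
            current = {"id": match.group(1)}
            requests.append(current)
        elif current is not None and ":" in line:
            # split on the first colon only: ca-error values contain URLs
            key, _, value = line.strip().partition(":")
            current[key.strip()] = value.strip()
    return requests

def parse_timestamp(value):
    """getcert prints 'YYYY-MM-DD HH:MM:SS TZ'; the zone name (IST above) is
    dropped because strptime cannot resolve such abbreviations portably."""
    date, clock = value.split()[:2]
    return datetime.strptime(f"{date} {clock}", "%Y-%m-%d %H:%M:%S")

def triage(text, now=None, warn_days=28):
    """Return (request_id, reason) for each request needing attention; 28 days is
    the first renewal checkpoint Rob mentions. `now`: datetime, getcert-style
    timestamp string, or None for the current time."""
    now = parse_timestamp(now) if isinstance(now, str) else (now or datetime.now())
    findings = []
    for req in parse_getcert(text):
        status = req.get("status", "UNKNOWN")
        if status != "MONITORING":
            findings.append((req["id"], f"status {status}: {req.get('ca-error', 'no ca-error recorded')}"))
        if "expires" in req:
            days_left = (parse_timestamp(req["expires"]) - now).days
            if days_left < warn_days:
                findings.append((req["id"], f"expires in {days_left} days: {req.get('subject', '?')}"))
    return findings

if __name__ == "__main__":
    # Live mode: triage this host's real tracking list (run as root for full detail).
    live = subprocess.run(["getcert", "list"], check=True, capture_output=True, text=True).stdout
    for request_id, reason in triage(live):
        print(f"{request_id}: {reason}")
```

A request that is CA_UNREACHABLE and also inside the window is reported twice, once per reason, so the expiry risk is visible even when the CA error gets fixed.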

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]