Hi,

On Thu, Mar 20, 2025 at 10:06 PM Petros Triantafyllidis via FreeIPA-users <[email protected]> wrote:
> Hi,
> I have two IPA servers 4.10.2-8.el9_3 (fserver & mserver) running Rocky 9.3. I realized that some of the most recently created users had problems logging in. One strange thing was that when listing their home directory, in place of the owner there was their uidnumber instead of their username.
> One of the servers (mserver) fails to start pki-tomcat and I suspected a certificate issue (some show expiration a month ago). Below I show some info (sanitized) and I could use some help:
>
> *[root@fserver]# ipa-healthcheck*
> Internal server error 503 Server Error: Service Unavailable for url: https://mserver.example.com:443/ca/rest/certs/search?size=3
> [
>   {
>     "source": "pki.server.healthcheck.clones.connectivity_and_data",
>     "check": "ClonesConnectivyAndDataCheck",
>     "result": "ERROR",
>     "uuid": "ae2033bb-9595-4907-8b6d-0db6d13813c3",
>     "when": "20250320202815Z",
>     "duration": "0.605725",
>     "kw": {
>       "status": "ERROR: pki-tomcat : Internal error testing CA clone. Host: mserver.example.com Port: 443"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "ERROR",
>     "uuid": "cd8ecc04-1e11-4229-b0e9-605fc08cc2af",
>     "when": "20250320202818Z",
>     "duration": "0.381935",
>     "kw": {
>       "key": "DSREPLLE0003",
>       "items": [
>         "Replication",
>         "Agreement"
>       ],
>       "msg": "The replication agreement (metomserver.example.com) under \"dc=IPA,dc=ss,dc=lan\" is not in synchronization.\nStatus message: error (18) can't acquire replica (incremental update transient warning. backing off, will retry update later.)"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "ERROR",
>     "uuid": "2178f7ef-f4fc-426f-a4c4-f357c3540baa",
>     "when": "20250320202818Z",
>     "duration": "0.381965",
>     "kw": {
>       "key": "DSREPLLE0003",
>       "items": [
>         "Replication",
>         "Agreement"
>       ],
>       "msg": "The replication agreement (catomserver.example.com) under \"o=ipaca\" is not in synchronization.\nStatus message: error (18) can't acquire replica (incremental update transient warning. backing off, will retry update later.)"
>     }
>   }
> ]
>
> ===================================================================================
>
> *[root@mserver ~]# ipa-healthcheck*
> Expired Cert: ocsp_signing
> Expired Cert: subsystem
> Expired Cert: audit_signing
> Internal server error HTTPConnectionPool(host='mserver.example.com', port=8080): Max retries exceeded with url: /ca/rest/securityDomain/domainInfo (Caused by NewConnectionError('<urllib3.connection.HTTPConnection object at 0x7f1a6ea9c6d0>: Failed to establish a new connection: [Errno 111] Connection refused'))
> Internal server error HTTPSConnectionPool(host='mserver.example.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1a6e9194f0>: Failed to establish a new connection: [Errno 111] Connection refused'))
> [
>   {
>     "source": "ipahealthcheck.meta.services",
>     "check": "pki_tomcatd",
>     "result": "ERROR",
>     "uuid": "1f169946-8a47-4d93-ae38-f8072abf82e1",
>     "when": "20250320203343Z",
>     "duration": "0.000577",
>     "kw": {
>       "status": false,
>       "msg": "pki_tomcatd: not running"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.certs.expiration",
>     "check": "CASystemCertExpiryCheck",
>     "result": "ERROR",
>     "uuid": "d659a57c-f625-462d-b6d5-1a60d8216953",
>     "when": "20250320203344Z",
>     "duration": "0.143464",
>     "kw": {
>       "cert_id": "ocsp_signing",
>       "expiry_date": "Feb 17 2025",
>       "msg": "Certificate has ALREADY EXPIRED"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.certs.expiration",
>     "check": "CASystemCertExpiryCheck",
>     "result": "ERROR",
>     "uuid": "7232e7cb-3cc2-4ff2-9953-954ef2e5d3b9",
>     "when": "20250320203344Z",
>     "duration": "0.280452",
>     "kw": {
>       "cert_id": "subsystem",
>       "expiry_date": "Feb 17 2025",
>       "msg": "Certificate has ALREADY EXPIRED"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.certs.expiration",
>     "check": "CASystemCertExpiryCheck",
>     "result": "ERROR",
>     "uuid": "117eece4-37dd-45cb-bf6c-acdfa29fb525",
>     "when": "20250320203344Z",
>     "duration": "0.349712",
>     "kw": {
>       "cert_id": "audit_signing",
>       "expiry_date": "Feb 17 2025",
>       "msg": "Certificate has ALREADY EXPIRED"
>     }
>   },
>   {
>     "source": "pki.server.healthcheck.meta.connectivity",
>     "check": "DogtagCACertsConnectivityCheck",
>     "result": "CRITICAL",
>     "uuid": "bb5c2f08-e28e-47d7-9752-404f83fb67a8",
>     "when": "20250320203345Z",
>     "duration": "0.035959",
>     "kw": {
>       "msg": "Internal server error. Is your CA subsystem and LDAP database up?",
>       "instance_name": "pki-tomcat",
>       "exception": "HTTPSConnectionPool(host='mserver.example.com', port=8443): Max retries exceeded with url: /ca/admin/ca/getStatus (Caused by NewConnectionError('<urllib3.connection.HTTPSConnection object at 0x7f1a6e9194f0>: Failed to establish a new connection: [Errno 111] Connection refused'))"
>     }
>   },
>   {
>     "source": "ipahealthcheck.dogtag.ca",
>     "check": "DogtagCertsConnectivityCheck",
>     "result": "ERROR",
>     "uuid": "2c134180-e055-41fe-bd8e-8aa9ca4f56a6",
>     "when": "20250320203346Z",
>     "duration": "0.423802",
>     "kw": {
>       "key": "cert_show_ra",
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/41': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "serial": "41",
>       "msg": "Request for certificate failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "ERROR",
>     "uuid": "55b716e8-43e9-44b0-8764-4263d283dc2d",
>     "when": "20250320203347Z",
>     "duration": "0.346086",
>     "kw": {
>       "key": "DSREPLLE0003",
>       "items": [
>         "Replication",
>         "Agreement"
>       ],
>       "msg": "The replication agreement (metofserver.example.com) under \"dc=IPA,dc=ss,dc=lan\" is not in synchronization.\nStatus message: error (18) can't acquire replica (incremental update transient warning. backing off, will retry update later.)"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ds.replication",
>     "check": "ReplicationCheck",
>     "result": "ERROR",
>     "uuid": "37bc48b0-7eca-4576-8e61-b30b1bde621b",
>     "when": "20250320203347Z",
>     "duration": "0.346109",
>     "kw": {
>       "key": "DSREPLLE0003",
>       "items": [
>         "Replication",
>         "Agreement"
>       ],
>       "msg": "The replication agreement (catofserver.example.com) under \"o=ipaca\" is not in synchronization.\nStatus message: error (18) can't acquire replica (incremental update transient warning. backing off, will retry update later.)"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertmongerExpirationCheck",
>     "result": "ERROR",
>     "uuid": "3170174f-6bb6-4afc-82f0-a795791036ed",
>     "when": "20250320203347Z",
>     "duration": "0.010887",
>     "kw": {
>       "key": "20240325182332",
>       "expiration_date": "20250217085937Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertmongerExpirationCheck",
>     "result": "ERROR",
>     "uuid": "727c67e4-f647-4942-b9f4-2861ffd244a8",
>     "when": "20250320203347Z",
>     "duration": "0.013823",
>     "kw": {
>       "key": "20240325182333",
>       "expiration_date": "20250217085837Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertmongerExpirationCheck",
>     "result": "ERROR",
>     "uuid": "83c634aa-24d0-41df-88c3-401a0ce804f4",
>     "when": "20250320203347Z",
>     "duration": "0.016737",
>     "kw": {
>       "key": "20240325182337",
>       "expiration_date": "20250217085847Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertmongerExpirationCheck",
>     "result": "ERROR",
>     "uuid": "d8ff80a5-f947-48a2-b97c-078becf2f8f9",
>     "when": "20250320203347Z",
>     "duration": "0.019678",
>     "kw": {
>       "key": "20240325182339",
>       "expiration_date": "20250217085927Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertfileExpirationCheck",
>     "result": "ERROR",
>     "uuid": "31b38213-3510-4a6d-b01f-4aef8f01fdfe",
>     "when": "20250320203347Z",
>     "duration": "0.059710",
>     "kw": {
>       "key": "20240325182332",
>       "expiration_date": "20250217085937Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertfileExpirationCheck",
>     "result": "ERROR",
>     "uuid": "140abdf2-c6a6-4f5a-9c4e-1381ad9ffef2",
>     "when": "20250320203347Z",
>     "duration": "0.103873",
>     "kw": {
>       "key": "20240325182333",
>       "expiration_date": "20250217085837Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertfileExpirationCheck",
>     "result": "ERROR",
>     "uuid": "bb70dc48-0382-43a5-80c9-1303302d0332",
>     "when": "20250320203347Z",
>     "duration": "0.148327",
>     "kw": {
>       "key": "20240325182337",
>       "expiration_date": "20250217085847Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertfileExpirationCheck",
>     "result": "ERROR",
>     "uuid": "d7c88743-8fb3-4793-b193-5e7a6a963e4b",
>     "when": "20250320203348Z",
>     "duration": "0.192067",
>     "kw": {
>       "key": "20240325182339",
>       "expiration_date": "20250217085927Z",
>       "msg": "Request id {key} expired on {expiration_date}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPAOpenSSLChainValidation",
>     "result": "ERROR",
>     "uuid": "faab3d0d-c726-4d93-a4fd-b3f47cbee7a0",
>     "when": "20250320203351Z",
>     "duration": "0.016884",
>     "kw": {
>       "key": "/var/lib/ipa/ra-agent.pem",
>       "reason": "O = IPA.SS.LAN, CN = IPA RA\nerror 10 at 0 depth lookup: certificate has expired\nerror /var/lib/ipa/ra-agent.pem: verification failed\n",
>       "msg": "Certificate validation for {key} failed: {reason}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "c962600a-5f2e-4000-995e-0d6e2c51bf6c",
>     "when": "20250320203351Z",
>     "duration": "0.438354",
>     "kw": {
>       "key": "20240325182332",
>       "serial": 41,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/41': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "524f71a3-92aa-424c-a660-f48efef17684",
>     "when": "20250320203351Z",
>     "duration": "0.513622",
>     "kw": {
>       "key": "20240325182333",
>       "serial": 37,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/37': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "c2f9fc6f-0561-45e9-aa2b-c741b893a173",
>     "when": "20250320203351Z",
>     "duration": "0.591474",
>     "kw": {
>       "key": "20240325182337",
>       "serial": 38,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/38': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "a373bde5-64bd-4cdb-9db1-4b9a565f6d60",
>     "when": "20250320203351Z",
>     "duration": "0.667891",
>     "kw": {
>       "key": "20240325182339",
>       "serial": 40,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/40': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "4adb473e-4604-4f6b-85de-aeda264b2bfd",
>     "when": "20250320203352Z",
>     "duration": "0.749218",
>     "kw": {
>       "key": "20240325182340",
>       "serial": 1,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/1': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "3cd2e311-a4cc-47a1-86fa-c80ae7c35535",
>     "when": "20250320203352Z",
>     "duration": "0.826249",
>     "kw": {
>       "key": "20240325182341",
>       "serial": 805175299,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/805175299': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "3355e9e4-e18d-48b5-9a1f-018ea8a02018",
>     "when": "20250320203352Z",
>     "duration": "0.865347",
>     "kw": {
>       "key": "20240325182024",
>       "serial": 805175298,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/805175298': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "43779b90-74cd-4db1-a1b2-19b30f1400ac",
>     "when": "20250320203352Z",
>     "duration": "0.947838",
>     "kw": {
>       "key": "20240325182004",
>       "serial": 805175297,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/805175297': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   },
>   {
>     "source": "ipahealthcheck.ipa.certs",
>     "check": "IPACertRevocation",
>     "result": "ERROR",
>     "uuid": "76a26aa3-c56f-4984-8abc-c5113d25f2e2",
>     "when": "20250320203352Z",
>     "duration": "0.992108",
>     "kw": {
>       "key": "20240325182408",
>       "serial": 268304393,
>       "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/268304393': [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired (_ssl.c:2633)",
>       "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"
>     }
>   }
> ]
>
> ===================================================================================
>
> *[root@mserver]# ipactl -d status*
>
> [...]
>
> ipa-custodia Service: RUNNING
> ipa: DEBUG: request POST http://mserver.example.com:8080/ca/admin/ca/getStatus
> ipa: DEBUG: request body ''
> ipa: DEBUG: httplib request failed:
> Traceback (most recent call last):
>   File "/usr/lib/python3.9/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
>     conn.request(method, path, body=request_body, headers=headers)
>   File "/usr/lib64/python3.9/http/client.py", line 1285, in request
>     self._send_request(method, url, body, headers, encode_chunked)
>   File "/usr/lib64/python3.9/http/client.py", line 1331, in _send_request
>     self.endheaders(body, encode_chunked=encode_chunked)
>   File "/usr/lib64/python3.9/http/client.py", line 1280, in endheaders
>     self._send_output(message_body, encode_chunked=encode_chunked)
>   File "/usr/lib64/python3.9/http/client.py", line 1040, in _send_output
>     self.send(msg)
>   File "/usr/lib64/python3.9/http/client.py", line 980, in send
>     self.connect()
>   File "/usr/lib64/python3.9/http/client.py", line 946, in connect
>     self.sock = self._create_connection(
>   File "/usr/lib64/python3.9/socket.py", line 844, in create_connection
>     raise err
>   File "/usr/lib64/python3.9/socket.py", line 832, in create_connection
>     sock.connect(sa)
> ConnectionRefusedError: [Errno 111] Connection refused
> ipa: DEBUG: Failed to check CA status: cannot connect to 'http://mserver.example.com:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
> pki-tomcatd Service: STOPPED
> [...]
>
> ===================================================================================
>
> *[root@mserver ~]# getcert list*
> Number of certificates and requests being tracked: 9.
> Request ID '20240325182004':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-SS-LAN/pwdfile.txt'
>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS Certificate DB'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=mserver.example.com,O=IPA.SS.LAN
>   issued: 2024-03-25 20:20:06 EET
>   expires: 2026-03-26 20:20:06 EET
>   dns: mserver.example.com
>   principal name: ldap/[email protected]
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   profile: caIPAserviceCert
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv IPA-SS-LAN
>   track: yes
>   auto-renew: yes
> Request ID '20240325182024':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/mserver.example.com-443-RSA'
>   certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=mserver.example.com,O=IPA.SS.LAN
>   issued: 2024-03-25 20:20:25 EET
>   expires: 2026-03-26 20:20:25 EET
>   dns: mserver.example.com,ipa-ca.IPA.SS.LAN
>   principal name: HTTP/[email protected]
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   profile: caIPAserviceCert
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>   track: yes
>   auto-renew: yes
> Request ID '20240325182332':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>   certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=IPA RA,O=IPA.SS.LAN
>   issued: 2023-02-28 10:59:37 EET
>   expires: 2025-02-17 10:59:37 EET
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   profile: caSubsystemCert
>   pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>   post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>   track: yes
>   auto-renew: yes
> Request ID '20240325182333':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=CA Audit,O=IPA.SS.LAN
>   issued: 2023-02-28 10:58:37 EET
>   expires: 2025-02-17 10:58:37 EET
>   key usage: digitalSignature,nonRepudiation
>   profile: caSignedLogCert
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20240325182337':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=OCSP Subsystem,O=IPA.SS.LAN
>   issued: 2023-02-28 10:58:47 EET
>   expires: 2025-02-17 10:58:47 EET
>   eku: id-kp-OCSPSigning
>   profile: caOCSPCert
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20240325182339':
>   status: CA_WORKING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=CA Subsystem,O=IPA.SS.LAN
>   issued: 2023-02-28 10:59:27 EET
>   expires: 2025-02-17 10:59:27 EET
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth
>   profile: caSubsystemCert
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20240325182340':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=Certificate Authority,O=IPA.SS.LAN
>   issued: 2017-06-20 18:03:50 EEST
>   expires: 2037-06-20 18:03:50 EEST
>   key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>   profile: caCACert
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20240325182341':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>   certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>   CA: dogtag-ipa-ca-renew-agent
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=mserver.example.com,O=IPA.SS.LAN
>   issued: 2024-03-25 20:22:48 EET
>   expires: 2026-03-15 20:22:48 EET
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
>   profile: caServerCert
>   pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>   post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>   track: yes
>   auto-renew: yes
> Request ID '20240325182408':
>   status: MONITORING
>   stuck: no
>   key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>   certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>   CA: IPA
>   issuer: CN=Certificate Authority,O=IPA.SS.LAN
>   subject: CN=mserver.example.com,O=IPA.SS.LAN
>   issued: 2024-03-25 20:24:13 EET
>   expires: 2026-03-26 20:24:13 EET
>   dns: mserver.example.com
>   principal name: krbtgt/[email protected]
>   key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>   eku: id-kp-serverAuth,id-pkinit-KPKdc
>   profile: KDCs_PKINIT_Certs
>   pre-save command:
>   post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>   track: yes
>   auto-renew: yes
>
> ===================================================================================
>

From your logs,
- replication between your servers is broken (could be related to the expired certs or the cause for expired certs...)
- on mserver:
  - PKI server not running
  - the shared PKI certificates are expired (Feb 17 2025): ra-agent.pem + auditSigningCert cert-pki-ca + ocspSigningCert cert-pki-ca + subsystemCert cert-pki-ca

Can you check which server is the CA renewal master?

kinit admin
ipa config-show | grep renewal
  IPA CA renewal master: *server.ipa.test*

Then you can force the startup of ipa services on mserver:

ipactl start --ignore-service-failures

At this point, check if the replication is working (for instance with ipa-healthcheck or by creating a user on mserver and ensuring it is present on fserver and vice-versa).

Then let us know the situation; depending on your answers you will have to follow one of the sections of
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_certificates_in_idm/renewing-expired-system-certificates-when-idm-is-offline_managing-certificates-in-idm#renewing-expired-system-certificates-when-idm-is-offline_managing-certificates-in-idm

flo

> Thanks in advance,
> Petros
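As an added example (not code from the thread or from FreeIPA itself), a small Python triage script for the checks flo asks for: it parses `getcert list` output of the kind quoted above, flags requests that are expired or stuck in CA_WORKING, and reads the "IPA CA renewal master" line from `ipa config-show`. The sample inputs are constructed from the thread's values; the renewal master hostname and the `ipa config-show` excerpt are assumptions.

```python
"""Triage helper for the getcert/ipa output discussed in this thread: parse
`getcert list`, flag certificates that are expired or stuck in a non-MONITORING
state (CA_WORKING: certmonger waiting on a CA that is down), and read the
CA renewal master from `ipa config-show`."""
import re
from datetime import datetime

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[^:]+):\s*(?P<value>.*)$")
# getcert prints "YYYY-MM-DD HH:MM:SS TZ"; the zone abbreviation is dropped here.
EXPIRES_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Constructed sample, modelled on the getcert output quoted in the thread.
SAMPLE_GETCERT = """\
Number of certificates and requests being tracked: 2.
Request ID '20240325182332':
    status: CA_WORKING
    stuck: no
    certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=IPA.SS.LAN
    expires: 2025-02-17 10:59:37 EET
    post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
Request ID '20240325182340':
    status: MONITORING
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=IPA.SS.LAN
    expires: 2037-06-20 18:03:50 EEST
"""

# Constructed `ipa config-show` excerpt; the master hostname is an assumption.
SAMPLE_CONFIG_SHOW = """\
  Maximum username length: 32
  IPA CA renewal master: fserver.example.com
"""

NOW = datetime(2025, 3, 20)  # date of the thread, so the sample is reproducible


def parse_getcert(text):
    """Return one dict per 'Request ID' block with its key: value fields."""
    records, current = [], None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            records.append(current)
            continue
        m = FIELD_RE.match(line)
        if m and current is not None:
            current[m.group("key").strip()] = m.group("value").strip()
    return records


def triage(text, now):
    """List requests that are expired and/or not in MONITORING state."""
    problems = []
    for rec in parse_getcert(text):
        reasons = []
        m = EXPIRES_RE.match(rec.get("expires", ""))
        if m and datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S") < now:
            reasons.append("expired " + m.group(1)[:10])
        if rec.get("status") != "MONITORING":
            reasons.append("status " + str(rec.get("status")))
        if reasons:
            problems.append({"id": rec["id"], "subject": rec.get("subject", "?"),
                             "ca": rec.get("CA", "?"), "reasons": reasons})
    return problems


def renewal_master(config_show_text):
    """Return the host named on the 'IPA CA renewal master' line, or None."""
    for line in config_show_text.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "IPA CA renewal master":
            return value.strip()
    return None


if __name__ == "__main__":
    print("CA renewal master:", renewal_master(SAMPLE_CONFIG_SHOW))
    for p in triage(SAMPLE_GETCERT, NOW):
        print(p["id"], p["subject"], "via", p["ca"], "->", "; ".join(p["reasons"]))
```

On a live server, feed it the real output (`getcert list` and `ipa config-show` after `kinit admin`) instead of the constructed samples.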
--
_______________________________________________
FreeIPA-users mailing list -- [email protected]
To unsubscribe send an email to [email protected]
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
