Hi,
On Thu, Mar 20, 2025 at 10:06 PM Petros Triantafyllidis via
FreeIPA-users <[email protected]> wrote:
Hi,
I have two IPA servers 4.10.2-8.el9_3 (fserver & mserver) running
Rocky 9.3. I realized that some of the most recently created
users had problems logging in. One strange thing was that when
listing their home directory, in place of the owner there was their
uidnumber instead of their username.
One of the servers (mserver) fails to start pki-tomcat and I
suspected a certificate issue (some show expiration a month ago).
Below I show some info (sanitized) and I could use some help:
[root@fserver]# ipa-healthcheck
Internal server error 503 Server Error: Service Unavailable for
url: https://mserver.example.com:443/ca/rest/certs/search?size=3
[
{
"source": "pki.server.healthcheck.clones.connectivity_and_data",
"check": "ClonesConnectivyAndDataCheck",
"result": "ERROR",
"uuid": "ae2033bb-9595-4907-8b6d-0db6d13813c3",
"when": "20250320202815Z",
"duration": "0.605725",
"kw": {
"status": "ERROR: pki-tomcat : Internal error testing CA
clone. Host: mserver.example.com Port: 443"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "cd8ecc04-1e11-4229-b0e9-605fc08cc2af",
"when": "20250320202818Z",
"duration": "0.381935",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (metomserver.example.com) under \"dc=IPA,dc=ss,dc=lan\" is
not in synchronization.\nStatus message: error (18) can't acquire
replica (incremental update transient warning. backing off, will
retry update later.)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "2178f7ef-f4fc-426f-a4c4-f357c3540baa",
"when": "20250320202818Z",
"duration": "0.381965",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (catomserver.example.com) under \"o=ipaca\" is not in
synchronization.\nStatus message: error (18) can't acquire replica
(incremental update transient warning. backing off, will retry
update later.)"
}
}
===================================================================================
[root@mserver ~]# ipa-healthcheck
Expired Cert: ocsp_signing
Expired Cert: subsystem
Expired Cert: audit_signing
Internal server error HTTPConnectionPool(host='mserver.example.com', port=8080): Max retries exceeded
with url: /ca/rest/securityDomain/domainInfo (Caused by
NewConnectionError('<urllib3.connection.HTTPConnection object at
0x7f1a6ea9c6d0>: Failed to establish a new connection: [Errno 111]
Connection refused'))
Internal server error
HTTPSConnectionPool(host='mserver.example.com', port=8443): Max retries exceeded
with url: /ca/admin/ca/getStatus (Caused by
NewConnectionError('<urllib3.connection.HTTPSConnection object at
0x7f1a6e9194f0>: Failed to establish a new connection: [Errno 111]
Connection refused'))
[
{
"source": "ipahealthcheck.meta.services",
"check": "pki_tomcatd",
"result": "ERROR",
"uuid": "1f169946-8a47-4d93-ae38-f8072abf82e1",
"when": "20250320203343Z",
"duration": "0.000577",
"kw": {
"status": false,
"msg": "pki_tomcatd: not running"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "d659a57c-f625-462d-b6d5-1a60d8216953",
"when": "20250320203344Z",
"duration": "0.143464",
"kw": {
"cert_id": "ocsp_signing",
"expiry_date": "Feb 17 2025",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "7232e7cb-3cc2-4ff2-9953-954ef2e5d3b9",
"when": "20250320203344Z",
"duration": "0.280452",
"kw": {
"cert_id": "subsystem",
"expiry_date": "Feb 17 2025",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.certs.expiration",
"check": "CASystemCertExpiryCheck",
"result": "ERROR",
"uuid": "117eece4-37dd-45cb-bf6c-acdfa29fb525",
"when": "20250320203344Z",
"duration": "0.349712",
"kw": {
"cert_id": "audit_signing",
"expiry_date": "Feb 17 2025",
"msg": "Certificate has ALREADY EXPIRED"
}
},
{
"source": "pki.server.healthcheck.meta.connectivity",
"check": "DogtagCACertsConnectivityCheck",
"result": "CRITICAL",
"uuid": "bb5c2f08-e28e-47d7-9752-404f83fb67a8",
"when": "20250320203345Z",
"duration": "0.035959",
"kw": {
"msg": "Internal server error. Is your CA subsystem and LDAP
database up?",
"instance_name": "pki-tomcat",
"exception": "HTTPSConnectionPool(host='mserver.example.com', port=8443): Max retries exceeded
with url: /ca/admin/ca/getStatus (Caused by
NewConnectionError('<urllib3.connection.HTTPSConnection object at
0x7f1a6e9194f0>: Failed to establish a new connection: [Errno 111]
Connection refused'))"
}
},
{
"source": "ipahealthcheck.dogtag.ca",
"check": "DogtagCertsConnectivityCheck",
"result": "ERROR",
"uuid": "2c134180-e055-41fe-bd8e-8aa9ca4f56a6",
"when": "20250320203346Z",
"duration": "0.423802",
"kw": {
"key": "cert_show_ra",
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/41': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"serial": "41",
"msg": "Request for certificate failed: {error}"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "55b716e8-43e9-44b0-8764-4263d283dc2d",
"when": "20250320203347Z",
"duration": "0.346086",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (metofserver.example.com) under \"dc=IPA,dc=ss,dc=lan\" is
not in synchronization.\nStatus message: error (18) can't acquire
replica (incremental update transient warning. backing off, will
retry update later.)"
}
},
{
"source": "ipahealthcheck.ds.replication",
"check": "ReplicationCheck",
"result": "ERROR",
"uuid": "37bc48b0-7eca-4576-8e61-b30b1bde621b",
"when": "20250320203347Z",
"duration": "0.346109",
"kw": {
"key": "DSREPLLE0003",
"items": [
"Replication",
"Agreement"
],
"msg": "The replication agreement (catofserver.example.com) under \"o=ipaca\" is not in
synchronization.\nStatus message: error (18) can't acquire replica
(incremental update transient warning. backing off, will retry
update later.)"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "3170174f-6bb6-4afc-82f0-a795791036ed",
"when": "20250320203347Z",
"duration": "0.010887",
"kw": {
"key": "20240325182332",
"expiration_date": "20250217085937Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "727c67e4-f647-4942-b9f4-2861ffd244a8",
"when": "20250320203347Z",
"duration": "0.013823",
"kw": {
"key": "20240325182333",
"expiration_date": "20250217085837Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "83c634aa-24d0-41df-88c3-401a0ce804f4",
"when": "20250320203347Z",
"duration": "0.016737",
"kw": {
"key": "20240325182337",
"expiration_date": "20250217085847Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertmongerExpirationCheck",
"result": "ERROR",
"uuid": "d8ff80a5-f947-48a2-b97c-078becf2f8f9",
"when": "20250320203347Z",
"duration": "0.019678",
"kw": {
"key": "20240325182339",
"expiration_date": "20250217085927Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "31b38213-3510-4a6d-b01f-4aef8f01fdfe",
"when": "20250320203347Z",
"duration": "0.059710",
"kw": {
"key": "20240325182332",
"expiration_date": "20250217085937Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "140abdf2-c6a6-4f5a-9c4e-1381ad9ffef2",
"when": "20250320203347Z",
"duration": "0.103873",
"kw": {
"key": "20240325182333",
"expiration_date": "20250217085837Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "bb70dc48-0382-43a5-80c9-1303302d0332",
"when": "20250320203347Z",
"duration": "0.148327",
"kw": {
"key": "20240325182337",
"expiration_date": "20250217085847Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertfileExpirationCheck",
"result": "ERROR",
"uuid": "d7c88743-8fb3-4793-b193-5e7a6a963e4b",
"when": "20250320203348Z",
"duration": "0.192067",
"kw": {
"key": "20240325182339",
"expiration_date": "20250217085927Z",
"msg": "Request id {key} expired on {expiration_date}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPAOpenSSLChainValidation",
"result": "ERROR",
"uuid": "faab3d0d-c726-4d93-a4fd-b3f47cbee7a0",
"when": "20250320203351Z",
"duration": "0.016884",
"kw": {
"key": "/var/lib/ipa/ra-agent.pem",
"reason": "O = IPA.SS.LAN, CN = IPA RA\nerror 10 at 0 depth
lookup: certificate has expired\nerror /var/lib/ipa/ra-agent.pem:
verification failed\n",
"msg": "Certificate validation for {key} failed: {reason}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c962600a-5f2e-4000-995e-0d6e2c51bf6c",
"when": "20250320203351Z",
"duration": "0.438354",
"kw": {
"key": "20240325182332",
"serial": 41,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/41': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "524f71a3-92aa-424c-a660-f48efef17684",
"when": "20250320203351Z",
"duration": "0.513622",
"kw": {
"key": "20240325182333",
"serial": 37,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/37': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "c2f9fc6f-0561-45e9-aa2b-c741b893a173",
"when": "20250320203351Z",
"duration": "0.591474",
"kw": {
"key": "20240325182337",
"serial": 38,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/38': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "a373bde5-64bd-4cdb-9db1-4b9a565f6d60",
"when": "20250320203351Z",
"duration": "0.667891",
"kw": {
"key": "20240325182339",
"serial": 40,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/40': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "4adb473e-4604-4f6b-85de-aeda264b2bfd",
"when": "20250320203352Z",
"duration": "0.749218",
"kw": {
"key": "20240325182340",
"serial": 1,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/1': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "3cd2e311-a4cc-47a1-86fa-c80ae7c35535",
"when": "20250320203352Z",
"duration": "0.826249",
"kw": {
"key": "20240325182341",
"serial": 805175299,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/805175299': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "3355e9e4-e18d-48b5-9a1f-018ea8a02018",
"when": "20250320203352Z",
"duration": "0.865347",
"kw": {
"key": "20240325182024",
"serial": 805175298,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/805175298': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "43779b90-74cd-4db1-a1b2-19b30f1400ac",
"when": "20250320203352Z",
"duration": "0.947838",
"kw": {
"key": "20240325182004",
"serial": 805175297,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/805175297': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
},
{
"source": "ipahealthcheck.ipa.certs",
"check": "IPACertRevocation",
"result": "ERROR",
"uuid": "76a26aa3-c56f-4984-8abc-c5113d25f2e2",
"when": "20250320203352Z",
"duration": "0.992108",
"kw": {
"key": "20240325182408",
"serial": 268304393,
"error": "cannot connect to
'https://mserver.example.com:443/ca/rest/certs/268304393': [SSL:
SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired
(_ssl.c:2633)",
"msg": "Request for certificate serial number {serial} in
request {key} failed: {error}"
}
}
]
===================================================================================
[root@mserver]# ipactl -d status
[...]
ipa-custodia Service: RUNNING
ipa: DEBUG: request POST
http://mserver.example.com:8080/ca/admin/ca/getStatus
ipa: DEBUG: request body ''
ipa: DEBUG: httplib request failed:
Traceback (most recent call last):
  File "/usr/lib/python3.9/site-packages/ipapython/dogtag.py", line 271, in _httplib_request
    conn.request(method, path, body=request_body, headers=headers)
  File "/usr/lib64/python3.9/http/client.py", line 1285, in request
    self._send_request(method, url, body, headers, encode_chunked)
  File "/usr/lib64/python3.9/http/client.py", line 1331, in _send_request
    self.endheaders(body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.9/http/client.py", line 1280, in endheaders
    self._send_output(message_body, encode_chunked=encode_chunked)
  File "/usr/lib64/python3.9/http/client.py", line 1040, in _send_output
    self.send(msg)
  File "/usr/lib64/python3.9/http/client.py", line 980, in send
    self.connect()
  File "/usr/lib64/python3.9/http/client.py", line 946, in connect
    self.sock = self._create_connection(
  File "/usr/lib64/python3.9/socket.py", line 844, in create_connection
    raise err
  File "/usr/lib64/python3.9/socket.py", line 832, in create_connection
    sock.connect(sa)
ConnectionRefusedError: [Errno 111] Connection refused
ipa: DEBUG: Failed to check CA status: cannot connect to
'http://mserver.example.com:8080/ca/admin/ca/getStatus': [Errno 111] Connection refused
pki-tomcatd Service: STOPPED
[...]
===================================================================================
[root@mserver ~]# getcert list
Number of certificates and requests being tracked: 9.
Request ID '20240325182004':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS
Certificate DB',pinfile='/etc/dirsrv/slapd-IPA-SS-LAN/pwdfile.txt'
certificate:
type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS
Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:20:06 EET
expires: 2026-03-26 20:20:06 EET
dns: mserver.example.com
principal name: ldap/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command:
/usr/libexec/ipa/certmonger/restart_dirsrv IPA-SS-LAN
track: yes
auto-renew: yes
Request ID '20240325182024':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/mserver.example.com-443-RSA'
certificate: type=FILE,location='/var/lib/ipa/certs/httpd.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:20:25 EET
expires: 2026-03-26 20:20:25 EET
dns: mserver.example.com,ipa-ca.IPA.SS.LAN
principal name: HTTP/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caIPAserviceCert
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes
Request ID '20240325182332':
status: CA_WORKING
stuck: no
key pair storage:
type=FILE,location='/var/lib/ipa/ra-agent.key'
certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=IPA RA,O=IPA.SS.LAN
issued: 2023-02-28 10:59:37 EET
expires: 2025-02-17 10:59:37 EET
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command:
/usr/libexec/ipa/certmonger/renew_ra_cert_pre
post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
track: yes
auto-renew: yes
Request ID '20240325182333':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=CA Audit,O=IPA.SS.LAN
issued: 2023-02-28 10:58:37 EET
expires: 2025-02-17 10:58:37 EET
key usage: digitalSignature,nonRepudiation
profile: caSignedLogCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182337':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=OCSP Subsystem,O=IPA.SS.LAN
issued: 2023-02-28 10:58:47 EET
expires: 2025-02-17 10:58:47 EET
eku: id-kp-OCSPSigning
profile: caOCSPCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182339':
status: CA_WORKING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=CA Subsystem,O=IPA.SS.LAN
issued: 2023-02-28 10:59:27 EET
expires: 2025-02-17 10:59:27 EET
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
profile: caSubsystemCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182340':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=Certificate Authority,O=IPA.SS.LAN
issued: 2017-06-20 18:03:50 EEST
expires: 2037-06-20 18:03:50 EEST
key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
profile: caCACert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182341':
status: MONITORING
stuck: no
key pair storage:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB',pin set
certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
cert-pki-ca',token='NSS Certificate DB'
CA: dogtag-ipa-ca-renew-agent
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:22:48 EET
expires: 2026-03-15 20:22:48 EET
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
profile: caServerCert
pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
post-save command:
/usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
track: yes
auto-renew: yes
Request ID '20240325182408':
status: MONITORING
stuck: no
key pair storage:
type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
certificate:
type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
CA: IPA
issuer: CN=Certificate Authority,O=IPA.SS.LAN
subject: CN=mserver.example.com,O=IPA.SS.LAN
issued: 2024-03-25 20:24:13 EET
expires: 2026-03-26 20:24:13 EET
dns: mserver.example.com
principal name: krbtgt/[email protected]
key usage:
digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-pkinit-KPKdc
profile: KDCs_PKINIT_Certs
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
track: yes
auto-renew: yes
===================================================================================
From your logs,
* replication between your servers is broken (could be related to
  the expired certs or the cause for expired certs...)
* on mserver:
  o PKI server not running
  o the shared PKI certificates are expired (Feb 17 2025):
    ra-agent.pem + auditSigningCert cert-pki-ca + ocspSigningCert
    cert-pki-ca + subsystemCert cert-pki-ca
Can you check which server is the CA renewal master?
kinit admin
ipa config-show | grep renewal
IPA CA renewal master: *server.ipa.test*
Then you can force the startup of ipa services on mserver:
ipactl start --ignore-service-failures
At this point, check if the replication is working (for instance with
ipa-healthcheck or by creating a user on mserver and ensuring it is
present on fserver and vice versa). Then let us know the situation;
depending on your answers, you will have to follow one of the sections
of
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_certificates_in_idm/renewing-expired-system-certificates-when-idm-is-offline_managing-certificates-in-idm#renewing-expired-system-certificates-when-idm-is-offline_managing-certificates-in-idm
flo
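The diagnosis above is what a reader has to dig out of several hundred lines of ipa-healthcheck JSON: which services are down, which certificates have expired and by how long, and which replication agreements are out of sync. The script below, added here as an example (it is not part of this thread and not code from the ipa-healthcheck project), does that triage automatically. It assumes only the record layout visible in the quoted output (`source`, `check`, `result`, `when`, `kw`) and runs on a constructed sample modelled on those records, including the non-JSON preamble ipa-healthcheck prints when it cannot reach the CA.

```python
"""Triage helper for ipa-healthcheck JSON output. Added example, not part of this
thread nor of ipa-healthcheck; assumes only the record layout in the quoted output."""
import json
import re
import sys
from datetime import datetime, timezone

# Constructed sample modelled on the quoted records (shortened, not the poster's
# real output). The non-JSON first line mimics what ipa-healthcheck prints when
# it cannot reach the CA at all.
_SAMPLE_RECORDS = [
    {"source": "ipahealthcheck.meta.services", "check": "pki_tomcatd",
     "result": "ERROR", "when": "20250320203343Z",
     "kw": {"status": False, "msg": "pki_tomcatd: not running"}},
    {"source": "pki.server.healthcheck.certs.expiration", "result": "ERROR",
     "check": "CASystemCertExpiryCheck", "when": "20250320203344Z",
     "kw": {"cert_id": "ocsp_signing", "expiry_date": "Feb 17 2025",
            "msg": "Certificate has ALREADY EXPIRED"}},
    {"source": "ipahealthcheck.ipa.certs", "result": "ERROR",
     "check": "IPACertmongerExpirationCheck", "when": "20250320203347Z",
     "kw": {"key": "20240325182332", "expiration_date": "20250217085937Z",
            "msg": "Request id {key} expired on {expiration_date}"}},
    {"source": "ipahealthcheck.ipa.certs", "result": "ERROR",
     "check": "IPACertfileExpirationCheck", "when": "20250320203347Z",
     "kw": {"key": "20240325182332", "expiration_date": "20250217085937Z",
            "msg": "Request id {key} expired on {expiration_date}"}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "ERROR", "when": "20250320203347Z",
     "kw": {"key": "DSREPLLE0003", "msg": "The replication agreement "
            "(catofserver.example.com) under \"o=ipaca\" is not in "
            "synchronization.\nStatus message: error (18) can't acquire replica"}},
    {"source": "ipahealthcheck.meta.services", "check": "httpd",
     "result": "SUCCESS", "when": "20250320203343Z", "kw": {}},
]
SAMPLE_OUTPUT = ("Internal server error HTTPConnectionPool(host='mserver.example.com',"
                 " port=8080): Max retries exceeded (Caused by NewConnectionError("
                 "'[Errno 111] Connection refused'))\n"
                 + json.dumps(_SAMPLE_RECORDS, indent=1) + "\n")

_GTIME = "%Y%m%d%H%M%SZ"  # LDAP generalized time, as in 'when'/'expiration_date'
_AGREEMENT_RE = re.compile(r'agreement \(([^)]+)\) under "([^"]+)"')
_EXPIRY_CHECKS = {"CASystemCertExpiryCheck", "IPACertmongerExpirationCheck",
                  "IPACertfileExpirationCheck"}


def parse_healthcheck(text):
    """Return the result records, skipping any preamble. The preamble can itself
    contain '[' (e.g. '[Errno 111]'), so each '[' is tried until one decodes."""
    decoder = json.JSONDecoder()
    pos = text.find("[")
    while pos != -1:
        try:
            obj, _ = decoder.raw_decode(text, pos)
        except json.JSONDecodeError:
            obj = None
        if isinstance(obj, list):
            return obj
        pos = text.find("[", pos + 1)
    raise ValueError("no JSON result array found in ipa-healthcheck output")


def parse_expiry(kw):
    """Both expiry spellings ('20250217085937Z' or 'Feb 17 2025') as aware UTC."""
    if "expiration_date" in kw:
        return datetime.strptime(kw["expiration_date"], _GTIME).replace(tzinfo=timezone.utc)
    if "expiry_date" in kw:
        return datetime.strptime(kw["expiry_date"], "%b %d %Y").replace(tzinfo=timezone.utc)
    return None


def report_time(records):
    """Time of the run: the latest 'when' among the records."""
    return max(datetime.strptime(r["when"], _GTIME).replace(tzinfo=timezone.utc)
               for r in records if "when" in r)


def triage(records):
    """Bucket failing records into what an admin acts on first, collapsing the
    duplicate the certmonger and cert-file checks emit for the same cert."""
    summary = {"stopped_services": [], "expired_certs": [],
               "replication_out_of_sync": [], "other_failures": 0}
    for rec in records:
        if rec.get("result") == "SUCCESS":
            continue
        check, kw = rec.get("check", ""), rec.get("kw", {})
        msg = str(kw.get("msg", ""))
        agreement = _AGREEMENT_RE.search(msg)
        if rec.get("source") == "ipahealthcheck.meta.services":
            summary["stopped_services"].append(check)  # check name is the service
        elif check in _EXPIRY_CHECKS and "expired" in msg.lower():
            entry = (kw.get("cert_id") or kw.get("key"), parse_expiry(kw))
            if entry not in summary["expired_certs"]:
                summary["expired_certs"].append(entry)
        elif check == "ReplicationCheck" and agreement:
            summary["replication_out_of_sync"].append(agreement.groups())
        else:
            summary["other_failures"] += 1
    return summary


if __name__ == "__main__":  # usage: ipa-healthcheck > out.json; python3 triage.py out.json
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_OUTPUT
    print(json.dumps(triage(parse_healthcheck(text)), indent=2, default=str))
```

Two details matter in practice: the preamble cannot be skipped by jumping to the first `[`, because the urllib3 error text contains `[Errno 111]`, so the parser tries each candidate until one decodes as a JSON array; and the certmonger and cert-file checks report the same request id with the same expiry, so the summary keys expired certificates by (identifier, expiry) to avoid double counting. Subtracting an entry's expiry from `report_time()` gives how long the certificate has been expired at the time of the run.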