Sorry for the misunderstanding, I thought I made it clear: replication is broken. Wherever I create a user, this user does not exist on the other server.

Petros
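Added here as an editorial example, not code from this thread or from FreeIPA: a small Python triage script for the kind of output quoted below. It parses the JSON that ipa-healthcheck emits (the source/check/result/kw records) into the buckets a responder acts on, without double counting the certmonger and certfile expiry checks that report the same request id, and it compares the "IPA CA renewal master" line of ipa config-show captured on each server. The sample findings are constructed from the thread's output and trimmed to the fields used; the bucket names and the list of CA-dependent checks are my own grouping, not FreeIPA's.

```python
"""Triage an ipa-healthcheck JSON report and cross-check the CA renewal master.

Editorial example; not a FreeIPA tool. Sample data is constructed from the
output quoted in the thread and trimmed to the fields used here.
"""
import json
import re

SAMPLE_HEALTHCHECK = json.dumps([
    {"source": "ipahealthcheck.meta.services", "check": "pki_tomcatd",
     "result": "ERROR", "kw": {"status": False, "msg": "pki_tomcatd: not running"}},
    {"source": "pki.server.healthcheck.certs.expiration",
     "check": "CASystemCertExpiryCheck", "result": "ERROR",
     "kw": {"cert_id": "subsystem", "expiry_date": "Feb 17 2025",
            "msg": "Certificate has ALREADY EXPIRED"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertmongerExpirationCheck",
     "result": "ERROR", "kw": {"key": "20240325182332",
                               "expiration_date": "20250217085937Z",
                               "msg": "Request id {key} expired on {expiration_date}"}},
    # The certfile check reports the same request id again; triage must not double count.
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertfileExpirationCheck",
     "result": "ERROR", "kw": {"key": "20240325182332",
                               "expiration_date": "20250217085937Z",
                               "msg": "Request id {key} expired on {expiration_date}"}},
    {"source": "ipahealthcheck.ds.replication", "check": "ReplicationCheck",
     "result": "ERROR", "kw": {"key": "DSREPLLE0003", "items": ["Replication", "Agreement"],
                               "msg": 'The replication agreement (catofserver.example.com) '
                                      'under "o=ipaca" is not in synchronization.\n'
                                      "Status message: error (18) can't acquire replica"}},
    {"source": "ipahealthcheck.ipa.certs", "check": "IPACertRevocation", "result": "ERROR",
     "kw": {"key": "20240325182333", "serial": 37,
            "error": "cannot connect to 'https://mserver.example.com:443/ca/rest/certs/37': "
                     "[SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate expired",
            "msg": "Request for certificate serial number {serial} in request {key} failed: {error}"}},
    {"source": "ipahealthcheck.meta.services", "check": "dirsrv", "result": "SUCCESS", "kw": {}},
])

# My grouping (assumption): checks whose failure on a host whose CA is stopped or
# presents an expired certificate is a consequence of that, not a separate fault.
CA_DEPENDENT_CHECKS = {"IPACertRevocation", "DogtagCertsConnectivityCheck",
                       "DogtagCACertsConnectivityCheck", "ClonesConnectivyAndDataCheck"}
AGREEMENT_RE = re.compile(r'replication agreement \(([^)]+)\) under "([^"]+)"')
RENEWAL_RE = re.compile(r"IPA CA renewal master:\s*(\S+)")


def triage(report_json):
    """Bucket ipa-healthcheck findings into the things a responder acts on."""
    out = {"services_down": [], "expired_certs": [],
           "replication_out_of_sync": [], "ca_unreachable": 0, "other": []}
    for f in json.loads(report_json):
        if f.get("result") == "SUCCESS":
            continue
        check, kw = f.get("check", ""), f.get("kw", {})
        if f.get("source") == "ipahealthcheck.meta.services":
            out["services_down"].append(check)
        elif check == "CASystemCertExpiryCheck":
            item = (kw.get("cert_id"), kw.get("expiry_date"))
            if item not in out["expired_certs"]:
                out["expired_certs"].append(item)
        elif check in ("IPACertmongerExpirationCheck", "IPACertfileExpirationCheck"):
            item = (kw.get("key"), kw.get("expiration_date"))
            if item not in out["expired_certs"]:
                out["expired_certs"].append(item)
        elif check == "ReplicationCheck" and kw.get("key") == "DSREPLLE0003":
            m = AGREEMENT_RE.search(kw.get("msg", ""))
            out["replication_out_of_sync"].append(m.groups() if m else (kw.get("msg"), "?"))
        elif check in CA_DEPENDENT_CHECKS:
            out["ca_unreachable"] += 1
        else:
            out["other"].append((f.get("source"), check))
    return out


def renewal_master_consistent(config_show_by_host):
    """Compare the 'IPA CA renewal master' line of 'ipa config-show' from each host.

    The value is stored in LDAP and replicated; two different answers mean the
    servers' directory data has diverged, which is itself a replication symptom.
    Returns (consistent, set of names seen).
    """
    names = set()
    for host, text in config_show_by_host.items():
        m = RENEWAL_RE.search(text)
        names.add(m.group(1) if m else "<no renewal master reported on %s>" % host)
    return len(names) == 1, names


if __name__ == "__main__":
    result = triage(SAMPLE_HEALTHCHECK)
    for bucket, items in result.items():
        print("%-25s %s" % (bucket, items))
    ok, names = renewal_master_consistent({
        "mserver": "  IPA CA renewal master: mserver.example.com\n",
        "fserver": "  IPA CA renewal master: fserver.example.com\n",
    })
    print("renewal master consistent:", ok, sorted(names))
```

Run it against `ipa-healthcheck --output-type json` (the JSON portion of the output, not the human-readable header lines) from each server; the point of the ca_unreachable counter is to keep the many IPACertRevocation failures from hiding the three expired CA subsystem certificates and the stopped pki-tomcatd that explain them.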

On 3/21/25 6:01 PM, Florence Blanc-Renaud wrote:
Hi,

On Fri, Mar 21, 2025 at 3:33 PM Petros Triantafyllidis via FreeIPA-users <[email protected]> wrote:

    Thanks for your answer, flo.
    ipa config-show shows both servers as renewal masters, depending
    on where you run it. I guess this might be a cause of the problems:

    [root@mserver ~]# ipa config-show | grep renewal
      IPA CA renewal master: mserver.example.com

    [root@fserver ~]# ipa config-show | grep renewal
      IPA CA renewal master: fserver.example.com

    Even when I force the service to start on mserver, pki-tomcat
    still fails and consequently ipa-healthcheck reports the same errors.

Is the replication broken even after the service is force-started?

flo

    Assuming that I'd like fserver (the healthy one) to be the CA
    renewal master, how do I proceed? Should I run ipa-cert-fix on
    mserver?

    Thanks again,
    Petros


    On 3/21/25 15:34, Florence Blanc-Renaud wrote:
    Hi,

    On Thu, Mar 20, 2025 at 10:06 PM Petros Triantafyllidis via
    FreeIPA-users <[email protected]> wrote:

        Hi,
        I have two IPA servers 4.10.2-8.el9_3 (fserver & mserver)
        running Rocky 9.3. I realized that some of the most recently
        created users had problems logging in. One strange thing was
        that when listing their home directory, in place of the owner
        there was their uidnumber instead of their username.
        One of the servers (mserver) fails to start pki-tomcat and I
        suspected a certificate issue (some show expiration a month
        ago). Below I show some info (sanitized) and I could use some
        help:

        *[root@fserver]# ipa-healthcheck*
        Internal server error 503 Server Error: Service Unavailable
        for url:
        https://mserver.example.com:443/ca/rest/certs/search?size=3
        [
          {
            "source":
        "pki.server.healthcheck.clones.connectivity_and_data",
            "check": "ClonesConnectivyAndDataCheck",
            "result": "ERROR",
            "uuid": "ae2033bb-9595-4907-8b6d-0db6d13813c3",
            "when": "20250320202815Z",
            "duration": "0.605725",
            "kw": {
              "status": "ERROR:  pki-tomcat : Internal error testing
        CA clone. Host: mserver.example.com Port: 443"
            }
          },
          {
            "source": "ipahealthcheck.ds.replication",
            "check": "ReplicationCheck",
            "result": "ERROR",
            "uuid": "cd8ecc04-1e11-4229-b0e9-605fc08cc2af",
            "when": "20250320202818Z",
            "duration": "0.381935",
            "kw": {
              "key": "DSREPLLE0003",
              "items": [
                "Replication",
                "Agreement"
              ],
              "msg": "The replication agreement
        (metomserver.example.com)
        under \"dc=IPA,dc=ss,dc=lan\" is not in
        synchronization.\nStatus message: error (18) can't acquire
        replica (incremental update transient warning.  backing off,
        will retry update later.)"
            }
          },
          {
            "source": "ipahealthcheck.ds.replication",
            "check": "ReplicationCheck",
            "result": "ERROR",
            "uuid": "2178f7ef-f4fc-426f-a4c4-f357c3540baa",
            "when": "20250320202818Z",
            "duration": "0.381965",
            "kw": {
              "key": "DSREPLLE0003",
              "items": [
                "Replication",
                "Agreement"
              ],
              "msg": "The replication agreement
        (catomserver.example.com)
        under \"o=ipaca\" is not in synchronization.\nStatus message:
        error (18) can't acquire replica (incremental update
        transient warning.  backing off, will retry update later.)"
            }
          }

        
===================================================================================

        *[root@mserver ~]# ipa-healthcheck*
        Expired Cert: ocsp_signing
        Expired Cert: subsystem
        Expired Cert: audit_signing
        Internal server error
        HTTPConnectionPool(host='mserver.example.com', port=8080): Max retries
        exceeded with url: /ca/rest/securityDomain/domainInfo (Caused
        by NewConnectionError('<urllib3.connection.HTTPConnection
        object at 0x7f1a6ea9c6d0>: Failed to establish a new
        connection: [Errno 111] Connection refused'))
        Internal server error
        HTTPSConnectionPool(host='mserver.example.com', port=8443): Max retries
        exceeded with url: /ca/admin/ca/getStatus (Caused by
        NewConnectionError('<urllib3.connection.HTTPSConnection
        object at 0x7f1a6e9194f0>: Failed to establish a new
        connection: [Errno 111] Connection refused'))
        [
          {
            "source": "ipahealthcheck.meta.services",
            "check": "pki_tomcatd",
            "result": "ERROR",
            "uuid": "1f169946-8a47-4d93-ae38-f8072abf82e1",
            "when": "20250320203343Z",
            "duration": "0.000577",
            "kw": {
              "status": false,
              "msg": "pki_tomcatd: not running"
            }
          },
          {
            "source": "pki.server.healthcheck.certs.expiration",
            "check": "CASystemCertExpiryCheck",
            "result": "ERROR",
            "uuid": "d659a57c-f625-462d-b6d5-1a60d8216953",
            "when": "20250320203344Z",
            "duration": "0.143464",
            "kw": {
              "cert_id": "ocsp_signing",
              "expiry_date": "Feb 17 2025",
              "msg": "Certificate has ALREADY EXPIRED"
            }
          },
          {
            "source": "pki.server.healthcheck.certs.expiration",
            "check": "CASystemCertExpiryCheck",
            "result": "ERROR",
            "uuid": "7232e7cb-3cc2-4ff2-9953-954ef2e5d3b9",
            "when": "20250320203344Z",
            "duration": "0.280452",
            "kw": {
              "cert_id": "subsystem",
              "expiry_date": "Feb 17 2025",
              "msg": "Certificate has ALREADY EXPIRED"
            }
          },
          {
            "source": "pki.server.healthcheck.certs.expiration",
            "check": "CASystemCertExpiryCheck",
            "result": "ERROR",
            "uuid": "117eece4-37dd-45cb-bf6c-acdfa29fb525",
            "when": "20250320203344Z",
            "duration": "0.349712",
            "kw": {
              "cert_id": "audit_signing",
              "expiry_date": "Feb 17 2025",
              "msg": "Certificate has ALREADY EXPIRED"
            }
          },
          {
            "source": "pki.server.healthcheck.meta.connectivity",
            "check": "DogtagCACertsConnectivityCheck",
            "result": "CRITICAL",
            "uuid": "bb5c2f08-e28e-47d7-9752-404f83fb67a8",
            "when": "20250320203345Z",
            "duration": "0.035959",
            "kw": {
              "msg": "Internal server error. Is your CA subsystem and
        LDAP database up?",
              "instance_name": "pki-tomcat",
              "exception":
        "HTTPSConnectionPool(host='mserver.example.com', port=8443): Max retries
        exceeded with url: /ca/admin/ca/getStatus (Caused by
        NewConnectionError('<urllib3.connection.HTTPSConnection
        object at 0x7f1a6e9194f0>: Failed to establish a new
        connection: [Errno 111] Connection refused'))"
            }
          },
          {
            "source": "ipahealthcheck.dogtag.ca",
            "check": "DogtagCertsConnectivityCheck",
            "result": "ERROR",
            "uuid": "2c134180-e055-41fe-bd8e-8aa9ca4f56a6",
            "when": "20250320203346Z",
            "duration": "0.423802",
            "kw": {
              "key": "cert_show_ra",
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/41': [SSL:
        SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate
        expired (_ssl.c:2633)",
              "serial": "41",
              "msg": "Request for certificate failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ds.replication",
            "check": "ReplicationCheck",
            "result": "ERROR",
            "uuid": "55b716e8-43e9-44b0-8764-4263d283dc2d",
            "when": "20250320203347Z",
            "duration": "0.346086",
            "kw": {
              "key": "DSREPLLE0003",
              "items": [
                "Replication",
                "Agreement"
              ],
              "msg": "The replication agreement
        (metofserver.example.com)
        under \"dc=IPA,dc=ss,dc=lan\" is not in
        synchronization.\nStatus message: error (18) can't acquire
        replica (incremental update transient warning.  backing off,
        will retry update later.)"
            }
          },
          {
            "source": "ipahealthcheck.ds.replication",
            "check": "ReplicationCheck",
            "result": "ERROR",
            "uuid": "37bc48b0-7eca-4576-8e61-b30b1bde621b",
            "when": "20250320203347Z",
            "duration": "0.346109",
            "kw": {
              "key": "DSREPLLE0003",
              "items": [
                "Replication",
                "Agreement"
              ],
              "msg": "The replication agreement
        (catofserver.example.com)
        under \"o=ipaca\" is not in synchronization.\nStatus message:
        error (18) can't acquire replica (incremental update
        transient warning.  backing off, will retry update later.)"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertmongerExpirationCheck",
            "result": "ERROR",
            "uuid": "3170174f-6bb6-4afc-82f0-a795791036ed",
            "when": "20250320203347Z",
            "duration": "0.010887",
            "kw": {
              "key": "20240325182332",
              "expiration_date": "20250217085937Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertmongerExpirationCheck",
            "result": "ERROR",
            "uuid": "727c67e4-f647-4942-b9f4-2861ffd244a8",
            "when": "20250320203347Z",
            "duration": "0.013823",
            "kw": {
              "key": "20240325182333",
              "expiration_date": "20250217085837Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertmongerExpirationCheck",
            "result": "ERROR",
            "uuid": "83c634aa-24d0-41df-88c3-401a0ce804f4",
            "when": "20250320203347Z",
            "duration": "0.016737",
            "kw": {
              "key": "20240325182337",
              "expiration_date": "20250217085847Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertmongerExpirationCheck",
            "result": "ERROR",
            "uuid": "d8ff80a5-f947-48a2-b97c-078becf2f8f9",
            "when": "20250320203347Z",
            "duration": "0.019678",
            "kw": {
              "key": "20240325182339",
              "expiration_date": "20250217085927Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertfileExpirationCheck",
            "result": "ERROR",
            "uuid": "31b38213-3510-4a6d-b01f-4aef8f01fdfe",
            "when": "20250320203347Z",
            "duration": "0.059710",
            "kw": {
              "key": "20240325182332",
              "expiration_date": "20250217085937Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertfileExpirationCheck",
            "result": "ERROR",
            "uuid": "140abdf2-c6a6-4f5a-9c4e-1381ad9ffef2",
            "when": "20250320203347Z",
            "duration": "0.103873",
            "kw": {
              "key": "20240325182333",
              "expiration_date": "20250217085837Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertfileExpirationCheck",
            "result": "ERROR",
            "uuid": "bb70dc48-0382-43a5-80c9-1303302d0332",
            "when": "20250320203347Z",
            "duration": "0.148327",
            "kw": {
              "key": "20240325182337",
              "expiration_date": "20250217085847Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertfileExpirationCheck",
            "result": "ERROR",
            "uuid": "d7c88743-8fb3-4793-b193-5e7a6a963e4b",
            "when": "20250320203348Z",
            "duration": "0.192067",
            "kw": {
              "key": "20240325182339",
              "expiration_date": "20250217085927Z",
              "msg": "Request id {key} expired on {expiration_date}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPAOpenSSLChainValidation",
            "result": "ERROR",
            "uuid": "faab3d0d-c726-4d93-a4fd-b3f47cbee7a0",
            "when": "20250320203351Z",
            "duration": "0.016884",
            "kw": {
              "key": "/var/lib/ipa/ra-agent.pem",
              "reason": "O = IPA.SS.LAN, CN = IPA RA\nerror 10 at 0
        depth lookup: certificate has expired\nerror
        /var/lib/ipa/ra-agent.pem: verification failed\n",
              "msg": "Certificate validation for {key} failed: {reason}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "c962600a-5f2e-4000-995e-0d6e2c51bf6c",
            "when": "20250320203351Z",
            "duration": "0.438354",
            "kw": {
              "key": "20240325182332",
              "serial": 41,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/41': [SSL:
        SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate
        expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "524f71a3-92aa-424c-a660-f48efef17684",
            "when": "20250320203351Z",
            "duration": "0.513622",
            "kw": {
              "key": "20240325182333",
              "serial": 37,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/37': [SSL:
        SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate
        expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "c2f9fc6f-0561-45e9-aa2b-c741b893a173",
            "when": "20250320203351Z",
            "duration": "0.591474",
            "kw": {
              "key": "20240325182337",
              "serial": 38,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/38': [SSL:
        SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate
        expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "a373bde5-64bd-4cdb-9db1-4b9a565f6d60",
            "when": "20250320203351Z",
            "duration": "0.667891",
            "kw": {
              "key": "20240325182339",
              "serial": 40,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/40': [SSL:
        SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate
        expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "4adb473e-4604-4f6b-85de-aeda264b2bfd",
            "when": "20250320203352Z",
            "duration": "0.749218",
            "kw": {
              "key": "20240325182340",
              "serial": 1,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/1': [SSL:
        SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert certificate
        expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "3cd2e311-a4cc-47a1-86fa-c80ae7c35535",
            "when": "20250320203352Z",
            "duration": "0.826249",
            "kw": {
              "key": "20240325182341",
              "serial": 805175299,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/805175299':
        [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert
        certificate expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "3355e9e4-e18d-48b5-9a1f-018ea8a02018",
            "when": "20250320203352Z",
            "duration": "0.865347",
            "kw": {
              "key": "20240325182024",
              "serial": 805175298,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/805175298':
        [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert
        certificate expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "43779b90-74cd-4db1-a1b2-19b30f1400ac",
            "when": "20250320203352Z",
            "duration": "0.947838",
            "kw": {
              "key": "20240325182004",
              "serial": 805175297,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/805175297':
        [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert
        certificate expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          },
          {
            "source": "ipahealthcheck.ipa.certs",
            "check": "IPACertRevocation",
            "result": "ERROR",
            "uuid": "76a26aa3-c56f-4984-8abc-c5113d25f2e2",
            "when": "20250320203352Z",
            "duration": "0.992108",
            "kw": {
              "key": "20240325182408",
              "serial": 268304393,
              "error": "cannot connect to
        'https://mserver.example.com:443/ca/rest/certs/268304393':
        [SSL: SSLV3_ALERT_CERTIFICATE_EXPIRED] sslv3 alert
        certificate expired (_ssl.c:2633)",
              "msg": "Request for certificate serial number {serial}
        in request {key} failed: {error}"
            }
          }
        ]

        
===================================================================================

        *[root@mserver]# ipactl -d status*

        [...]

        ipa-custodia Service: RUNNING
        ipa: DEBUG: request POST
        http://mserver.example.com:8080/ca/admin/ca/getStatus
        ipa: DEBUG: request body ''
        ipa: DEBUG: httplib request failed:
        Traceback (most recent call last):
          File
        "/usr/lib/python3.9/site-packages/ipapython/dogtag.py", line
        271, in _httplib_request
            conn.request(method, path, body=request_body,
        headers=headers)
          File "/usr/lib64/python3.9/http/client.py", line 1285, in
        request
            self._send_request(method, url, body, headers,
        encode_chunked)
          File "/usr/lib64/python3.9/http/client.py", line 1331, in
        _send_request
            self.endheaders(body, encode_chunked=encode_chunked)
          File "/usr/lib64/python3.9/http/client.py", line 1280, in
        endheaders
            self._send_output(message_body,
        encode_chunked=encode_chunked)
          File "/usr/lib64/python3.9/http/client.py", line 1040, in
        _send_output
            self.send(msg)
          File "/usr/lib64/python3.9/http/client.py", line 980, in send
            self.connect()
          File "/usr/lib64/python3.9/http/client.py", line 946, in
        connect
            self.sock = self._create_connection(
          File "/usr/lib64/python3.9/socket.py", line 844, in
        create_connection
            raise err
          File "/usr/lib64/python3.9/socket.py", line 832, in
        create_connection
            sock.connect(sa)
        ConnectionRefusedError: [Errno 111] Connection refused
        ipa: DEBUG: Failed to check CA status: cannot connect to
        'http://mserver.example.com:8080/ca/admin/ca/getStatus':
        [Errno 111] Connection refused
        pki-tomcatd Service: STOPPED
        [...]

        
===================================================================================

        *[root@mserver ~]# getcert list*
        Number of certificates and requests being tracked: 9.
        Request ID '20240325182004':
                status: MONITORING
                stuck: no
                key pair storage:
        
type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS
        Certificate
        DB',pinfile='/etc/dirsrv/slapd-IPA-SS-LAN/pwdfile.txt'
                certificate:
        
type=NSSDB,location='/etc/dirsrv/slapd-IPA-SS-LAN',nickname='Server-Cert',token='NSS
        Certificate DB'
                CA: IPA
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=mserver.example.com,O=IPA.SS.LAN
                issued: 2024-03-25 20:20:06 EET
                expires: 2026-03-26 20:20:06 EET
                dns: mserver.example.com
                principal name: ldap/[email protected]
                key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                profile: caIPAserviceCert
                pre-save command:
                post-save command:
        /usr/libexec/ipa/certmonger/restart_dirsrv IPA-SS-LAN
                track: yes
                auto-renew: yes
        Request ID '20240325182024':
                status: MONITORING
                stuck: no
                key pair storage:
        
type=FILE,location='/var/lib/ipa/private/httpd.key',pinfile='/var/lib/ipa/passwds/mserver.example.com-443-RSA'
                certificate:
        type=FILE,location='/var/lib/ipa/certs/httpd.crt'
                CA: IPA
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=mserver.example.com,O=IPA.SS.LAN
                issued: 2024-03-25 20:20:25 EET
                expires: 2026-03-26 20:20:25 EET
                dns: mserver.example.com,ipa-ca.IPA.SS.LAN
                principal name: HTTP/[email protected]
                key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                profile: caIPAserviceCert
                pre-save command:
                post-save command:
        /usr/libexec/ipa/certmonger/restart_httpd
                track: yes
                auto-renew: yes
        Request ID '20240325182332':
                status: CA_WORKING
                stuck: no
                key pair storage:
        type=FILE,location='/var/lib/ipa/ra-agent.key'
                certificate:
        type=FILE,location='/var/lib/ipa/ra-agent.pem'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=IPA RA,O=IPA.SS.LAN
                issued: 2023-02-28 10:59:37 EET
                expires: 2025-02-17 10:59:37 EET
                key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                profile: caSubsystemCert
                pre-save command:
        /usr/libexec/ipa/certmonger/renew_ra_cert_pre
                post-save command:
        /usr/libexec/ipa/certmonger/renew_ra_cert
                track: yes
                auto-renew: yes
        Request ID '20240325182333':
                status: CA_WORKING
                stuck: no
                key pair storage:
        
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
        cert-pki-ca',token='NSS Certificate DB',pin set
                certificate:
        
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=CA Audit,O=IPA.SS.LAN
                issued: 2023-02-28 10:58:37 EET
                expires: 2025-02-17 10:58:37 EET
                key usage: digitalSignature,nonRepudiation
                profile: caSignedLogCert
                pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20240325182337':
                status: CA_WORKING
                stuck: no
                key pair storage:
        
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
        cert-pki-ca',token='NSS Certificate DB',pin set
                certificate:
        
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=OCSP Subsystem,O=IPA.SS.LAN
                issued: 2023-02-28 10:58:47 EET
                expires: 2025-02-17 10:58:47 EET
                eku: id-kp-OCSPSigning
                profile: caOCSPCert
                pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20240325182339':
                status: CA_WORKING
                stuck: no
                key pair storage:
        type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
        cert-pki-ca',token='NSS Certificate DB',pin set
                certificate:
        type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=CA Subsystem,O=IPA.SS.LAN
                issued: 2023-02-28 10:59:27 EET
                expires: 2025-02-17 10:59:27 EET
                key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-kp-clientAuth
                profile: caSubsystemCert
                pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20240325182340':
                status: MONITORING
                stuck: no
                key pair storage:
        type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
        cert-pki-ca',token='NSS Certificate DB',pin set
                certificate:
        type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=Certificate Authority,O=IPA.SS.LAN
                issued: 2017-06-20 18:03:50 EEST
                expires: 2037-06-20 18:03:50 EEST
                key usage:
        digitalSignature,nonRepudiation,keyCertSign,cRLSign
                profile: caCACert
                pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20240325182341':
                status: MONITORING
                stuck: no
                key pair storage:
        type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
        cert-pki-ca',token='NSS Certificate DB',pin set
                certificate:
        type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert
        cert-pki-ca',token='NSS Certificate DB'
                CA: dogtag-ipa-ca-renew-agent
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=mserver.example.com,O=IPA.SS.LAN
                issued: 2024-03-25 20:22:48 EET
                expires: 2026-03-15 20:22:48 EET
                key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku:
        id-kp-serverAuth,id-kp-clientAuth,id-kp-emailProtection
                profile: caServerCert
                pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
                post-save command:
        /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert
        cert-pki-ca"
                track: yes
                auto-renew: yes
        Request ID '20240325182408':
                status: MONITORING
                stuck: no
                key pair storage:
        type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
                certificate:
        type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
                CA: IPA
                issuer: CN=Certificate Authority,O=IPA.SS.LAN
                subject: CN=mserver.example.com,O=IPA.SS.LAN
                issued: 2024-03-25 20:24:13 EET
                expires: 2026-03-26 20:24:13 EET
                dns: mserver.example.com
                principal name: krbtgt/[email protected]
                key usage:
        digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
                eku: id-kp-serverAuth,id-pkinit-KPKdc
                profile: KDCs_PKINIT_Certs
                pre-save command:
                post-save command:
        /usr/libexec/ipa/certmonger/renew_kdc_cert
                track: yes
                auto-renew: yes

===================================================================================

    From your logs,

      * replication between your servers is broken (could be related
        to the expired certs or the cause for expired certs...)
      * on mserver:
          o PKI server not running
          o the shared PKI certificates are expired (Feb 17 2025):
            ra-agent.pem + auditSigningCert cert-pki-ca +
            ocspSigningCert cert-pki-ca + subsystemCert cert-pki-ca

    Can you check which server is the CA renewal master?
    kinit admin
    ipa config-show | grep renewal
      IPA CA renewal master: *server.ipa.test*

    Then you can force the startup of ipa services on mserver:
    ipactl start --ignore-service-failures

    At this point, check if the replication is working (for instance
    with ipa-healthcheck, or by creating a user on mserver and
    ensuring it is present on fserver and vice versa). Then let us
    know the situation; depending on your answers you will have to
    follow one of the sections of
    https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_certificates_in_idm/renewing-expired-system-certificates-when-idm-is-offline_managing-certificates-in-idm#renewing-expired-system-certificates-when-idm-is-offline_managing-certificates-in-idm

    flo


    -- 
    _______________________________________________
    FreeIPA-users mailing list -- [email protected]
    To unsubscribe send an email to
    [email protected]
    Fedora Code of Conduct:
    https://docs.fedoraproject.org/en-US/project/code-of-conduct/
    List Guidelines:
    https://fedoraproject.org/wiki/Mailing_list_guidelines
    List Archives:
    
https://lists.fedorahosted.org/archives/list/[email protected]
    Do not reply to spam, report it:
    https://pagure.io/fedora-infrastructure/new_issue
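Flo's diagnosis above was made by reading the long `getcert list` dump by hand: which tracked certificates are already past their expiry date, and which of those are the shared CA certificates that only the CA renewal master can renew. The script below is an added example for this thread (it is not FreeIPA, certmonger or ipa-healthcheck code) that does the same triage automatically. It parses the plain-text output of `getcert list`, tolerates the line wrapping that mail clients apply to long `nickname=` fields (as seen in the quoted log), and sorts expired entries into shared CA certificates versus per-server ones. The set of shared-CA nicknames, the ra-agent path and the sample request IDs are assumptions for the example; the sample output is constructed, modelled on the mserver dump quoted above.

```python
"""Triage `getcert list` output: which tracked certs are expired, and which of
those are shared CA certs that must be renewed on the CA renewal master.
Added example for the thread, not certmonger/FreeIPA code."""
import re
import sys
from datetime import datetime

# A physical line starts a new field if it looks like "Request ID '...':" or
# "<field name>: ..."; anything else is treated as a wrapped continuation of
# the previous field (e.g. a nickname split over two lines in a mailed log).
_FIELD_RE = re.compile(r"^(Request ID '|[A-Za-z][A-Za-z -]*:)")
_DATE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})")

# Assumption for this example: CA certificates shared by every CA replica,
# which (per flo's message) only the CA renewal master renews. ra-agent.pem is
# tracked as a FILE, so it is matched on its path rather than a nickname.
SHARED_CA_CERTS = {
    "caSigningCert cert-pki-ca",
    "auditSigningCert cert-pki-ca",
    "ocspSigningCert cert-pki-ca",
    "subsystemCert cert-pki-ca",
    "/var/lib/ipa/ra-agent.pem",
}


def _logical_lines(text):
    """Re-join fields that were wrapped onto several physical lines."""
    lines = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if _FIELD_RE.match(line) or not lines:
            lines.append(line)
        else:
            lines[-1] += " " + line
    return lines


def parse_getcert(text):
    """Return one dict per 'Request ID' stanza: id, name, status, stuck, expires."""
    requests, cur = [], None
    for line in _logical_lines(text):
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1), "name": None, "status": None,
                   "stuck": False, "expires": None}
            requests.append(cur)
            continue
        if cur is None:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "status":
            cur["status"] = val
        elif key == "stuck":
            cur["stuck"] = (val == "yes")
        elif key == "expires":
            m = _DATE_RE.match(val)
            if m:  # zone abbreviation (EET/EEST) dropped: day-granularity check
                cur["expires"] = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
        elif key == "certificate":
            # NSSDB entries carry nickname='...', FILE entries only location='...'
            m = re.search(r"nickname='([^']+)'", val) or re.search(r"location='([^']+)'", val)
            if m:
                cur["name"] = m.group(1)
    return requests


def summarize(text, now):
    """Split expired certs into shared-CA (renewal master) and per-server lists."""
    if isinstance(now, str):
        now = datetime.strptime(now, "%Y-%m-%d %H:%M:%S")
    reqs = parse_getcert(text)
    expired = [r for r in reqs if r["expires"] is not None and r["expires"] <= now]
    return {
        "renewal_master": [r["name"] for r in expired if r["name"] in SHARED_CA_CERTS],
        "per_server": [r["name"] for r in expired if r["name"] not in SHARED_CA_CERTS],
        "stuck": [r["name"] for r in reqs if r["stuck"]],
    }


# Constructed sample modelled on the mserver dump quoted in the thread (the
# subsystemCert request ID is made up); the caSigningCert nickname is wrapped
# the way the mailed log was, to exercise the continuation-line handling.
SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20240325182339':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2025-02-17 10:59:27 EET
        profile: caSubsystemCert
Request ID '20240325182340':
        status: MONITORING
        stuck: no
        certificate:
type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert
cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2037-06-20 18:03:50 EEST
        profile: caCACert
Request ID '20240325182341':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-ca-renew-agent
        expires: 2026-03-15 20:22:48 EET
        profile: caServerCert
"""

if __name__ == "__main__":
    # usage: getcert list > getcert.txt && python3 getcert_triage.py getcert.txt
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for kind, names in summarize(text, datetime.now()).items():
        print(f"{kind}: {', '.join(names) if names else '-'}")
```

Run against the real dump on each server (`getcert list > getcert.txt`) and compare: if the `renewal_master` list is non-empty on the server that `ipa config-show` names as renewal master, the offline-renewal section of the linked Red Hat document applies; entries under `stuck` are the ones certmonger has given up on and will not retry without a `getcert resubmit`.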