John Desantis wrote:
> Hello all,
>
> I didn't reply to the list, so I'll forward in my response.
>
>>>> The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias. Log snippets are below:
>>>>
>>>> Jan 7 12:17:02 python: certmonger restarted httpd
>>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
>>>>
>>>> The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)
>>>>
>>>> Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?
>>>
>>> CCing Jan to advise, he is the most experienced in this area.
>>
>> Would file corruption within the file of the "Request ID" in /var/lib/certmonger/request have anything to do with this?
>>
>> autorenew=1
>> monitor=1
>> ca_name=dogtag-ipa-retrieve-agent-submit
>> ca_profile=ipaCert
>> submitted=20141228050011
>> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>>
>> I checked a few other random client nodes (and the master) and none of them are showing this corruption in their requests.
>>
>> I attempted to fix the corruption (editing the file) and subsequently restart certmonger with no luck.
>>
>> Thanks,
>> John DeSantis
>>
>
> Thanks,
> John DeSantis
>
> 2015-01-08 13:26 GMT-05:00 John Desantis <[email protected]>:
>> Hello all,
Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064

The change is quite small, you might try manually changing it. Then a certmonger restart might fix it.

rob

>>
>>
>> 2015-01-08 8:10 GMT-05:00 Martin Kosek <[email protected]>:
>>> On 01/07/2015 06:43 PM, John Desantis wrote:
>>>> Hello all,
>>>>
>>>> Just an update on this issue for anyone else who experiences a similar issue.
>>>>
>>>> It looks like the automatic renewal of the certificates failed on our master due to the certmonger service being "stuck". I stopped the service, stopped IPA services, and then reset the date to a few days prior to the expiration. I then (following a mailing list post) restarted IPA and then certmonger. At this point, I checked the status of the certificates and saw that they were changing. Only the "Server-Cert" in /etc/httpd/alias was complaining this time of not being able to contact the CA. Another certmonger service restart corrected the issue.
>>>>
>>>> I can now re-provision nodes accordingly!
>>>
>>> Ok, good to hear!
>>>
>>>>
>>>> The only remaining hiccup is now the replica's certmonger service keeps dying while failing to re-issue the "ipaCert" in /etc/httpd/alias. Log snippets are below:
>>>>
>>>> Jan 7 12:17:02 python: certmonger restarted httpd
>>>> Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>> Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>> Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
>>>>
>>>> The IPA services are running and the machine can be accessed (queries issued, web GUI, etc.)
>>>>
>>>> Would anyone have an idea of why a replica would have issues renewing the "ipaCert"?
>>>
>>> CCing Jan to advise, he is the most experienced in this area.
>>>
>>>>
>>>> Thank you,
>>>> John DeSantis
>>>>
>>>>
>>>> 2015-01-06 15:50 GMT-05:00 John Desantis <[email protected]>:
>>>>> Hello all,
>>>>>
>>>>> Looking at the various online documentation regarding certificate renewals:
>>>>>
>>>>> http://www.freeipa.org/page/Howto/CA_Certificate_Renewal#Procedure_in_IPA_.3C_4.0
>>>>> http://www.freeipa.org/page/Certmonger
>>>>> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Identity_Management_Guide/cas.html
>>>>>
>>>>> I have to admit that I am completely confused on how to proceed given that the links above reference external CAs.
>>>>>
>>>>> The certificate was created in house (no external issuer) from what I can tell (openssl x509 -issuer and via IPA GUI).
>>>>>
>>>>> Thankfully(?), none of the certificates listed via 'getcert list' have a status of "CA_UNREACHABLE", although all of them state "NEED_CSR". I'll paste the contents below, sanitized of course.
>>>>>
>>>>> # getcert list
>>>>> Number of certificates and requests being tracked: 8.
>>>>> Request ID '20130110185936':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE.COM/pwdfile.txt'
>>>>>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE.COM',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>   CA: IPA
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>>   expires: 2015-01-11 18:59:35 UTC
>>>>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>   pre-save command:
>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE.COM
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>> Request ID '20130110190008':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>>>>>   certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>   CA: IPA
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>>   expires: 2015-01-11 19:00:07 UTC
>>>>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>   pre-save command:
>>>>>   post-save command:
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>> Request ID '20130110190034':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>>>>>   CA: IPA
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>>   expires: 2015-01-11 19:00:34 UTC
>>>>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>   pre-save command:
>>>>>   post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>> Request ID '20130410022007':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>   CA: dogtag-ipa-renew-agent
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=CA Audit,O=EXAMPLE.COM
>>>>>   expires: 2014-12-31 18:58:42 UTC
>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>> Request ID '20130410022008':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>>>>>   CA: dogtag-ipa-renew-agent
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=OCSP Subsystem,O=EXAMPLE.COM
>>>>>   expires: 2014-12-31 18:58:41 UTC
>>>>>   eku: id-kp-OCSPSigning
>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>> Request ID '20130410022009':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>>>>>   CA: dogtag-ipa-renew-agent
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=CA Subsystem,O=EXAMPLE.COM
>>>>>   expires: 2014-12-31 18:58:41 UTC
>>>>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>   pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>> Request ID '20130410022010':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>>>>>   certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>>>>>   CA: dogtag-ipa-renew-agent
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=IPA RA,O=EXAMPLE.COM
>>>>>   expires: 2014-12-31 18:59:24 UTC
>>>>>   eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>   pre-save command:
>>>>>   post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>> Request ID '20130410022011':
>>>>>   status: NEED_CSR
>>>>>   stuck: no
>>>>>   key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='377154649534'
>>>>>   certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>>>>>   CA: dogtag-ipa-renew-agent
>>>>>   issuer: CN=Certificate Authority,O=EXAMPLE.COM
>>>>>   subject: CN=ipa.example.com,O=EXAMPLE.COM
>>>>>   expires: 2014-12-31 18:58:41 UTC
>>>>>   eku: id-kp-serverAuth
>>>>>   pre-save command:
>>>>>   post-save command:
>>>>>   track: yes
>>>>>   auto-renew: yes
>>>>>
>>>>> This issue was manifest when I attempted to re-provision a client node.
>>>>> I'll paste the errors reported by Apache:
>>>>>
>>>>> [Tue Jan 06 14:14:47 2015] [error] Bad remote server certificate: -8181
>>>>> [Tue Jan 06 14:14:47 2015] [error] SSL Library Error: -8181 Certificate has expired
>>>>> [Tue Jan 06 14:14:47 2015] [error] Re-negotiation handshake failed: Not accepted by client!?
>>>>>
>>>>> FWIW, all IPA services are running for now.
>>>>>
>>>>> Any guidance would certainly be appreciated! If more information is required, let me know and I'll paste it in a reply.
>>>>>
>>>>> Thank you,
>>>>> John DeSantis
>>>>
>>>
>

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project
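Added example, not code from the thread, from FreeIPA or from certmonger: a small Python checker for the corruption John quotes above, a terminal escape sequence (ESC[?1034h) written in front of the PEM header in a request file's cert= field, so the stored value is no longer clean PEM. It flags control characters in the value, bytes before -----BEGIN CERTIFICATE-----, and a body that does not strictly decode to a DER SEQUENCE. The request-file layout it parses (key=value lines, multi-line values continued on lines that start with a space), the default directory /var/lib/certmonger/requests, and the two sample requests are assumptions made for this example; the base64 body in the samples is a minimal DER SEQUENCE, not a real certificate.

```python
"""Flag certmonger request files whose cert= field has junk before the PEM header.

Added example for this thread, not FreeIPA or certmonger code. Assumptions made
for the example: request files are key=value lines with multi-line values
continued on lines that start with a space, they live under
/var/lib/certmonger/requests, and the sample requests below are constructed.
"""
import base64
import re
import sys
from pathlib import Path

PEM_BEGIN = "-----BEGIN CERTIFICATE-----"
PEM_END = "-----END CERTIFICATE-----"
# Any C0 control character (ESC is 0x1b) or DEL; none of these belong in a PEM value.
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")
PEM_BLOCK = re.compile(re.escape(PEM_BEGIN) + r"(.*?)" + re.escape(PEM_END), re.S)
REQUEST_DIR = Path("/var/lib/certmonger/requests")  # assumed default location


def parse_request(text):
    """Parse key=value lines into a dict; a line starting with whitespace continues the previous value."""
    fields = {}
    key = None
    for line in text.splitlines():
        if line[:1] in (" ", "\t") and key is not None:
            fields[key] += "\n" + line.strip()
        elif "=" in line:
            key, _, value = line.partition("=")
            key = key.strip()
            fields[key] = value
    return fields


def check_cert_field(value):
    """Return a list of problems with a cert= value; an empty list means it looks like clean PEM."""
    problems = []
    if not value:
        return ["cert field is empty"]
    if CONTROL.search(value):
        problems.append("control characters in value (a terminal escape sequence leaked into it)")
    start = value.find(PEM_BEGIN)
    if start < 0:
        problems.append("no PEM BEGIN marker")
    elif start > 0:
        problems.append("%d byte(s) of junk before the PEM header: %r" % (start, value[:start]))
    match = PEM_BLOCK.search(value)
    if match is None:
        if PEM_END not in value:
            problems.append("no PEM END marker")
        return problems
    # Strict base64 decode (no stray characters), then check the DER outer tag.
    body = "".join(match.group(1).split())
    try:
        der = base64.b64decode(body, validate=True)
    except ValueError:
        problems.append("PEM body is not valid base64")
        return problems
    if not der or der[0] != 0x30:
        problems.append("decoded body does not start with a DER SEQUENCE (0x30)")
    return problems


def check_request_text(text):
    """Parse a request file's text and check its cert= field."""
    return check_cert_field(parse_request(text).get("cert", ""))


# Constructed sample data (not from the thread). The base64 body is a minimal
# DER SEQUENCE { INTEGER 1 }, enough to exercise the decoder, not a real cert.
FAKE_BODY = base64.b64encode(bytes([0x30, 0x03, 0x02, 0x01, 0x01])).decode()
CLEAN_REQUEST = (
    "autorenew=1\nmonitor=1\nca_name=dogtag-ipa-retrieve-agent-submit\n"
    "ca_profile=ipaCert\nsubmitted=20141228050011\n"
    "cert=%s\n %s\n %s\n" % (PEM_BEGIN, FAKE_BODY, PEM_END)
)
# The same request with the escape sequence quoted in the thread in front of the header.
CORRUPT_REQUEST = CLEAN_REQUEST.replace("cert=", "cert=\x1b[?1034h", 1)


def main(argv):
    """Check the files named on the command line, or every file in REQUEST_DIR."""
    paths = [Path(p) for p in argv[1:]] or sorted(REQUEST_DIR.glob("*"))
    bad = 0
    for path in paths:
        if not path.is_file():
            continue
        problems = check_request_text(path.read_text(errors="replace"))
        if problems:
            bad += 1
            print(path)
            for problem in problems:
                print("  - " + problem)
    return 1 if bad else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as root on the replica with no arguments to scan the assumed request directory, or pass specific request files; it exits 1 when any file is flagged. The check is read-only: a flagged file is the kind of corruption the thread describes, and the fix Rob points to lives in the linked ticket, not in hand-editing the file.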
