Hello, I'm having issues with the 3 ipa certificates of type CA: IPA renewing on 2 of 3 replicas. Particularly on the 2 that are not the CA master. The other 5 certificates from getcert list do renew and all certificates on the CA master do look to renew.
Both servers are running ipa-server-3.0.0-50.el6.centos.1.x86_64. I've done full updates and rebooted.

The failed renews look like:

[root@spider01a]$ getcert list -i 20141202144354
Number of certificates and requests being tracked: 8.
Request ID '20141202144354':
        status: CA_UNREACHABLE
        ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01a.iglass.net,O=IGLASS.NET
        expires: 2016-12-02 14:38:45 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
        track: yes
        auto-renew: yes

[root@spider01a]$ getcert list -i 20141202144616
Number of certificates and requests being tracked: 8.
Request ID '20141202144616':
        status: CA_UNREACHABLE
        ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01a.iglass.net,O=IGLASS.NET
        expires: 2016-12-02 14:38:43 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
        track: yes
        auto-renew: yes

[root@spider01a]$ getcert list -i 20141202144733
Number of certificates and requests being tracked: 8.
Request ID '20141202144733':
        status: CA_UNREACHABLE
        ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
        stuck: no
        key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=IGLASS.NET
        subject: CN=spider01a.iglass.net,O=IGLASS.NET
        expires: 2016-12-02 14:38:46 UTC
        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
        eku: id-kp-serverAuth,id-kp-clientAuth
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes

From [root@spider01a]$ getcert resubmit -i 20141202144354

On the replica issuing the resubmit:

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370

==> /var/log/httpd/error_log <==
[Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
[Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/ [email protected]: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/[email protected]', add=True): CertificateOperationError

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
192.168.176.2 - host/[email protected] [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376

==> /var/log/pki-ca/system <==
2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.

On the CA master spider01o:

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370

==> krb5kdc.log <==
Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/[email protected] for ldap/ [email protected]

==> /var/log/httpd/error_log <==
[Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
[Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/ [email protected]: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/[email protected]', add=True): CertificateOperationError

==> /var/log/httpd/access_log <==
192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
192.168.176.2 - host/[email protected] [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349

==> /var/log/pki-ca/system <==
2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found

I realize they expire at the end of the year, but I've had my certificates expire before and would rather not go through that again. Any idea on what's wrong or suggestions on where to look would be appreciated.

Thanks,
Marc
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
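A defender-side check prompted by the output in the post above, added here as an example; it is not part of Marc's message and not code from FreeIPA or certmonger. It parses `getcert list` output, surfaces every request that is not in MONITORING or carries a ca-error (extracting the CA serial the error names), and warns when a tracked certificate is within 90 days of expiry. The sample output, hostname, serials and dates are constructed.

```python
import re
from datetime import datetime, timezone

# Constructed sample modelled on the post's getcert output: one request stuck in
# CA_UNREACHABLE with the "serial number not found" ca-error, one healthy one.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20141202144354':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2016-12-02 14:38:45 UTC
\tpre-save command:
Request ID '20141202144800':
\tstatus: MONITORING
\tkey pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\texpires: 2018-01-15 09:00:00 UTC
"""

def parse_getcert_list(text):
    """Turn `getcert list` output into one {field: value} dict per request."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t") and ":" in line:
            key, val = line.strip().split(":", 1)  # values may contain ':' themselves
            current[key] = val.strip()
    return requests

def _utc(stamp):
    """Parse a getcert-style 'YYYY-MM-DD HH:MM:SS UTC' timestamp."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def audit(requests, now, warn_days=90):
    """(request id, reason) pairs: not MONITORING, any ca-error, or expiring soon."""
    findings = []
    for r in requests:
        status = r.get("status", "")
        if status != "MONITORING":
            findings.append((r["id"], "status " + status))
        if "ca-error" in r:  # surface the CA serial the error names, if any
            serial = re.search(r"serial number (0x[0-9a-fA-F]+)", r["ca-error"])
            findings.append((r["id"], ("ca-error on serial " + serial.group(1)) if serial else "ca-error"))
        if "expires" in r:
            days = (_utc(r["expires"]) - _utc(now)).days
            if days < warn_days:
                findings.append((r["id"], "expires in %d days" % days))
    return findings
```

On a live server, feed it `subprocess.check_output(["getcert", "list"], text=True)` in place of SAMPLE and pass the current UTC time as `now`.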
