[Freeipa-users] Certificate system unavailable

Mon Feb 3 16:32:53 UTC 2014

On 01/31/2014 08:32 PM, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>>
>>
>>
>> On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>
>>>>
>>>> This worked better than expected. Thank you! :)
>>>>
>>>>
>>>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays
>>>> any certificates out
>>>> of date, and all certificates in need of renewal within 28 days has been
>>>> renewed. The webui also
>>>> started working again and things seem to be back to normal.
>>>>
>>>> ipa03 however is still having issues. I could not renew any certificates on
>>>> this server to begin
>>>> with, but I managed to renew the certificates for the directory servers by
>>>> changing the xmlrpc
>>>> url to another ipa server in /etc/ipa/default.conf and resubmitting these
>>>> requests.
>>>>
>>>> "getcert resubmit -i <request-id" says SUBMITTING and the fails with
>>>> NEED_GUIDANCE after a short while for the certificates for the PKI service.
>>>>
>>>>
>>>> /var/log/messages says: "certmonger: #033[?1034h28800" and "python:
>>>> Updated certificate for ipaCert not available".
>>>>
>>>>
>>>> There is a lot of information in the /var/log/pki-ca/debug, but nothing
>>>> that I can easily distinguish as an error from all the other output.
>>>> Anything in particular I
>>>> should look for?
>>>
>>> Ok, so this is a bug in IPA related to python readline. Garbage is
>>> getting inserted and causing bad things to happen,
>>> https://fedorahosted.org/freeipa/ticket/4064
>>>
>>>
>>> So the question is, are the certs available or not.
>>>
>>>
>>> A number of the same certificates are shared amongst all the CAs. One
>>> does the renewal and stuffs the result into
>>> cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs
>>> refer to that location for an updated cert and will load them if they are
>>> updated.
>>>
>>> Look to see if the certs are updated there. Given that you have 2
>>> working masters I'm assuming that is the case, so it may just be a matter of
>>> fixing the python.
>>>
>>
>> I could not get anywhere even after manually patching the python script as
>> mentioned in the ticket
>> you provided.
>>
>>
>> I ended up removing and re-adding the replica during a maintenance window.
>> For future reference,
>> what I did was to remove the replica as per the Identity Management Guide on
>> docs.redhat.com. I
>> then re-created the replica installation file and installed the replica.
>>
>> At this point Certmonger managed to retrieve new certificates for the expired
>> certificates, but it
>> kept segfaulting when it attempted to save the certificate to disk. I
>> restarted certmonger a few
>> times, but certmonger just ended up segfaulting over and over. I decided to
>> block the ipa server
>> off the network and change the date back to before the certs expired. After
>> the date was changed I
>> restarted certmonger. Certmonger managed to save the certs successfully this
>> time and a "getcert
>> list" now displays only certificates with an expire date of 2015 or 2016 and
>> a status of
>> MONTORING.
>>
>> I changed the date back to correct date and time and removed the iptables
>> rules. The replica now
>> works just fine.
>>
>> Thank you for your assistance.
> 
> Sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1032760
> 
> rob

This one might be related as well:
https://bugzilla.redhat.com/show_bug.cgi?id=1040009.

Martin