[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Mon Jan 13 14:58:24 UTC 2014


Sigbjorn Lie wrote:
> Hi,
>
> I seem to have issues with the certificate system on my IPA installation. Looking up hosts in the
> IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno -8015] error (-8015)
> unknown".
>
> I also notice that hosts says the certificate system is unavailable.
>
>   certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation
> cannot be completed: Failure decoding Certificate Signing Request).
>
>
> Looking at the pki-ca logs on the ipa servers I see that some selftest failed:
>
> # tail -100 selftests.log
> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin
> logger parameters
> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin
> instances
> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin
> instance parameters
> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in
> on-demand order
> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in
> startup order
> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been
> successfully loaded!
> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins
> specified to be executed at startup:
> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence:  CA is present
> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs
> verification failure
> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin
> called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>
> The pki-cad service is running and "pki-cad status" displays the ports available:
> /etc/init.d/pki-cad status
> pki-ca (pid 28697) is running...                           [  OK  ]
>
>
> My main concern is that the certmonger requests for renewal of certificates for LDAP on 2 out of 3
> of the IPA servers have failed, and the current certificate is expiring the 19th of January, under
> a week from now.
>
> Do you have any suggestions to where I can start troubleshooting this issue?

Check the trust on the audit certificate:

# certutil -L -d /var/lib/pki-ca/alias/
...
auditSigningCert cert-pki-ca                                 u,u,Pu

If the trust is not u,u,Pu then you can fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu

Then restart the CA and it should be ok.

What is the status on the failed certmonger requests?

rob
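The trust check Rob describes, written out as an added script that is not part of the thread: it parses the output of `certutil -L` (a constructed sample listing here, not a real NSS database), compares the audit signing cert's flags against the expected u,u,Pu, and prints the corrective `certutil -M` command instead of running it. The function names `check_trust` and `fix_command` are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread: check that a certificate nickname in
# a `certutil -L -d <nssdb>` listing carries the trust flags it needs. The
# expected flags for the audit signing cert (u,u,Pu) and the -M fix are the
# ones given in the reply above.

# check_trust NICKNAME EXPECTED_FLAGS LISTING
#   LISTING is the text printed by `certutil -L`. Prints the flags found for
#   NICKNAME ("missing" if absent) and returns 0 only on an exact match.
check_trust() {
    nick=$1
    want=$2
    listing=$3
    # certutil pads the nickname with spaces and prints the flags as the last
    # field. The nickname itself contains a space, so match on the line prefix
    # followed by a space rather than on $1.
    have=$(printf '%s\n' "$listing" | awk -v n="$nick" '
        substr($0, 1, length(n)) == n && substr($0, length(n) + 1, 1) == " " {
            print $NF; exit
        }')
    [ -n "$have" ] || have=missing
    printf '%s\n' "$have"
    [ "$have" = "$want" ]
}

# fix_command NICKNAME EXPECTED_FLAGS NSSDB
#   Prints (does not run) the certutil -M command that sets the flags.
fix_command() {
    printf "certutil -M -d %s -n '%s' -t %s\n" "$3" "$1" "$2"
}

# Constructed sample listing resembling a pki-ca NSS database in which the
# audit signing cert has lost its P (trusted peer) flag.
SAMPLE_LISTING='Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
Server-Cert cert-pki-ca                                      u,u,u'

# On a live server, replace SAMPLE_LISTING with "$(certutil -L -d /var/lib/pki-ca/alias)".
if ! flags=$(check_trust 'auditSigningCert cert-pki-ca' u,u,Pu "$SAMPLE_LISTING"); then
    echo "audit signing cert trust is '$flags', expected u,u,Pu; fix with:" >&2
    fix_command 'auditSigningCert cert-pki-ca' u,u,Pu /var/lib/pki-ca/alias >&2
fi
```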
