[Freeipa-users] Certificate system unavailable

Sigbjorn Lie sigbjorn at nixtra.com
Mon Jan 13 15:07:16 UTC 2014


Hi,

Thank you for your prompt reply Rob.


On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
> Sigbjorn Lie wrote:
>
>> Hi,
>>
>>
>> I seem to have issues with the certificate system on my IPA installation. Looking up hosts in the IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno -8015] error (-8015) unknown".
>>
>> I also notice that hosts say the certificate system is unavailable.
>>
>>
>> certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>>
>>
>> Looking at the pki-ca logs on the ipa servers I see that some selftest failed:
>>
>>
>> # tail -100 selftests.log
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence: CA is present
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs verification failure
>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>
>> The pki-cad service is running and "pki-cad status" displays the ports available.
>> /etc/init.d/pki-cad status
>> pki-ca (pid 28697) is running...                           [  OK  ]
>>
>>
>> My main concern is that the certmonger requests for renewal of certificates for LDAP on 2 out of 3 of the IPA servers have failed, and the current certificate is expiring the 19th of January, under a week from now.
>>
>> Do you have any suggestions as to where I can start troubleshooting this issue?
>>
>
> Check the trust on the audit certificate:
>
>
> # certutil -L -d /var/lib/pki-ca/alias/
> ...
> auditSigningCert cert-pki-ca                                 u,u,Pu

All 3 IPA servers return u,u,Pu for auditSigningCert:

# certutil -L -d /var/lib/pki-ca/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u

>
> If the trust is not u,u,Pu then you can fix it with:
>
>
> # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu
>
>
> Then restart the CA and it should be ok.
>

I have restarted the dirsrv for PKI-IPA, and the pki-cad service on all 3 IPA servers.

>
> What is the status on the failed certmonger requests?

After I restarted dirsrv, pki-cad and then httpd on ipa01, the status of the request is now:

Request ID '20120119194518':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=DNS-DOMAIN
	subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
	expires: 2014-01-19 19:45:18 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command:
	track: yes
	auto-renew: yes

However, I cannot find the certificate that's expired?


Regards,
Siggi
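A small health check built around the two commands this thread relies on, `certutil -L` (NSS trust flags) and `getcert list` (certmonger request state). This is an added example, not code from the thread or from FreeIPA; it parses constructed sample output modelled on the listings above, so feed it the real output of those commands on your own servers. The expected trust flags come from the listing above; the 7-day expiry window is an assumption.

```python
import re
from datetime import datetime, timedelta, timezone

# Expected trust flags for the pki-ca NSS database, taken from the thread above.
EXPECTED_TRUST = {"caSigningCert cert-pki-ca": "CTu,Cu,Cu", "auditSigningCert cert-pki-ca": "u,u,Pu"}

def parse_certutil_list(text):
    """Parse `certutil -L -d <dir>` output into {nickname: trust flags}; header lines have no flags."""
    matches = (re.match(r"^(\S.*?)\s{2,}([CTcPpuw]*,[CTcPpuw]*,[CTcPpuw]*)\s*$", l) for l in text.splitlines())
    return {m.group(1): m.group(2) for m in matches if m}
def trust_problems(certs):
    """Nicknames whose flags differ from EXPECTED_TRUST (a missing cert counts as wrong)."""
    return sorted(n for n, t in EXPECTED_TRUST.items() if certs.get(n) != t)
def parse_getcert_list(text):
    """Parse `getcert list` output into one dict of fields per request."""
    reqs = []
    for line in text.splitlines():
        m = re.match(r"^Request ID '([^']+)':", line)
        if m:
            reqs.append({"id": m.group(1)})
        elif reqs and (m := re.match(r"^\s+([\w -]+):\s*(.*)$", line)):
            reqs[-1][m.group(1)] = m.group(2)
    return reqs
def renewal_problems(reqs, now, within_days=7):
    """Map request id -> reasons: not MONITORING, stuck, or expiring within `within_days`."""
    out = {}
    for r in reqs:
        reasons = []
        if r.get("status") != "MONITORING" or r.get("stuck") == "yes":
            reasons.append("status %s, stuck %s" % (r.get("status"), r.get("stuck")))
        if "expires" in r:
            exp = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC")
            if exp.replace(tzinfo=timezone.utc) - now <= timedelta(days=within_days):
                reasons.append("expires " + r["expires"])
        if reasons:
            out[r["id"]] = reasons
    return out

# Constructed samples: the audit cert's flags are deliberately wrong here (u,u,u instead of u,u,Pu).
SAMPLE_CERTUTIL = """\
Certificate Nickname                                         Trust Attributes
caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,u
"""
SAMPLE_GETCERT = """\
Request ID '20120119194518':
\tstatus: CA_UNREACHABLE
\tstuck: yes
\texpires: 2014-01-19 19:45:18 UTC
"""
```

Run `trust_problems(parse_certutil_list(...))` and `renewal_problems(parse_getcert_list(...), now)` against live output; an empty list and an empty dict mean nothing needs attention.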
