[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Mon Jan 13 15:34:30 UTC 2014


Sigbjorn Lie wrote:
>
>
>
> On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>
>>> Hi,
>>>
>>>
>>> I seem to have issues with the certificate system on my IPA installation. Looking up hosts in
>>> the IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno -8015] error
>>> (-8015) unknown".
>>>
>>> I also notice that hosts says the certificate system is unavailable.
>>>
>>>
>>> certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate
>>> operation cannot be completed: Failure decoding Certificate Signing Request).
>>>
>>>
>>> Looking at the pki-ca logs on the ipa servers I see that some selftest failed:
>>>
>>>
>>> # tail -100 selftests.log
>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
>>> 28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence: CA is present
>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs verification failure
>>> 28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
>>>
>>> the pki-cad service is running and "pki-cad status" displays the ports available.
>>> /etc/init.d/pki-cad status
>>> pki-ca (pid 28697) is running...                           [  OK  ]
>>>
>>>
>>> My main concern is that the certmonger requests for renewal of the LDAP certificates on 2 out of
>>> 3 of the IPA servers have failed, and the current certificate is expiring the 19th of January,
>>> under a week from now.
>>>
>>> Do you have any suggestions to where I can start troubleshooting this issue?
>>>
>>
>> Check the trust on the audit certificate:
>>
>>
>> # certutil -L -d /var/lib/pki-ca/alias/
>> ...
>> auditSigningCert cert-pki-ca                                 u,u,Pu
>>
>> If the trust is not u,u,Pu then you can fix it with:
>>
>>
>> # certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca'
>> -t u,u,Pu
>>
>>
>> Then restart the CA and it should be ok.
>>
>
> Looks like this certificate is expired. This is the same output on all 3 of the ipa servers.
>
> How can this be fixed?
>
>
> # certutil -L -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca"
> Certificate:
>      Data:
>          Version: 3 (0x2)
>          Serial Number: 5 (0x5)
>          Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
>          Issuer: "CN=Certificate Authority,O=DNS.DOMAIN"
>          Validity:
>              Not Before: Thu Jan 19 19:44:24 2012
>              Not After : Wed Jan 08 19:44:24 2014
>
>

Go back in time to the 7th or 8th and run:

# getcert resubmit -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"

There may be other certs in a similar situation. getcert list will show you.

rob
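An added example for this thread, not code from FreeIPA, Dogtag or certmonger: a small Python check that parses the two kinds of certutil output quoted above (the summary listing with trust attributes, and the per-nickname detail dump with its Validity block) and flags the two conditions Rob points at, a trust setting other than u,u,Pu on "auditSigningCert cert-pki-ca" and a Not After date that is already past or falls within a warning window. The sample outputs are constructed so it runs offline; the audit cert dates are the ones quoted above, while the other nicknames' trust flags and dates, the column layout and the 13 January 2014 reference time are assumptions.

```python
"""Flag expired or wrongly trusted certificates in a pki-ca NSS database.

Added example for this thread; not code from FreeIPA, Dogtag or certmonger.
It parses constructed samples of what `certutil -L -d <dbdir>` and
`certutil -L -d <dbdir> -n "<nickname>"` print, so it runs offline.
"""
import re
from datetime import datetime, timedelta

# Constructed sample of the summary listing.  Nicknames follow the pki-ca
# naming seen in the thread; the trust flags are made up so that the audit
# signing cert carries the wrong ones.
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
auditSigningCert cert-pki-ca                                 u,u,u
Server-Cert cert-pki-ca                                      u,u,u
"""

# Constructed per-nickname detail output, trimmed to the Validity block.
# The audit cert dates are the ones quoted in the thread; the Server-Cert
# dates are an assumption chosen to expire within the warning window.
SAMPLE_DETAILS = {
    "auditSigningCert cert-pki-ca": """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Validity:
            Not Before: Thu Jan 19 19:44:24 2012
            Not After : Wed Jan 08 19:44:24 2014
""",
    "Server-Cert cert-pki-ca": """\
Certificate:
    Data:
        Validity:
            Not Before: Thu Jan 19 19:44:24 2012
            Not After : Sun Jan 19 19:44:24 2014
""",
}

# Trust flags the thread says the audit signing cert must carry.
EXPECTED_TRUST = {"auditSigningCert cert-pki-ca": "u,u,Pu"}

# certutil prints validity timestamps like "Wed Jan 08 19:44:24 2014".
NSS_DATE = "%a %b %d %H:%M:%S %Y"

# Reference "now" for the sample run: the day the thread was written (assumed).
REFERENCE_NOW = datetime(2014, 1, 13, 15, 0, 0)


def parse_listing(text):
    """Return {nickname: trust_flags} from the summary listing.

    A data row is a nickname, two or more spaces, then three comma-separated
    flag groups (e.g. "u,u,Pu").  Header and blank lines do not match.
    """
    certs = {}
    row = re.compile(r"^(\S.*?)\s{2,}([A-Za-z]*,[A-Za-z]*,[A-Za-z]*)\s*$")
    for line in text.splitlines():
        m = row.match(line)
        if m:
            certs[m.group(1).strip()] = m.group(2)
    return certs


def parse_not_after(detail_text):
    """Return the 'Not After' timestamp from a per-nickname detail dump."""
    m = re.search(r"Not After\s*:\s*(.+)", detail_text)
    if not m:
        raise ValueError("no 'Not After' field in certutil output")
    return datetime.strptime(m.group(1).strip(), NSS_DATE)


def check_certs(listing_text, details, now, warn_days=14):
    """Return (nickname, problem) pairs: bad trust flags, expired, or expiring."""
    problems = []
    for nick, flags in parse_listing(listing_text).items():
        expected = EXPECTED_TRUST.get(nick)
        if expected and flags != expected:
            problems.append((nick, "trust is %s, expected %s" % (flags, expected)))
        if nick not in details:
            continue  # no detail dump supplied for this nickname
        not_after = parse_not_after(details[nick])
        if not_after <= now:
            problems.append((nick, "expired on %s" % not_after.date()))
        elif not_after - now <= timedelta(days=warn_days):
            left = (not_after - now).days
            problems.append((nick, "expires on %s, in %d days" % (not_after.date(), left)))
    return problems


def run_sample():
    """Run the check over the constructed samples as of REFERENCE_NOW."""
    return check_certs(SAMPLE_LISTING, SAMPLE_DETAILS, REFERENCE_NOW)


if __name__ == "__main__":
    for nick, problem in run_sample():
        print("%-30s %s" % (nick, problem))
```

On a live server the same functions take the real certutil output and the current time; "getcert list", as Rob notes, is the other place to look, since it shows every tracking request certmonger has and whether its last renewal attempt failed.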



