[Freeipa-users] Certificate system unavailable

Sigbjorn Lie sigbjorn at nixtra.com
Fri Jan 31 19:29:07 UTC 2014


Sure thing! I'll send them to you in private.


Regards
Siggi

Dmitri Pal <dpal at redhat.com> wrote:
>On 01/31/2014 10:00 AM, Sigbjorn Lie wrote:
>>
>> On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
>>> Sigbjorn Lie wrote:
>>>
>>>> This worked better than expected. Thank you! :)
>>>>
>>>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer
>>>> displays any certificates out of date, and all certificates in need
>>>> of renewal within 28 days have been renewed. The webui also started
>>>> working again and things seem to be back to normal.
>>>>
>>>> ipa03 however is still having issues. I could not renew any
>>>> certificates on this server to begin with, but I managed to renew
>>>> the certificates for the directory servers by changing the xmlrpc
>>>> url to another ipa server in /etc/ipa/default.conf and resubmitting
>>>> these requests.
>>>>
>>>> "getcert resubmit -i <request-id>" says SUBMITTING and then fails
>>>> with NEED_GUIDANCE after a short while for the certificates for the
>>>> PKI service.
>>>>
>>>> /var/log/messages says: "certmonger: #033[?1034h28800" and "python:
>>>> Updated certificate for ipaCert not available".
>>>>
>>>> There is a lot of information in the /var/log/pki-ca/debug, but
>>>> nothing that I can easily distinguish as an error from all the other
>>>> output. Anything in particular I should look for?
>>> Ok, so this is a bug in IPA related to python readline. Garbage is
>>> getting inserted and causing bad things to happen,
>>> https://fedorahosted.org/freeipa/ticket/4064
>>>
>>> So the question is, are the certs available or not.
>>>
>>> A number of the same certificates are shared amongst all the CAs. One
>>> does the renewal and stuffs the result into
>>> cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs refer to that
>>> location for an updated cert and will load them if they are updated.
>>>
>>> Look to see if the certs are updated there. Given that you have 2
>>> working masters I'm assuming that is the case, so it may just be a
>>> matter of fixing the python.
>>>
>> I could not get anywhere even after manually patching the python
>> script as mentioned in the ticket you provided.
>>
>> I ended up removing and re-adding the replica during a maintenance
>> window. For future reference, what I did was to remove the replica as
>> per the Identity Management Guide on docs.redhat.com. I then
>> re-created the replica installation file and installed the replica.
>>
>> At this point Certmonger managed to retrieve new certificates for the
>> expired certificates, but it kept segfaulting when it attempted to
>> save the certificate to disk. I restarted certmonger a few times, but
>> certmonger just ended up segfaulting over and over. I decided to block
>> the ipa server off the network and change the date back to before the
>> certs expired. After the date was changed I restarted certmonger.
>> Certmonger managed to save the certs successfully this time and a
>> "getcert list" now displays only certificates with an expire date of
>> 2015 or 2016 and a status of MONITORING.
>>
>> I changed the date back to the correct date and time and removed the
>> iptables rules. The replica now works just fine.
>>
>> Thank you for your assistance.
>>
>
>Can you give us some core dumps from certmonger to see why it is
>crashing. We would like to fix crash bugs if we see them.
>
>> Regards,
>> Siggi
>>
>> _______________________________________________
>> Freeipa-users mailing list
>> Freeipa-users at redhat.com
>> https://www.redhat.com/mailman/listinfo/freeipa-users
>
>-- 
>Thank you,
>Dmitri Pal
>
>Sr. Engineering Manager for IdM portfolio
>Red Hat Inc.

-- 
Sent from my Android phone with K-9 Mail. Please excuse my brevity.
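
The thread above turns on reading "getcert list" by hand: checking that every tracked request is in MONITORING, that none are stuck in NEED_GUIDANCE, and that no certificate is within the 28-day renewal window or already past its expiry date. The script below is an added example (not part of this thread, and not FreeIPA or certmonger code) that does the same triage over a constructed sample of getcert output; the request IDs, hostnames and dates in the sample are made up, and the field layout is the tab-indented "key: value" form certmonger prints. It can also be fed real output on stdin.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output: three tracked requests on a
# hypothetical replica. Request IDs, subjects and dates are made up for the
# example; the layout mirrors certmonger's tab-indented field lines.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 3.
Request ID '20130101120000':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-COM',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa01.example.com,O=EXAMPLE.COM
\texpires: 2016-01-01 12:00:00 UTC
\tpre-save command: 
\tpost-save command: 
\ttrack: yes
\tauto-renew: yes
Request ID '20130101120001':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=ipa01.example.com,O=EXAMPLE.COM
\texpires: 2014-02-20 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
Request ID '20130101120002':
\tstatus: NEED_GUIDANCE
\tstuck: yes
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Subsystem,O=EXAMPLE.COM
\texpires: 2014-01-20 12:00:00 UTC
\ttrack: yes
\tauto-renew: yes
"""

# Reference point for the sample run: the date this message was posted.
POSTED_AT = datetime(2014, 1, 31, 19, 29, 7, tzinfo=timezone.utc)

REQUEST_RE = re.compile(r"^Request ID '([^']+)':")


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Each request starts with a "Request ID '...':" line; the lines below it
    are tab-indented "key: value" pairs (some, like pre-save command, empty).
    """
    requests = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith("\t"):
            key, sep, value = line.strip("\t").partition(": ")
            if sep:
                current[key] = value.strip()
    return requests


def check_tracked_certs(requests, now, window=timedelta(days=28)):
    """Return (request_id, reason) findings for anything an admin would act on:
    a status other than MONITORING, the stuck flag, an expiry inside the
    renewal window, or a certificate that has already expired."""
    findings = []
    for r in requests:
        rid = r["request_id"]
        if r.get("status") != "MONITORING":
            findings.append((rid, "status %s" % r.get("status")))
        if r.get("stuck") == "yes":
            findings.append((rid, "stuck"))
        expires = r.get("expires")
        if expires:
            when = datetime.strptime(expires, "%Y-%m-%d %H:%M:%S UTC")
            when = when.replace(tzinfo=timezone.utc)
            if when <= now:
                findings.append((rid, "expired %d days ago" % (now - when).days))
            elif when - now <= window:
                findings.append((rid, "expires in %d days" % (when - now).days))
    return findings


def run_sample_check():
    """Triage the constructed sample as of the posting date."""
    return check_tracked_certs(parse_getcert_list(SAMPLE_GETCERT_LIST), POSTED_AT)


if __name__ == "__main__":
    # Pipe real output in with `getcert list | python3 this_script.py`;
    # without a pipe, the constructed sample is checked instead.
    if sys.stdin.isatty():
        findings = run_sample_check()
    else:
        findings = check_tracked_certs(parse_getcert_list(sys.stdin.read()),
                                       datetime.now(timezone.utc))
    for rid, reason in findings:
        print("%s: %s" % (rid, reason))
    sys.exit(1 if findings else 0)
```

On the sample, the first request is clean, the second is flagged because it falls inside the 28-day window, and the third produces three findings (NEED_GUIDANCE, stuck, already expired), which is the combination ipa03 showed in the thread; the non-zero exit status makes the check usable from cron or a monitoring agent.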