[Freeipa-users] Certificate system unavailable

Rob Crittenden rcritten at redhat.com
Fri Jan 31 19:32:44 UTC 2014


Sigbjorn Lie wrote:
>
>
>
> On Fri, January 17, 2014 16:37, Rob Crittenden wrote:
>> Sigbjorn Lie wrote:
>>
>>>
>>> This worked better than expected. Thank you! :)
>>>
>>>
>>> ipa01 and ipa02 seem to be happy again, "getcert list" no longer displays any certificates out
>>> of date, and all certificates in need of renewal within 28 days have been renewed. The webui also
>>> started working again and things seem to be back to normal.
>>>
>>> ipa03 however is still having issues. I could not renew any certificates on this server to begin
>>> with, but I managed to renew the certificates for the directory servers by changing the xmlrpc
>>> url to another ipa server in /etc/ipa/default.conf and resubmitting these requests.
>>>
>>> "getcert resubmit -i <request-id>" says SUBMITTING and then fails with
>>> NEED_GUIDANCE after a short while for the certificates for the PKI service.
>>>
>>>
>>> /var/log/messages says: "certmonger: #033[?1034h28800" and "python:
>>> Updated certificate for ipaCert not available".
>>>
>>>
>>> There is a lot of information in the /var/log/pki-ca/debug, but nothing
>>> that I can easily distinguish as an error from all the other output. Anything in particular I
>>> should look for?
>>
>> Ok, so this is a bug in IPA related to python readline. Garbage is
>> getting inserted and causing bad things to happen, https://fedorahosted.org/freeipa/ticket/4064
>>
>>
>> So the question is, are the certs available or not.
>>
>>
>> A number of the same certificates are shared amongst all the CAs. One
>> does the renewal and stuffs the result into cn=ca_renewal,cn=ipa,cn=etc,$SUFFIX. The other CAs
>> refer to that location for an updated cert and will load them if they are updated.
>>
>> Look to see if the certs are updated there. Given that you have 2
>> working masters I'm assuming that is the case, so it may just be a matter of fixing the python.
>>
>
> I could not get anywhere even after manually patching the python script as mentioned in the ticket
> you provided.
>
>
> I ended up removing and re-adding the replica during a maintenance window. For future reference,
> what I did was to remove the replica as per the Identity Management Guide on docs.redhat.com. I
> then re-created the replica installation file and installed the replica.
>
> At this point Certmonger managed to retrieve new certificates for the expired certificates, but it
> kept segfaulting when it attempted to save the certificate to disk. I restarted certmonger a few
> times, but certmonger just ended up segfaulting over and over. I decided to block the ipa server
> off the network and change the date back to before the certs expired. After the date was changed I
> restarted certmonger. Certmonger managed to save the certs successfully this time and a "getcert
> list" now displays only certificates with an expiry date of 2015 or 2016 and a status of
> MONITORING.
>
> I changed the date back to the correct date and time and removed the iptables rules. The replica now
> works just fine.
>
> Thank you for your assistance.

Sounds like https://bugzilla.redhat.com/show_bug.cgi?id=1032760

rob
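A check for the cn=ca_renewal entries Rob points to, added here as an example that is not part of the thread: it reads an ldapsearch LDIF dump of the container (assumed to carry each shared certificate as a base64 `userCertificate;binary` value), walks the DER far enough to read notAfter, and reports which stored certs fall inside the 28-day renewal window. Minimal constructed DER skeletons stand in for real certificates so it runs offline.

```python
import base64
from datetime import datetime, timedelta

def der_tlv(buf, pos=0):
    """Decode one DER TLV at pos: (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(body):                                # split a SEQUENCE body into (tag, value) children
    out, pos = [], 0
    while pos < len(body):
        tag, val, pos = der_tlv(body, pos)
        out.append((tag, val))
    return out

def cert_not_after(der):
    """notAfter from tbsCertificate.validity of a DER-encoded X.509 certificate."""
    fields = der_children(der_children(der_tlv(der)[1])[0][1])    # tbsCertificate is child 0
    if fields[0][0] == 0xA0:                                       # optional [0] version field
        fields = fields[1:]
    tag, val = der_children(fields[3][1])[1]                       # serial, sigAlg, issuer, validity
    fmt = "%y%m%d%H%M%SZ" if tag == 0x17 else "%Y%m%d%H%M%SZ"     # UTCTime vs GeneralizedTime
    return datetime.strptime(val.decode(), fmt)

def renewal_report(ldif_text, now, window_days=28):
    """{cn: (notAfter, due)} per entry; due = stored cert expires within window_days of now."""
    report, dn = {}, None
    for line in ldif_text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:]
        elif line.startswith("userCertificate;binary:: ") and dn:   # '::' marks a base64 value
            not_after = cert_not_after(base64.b64decode(line.split(":: ", 1)[1]))
            report[dn.split(",")[0][3:]] = (not_after, not_after <= now + timedelta(days=window_days))
    return report

# Constructed sample: minimal unsigned X.509 skeletons with empty names, not real certificates.
def tlv_encode(tag, body):                             # short length form; sample bodies < 128 bytes
    return bytes([tag, len(body)]) + body
def sample_cert(not_after):
    validity = tlv_encode(0x30, tlv_encode(0x17, b"140101000000Z") + tlv_encode(0x17, not_after))
    tbs = tlv_encode(0x30, tlv_encode(0xA0, tlv_encode(0x02, b"\x02")) + tlv_encode(0x02, b"\x01")
                     + tlv_encode(0x30, b"") + tlv_encode(0x30, b"") + validity + tlv_encode(0x30, b""))
    return tlv_encode(0x30, tbs + tlv_encode(0x30, b"") + tlv_encode(0x03, b"\x00"))
SAMPLE_LDIF = "".join(
    "dn: cn=%s,cn=ca_renewal,cn=ipa,cn=etc,dc=example,dc=com\nuserCertificate;binary:: %s\n\n"
    % (cn, base64.b64encode(sample_cert(na)).decode())
    for cn, na in [("ipaCert", b"160131193244Z"), ("auditSigningCert cert-pki-ca", b"140210000000Z")])
```

Real ldapsearch output folds long base64 lines; dump the container with OpenLDAP's `-o ldif-wrap=no` so each value stays on one line as the parser expects.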