[Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64

Martin Kosek mkosek at redhat.com
Thu Jan 8 19:16:13 UTC 2015


On 01/08/2015 07:54 PM, Rob Crittenden wrote:
> John Desantis wrote:
>> Hello all,
>>
>> I didn't reply to the list, so I'll forward in my response.
>>
>>>>> The only remaining hiccup is now the replica's certmonger service
>>>>> keeps dying while failing to re-issue the "ipaCert" in
>>>>> /etc/httpd/alias.  Log snippets are below:
>>>>>
>>>>> Jan  7 12:17:02 python: certmonger restarted httpd
>>>>> Jan  7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS
>>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>>> Jan  7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS
>>>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>>> Jan  7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS
>>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not
>>>>> saved.
>>>>>
>>>>> The IPA services are running and the machine can be accessed (queries
>>>>> issued, web GUI, etc.)
>>>>>
>>>>> Would anyone have an idea of why a replica would have issues renewing
>>>>> the "ipaCert"?
>>>>
>>>> CCing Jan to advise, he is the most experienced in this area.
>>>
>>> Would file corruption within the file of the "Request ID" in
>>> /var/lib/certmonger/request have anything to do with this?
>>>
>>> autorenew=1
>>> monitor=1
>>> ca_name=dogtag-ipa-retrieve-agent-submit
>>> ca_profile=ipaCert
>>> submitted=20141228050011
>>> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>>>
>>> I checked a few other random client nodes (and the master) and none of
>>> them are showing this corruption in their requests.
>>>
>>> I attempted to fix the corruption (editing the file) and subsequently
>>> restart certmonger with no luck.
>>>
>>> Thanks,
>>> John DeSantis
>>>
>>
>> Thanks,
>> John DeSantis
>>
>
> Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064
>
> The change is quite small, you might try manually changing it.
>
> Then a certmonger restart might fix it.
>
> rob

Ah, yes, this one is nasty. As Rob said, this is likely
https://bugzilla.redhat.com/show_bug.cgi?id=1040009

I would suggest updating to RHEL-6, at least IPA (ipa-3.0.0-38.el6 or later), 
certmonger and selinux-policy as there were related fixes.

HTH,
Martin
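As an added example (not certmonger's or FreeIPA's own code), a small checker for the corruption John describes: it parses certmonger's key=value request files and reports any control bytes, such as the ESC[?1034h terminal escape, in the cert= value, so an affected request file can be found before certmonger fails on it. The request directory path and the sample file are assumptions.

```python
"""Flag control/escape bytes in certmonger request files (added example, not certmonger code).
The request quoted in the thread had cert= prefixed with ESC[?1034h; this reports such bytes."""
import re
import sys
from pathlib import Path

REQUEST_DIR = Path("/var/lib/certmonger/requests")  # assumed default location
CONTROL_BYTES = re.compile(rb"[^\x09\x0a\x0d\x20-\x7e]")  # anything outside printable ASCII
PEM_HEADER = b"-----BEGIN CERTIFICATE-----"
KEY_LINE = re.compile(rb"^([a-z_]+)=(.*)$")  # certmonger's key=value lines

def parse_request(data: bytes) -> dict:
    """Parse the key=value format; a multi-line PEM value is rejoined into one field."""
    fields, current, in_pem = {}, None, False
    for line in data.split(b"\n"):
        if in_pem:  # inside BEGIN/END: continuation lines, never new keys
            fields[current] += b"\n" + line
            in_pem = not line.startswith(b"-----END")
        elif (m := KEY_LINE.match(line)):
            current, fields[current] = m.group(1).decode(), m.group(2)
            in_pem = b"-----BEGIN" in m.group(2)
    return fields

def find_corruption(fields: dict) -> list:
    """Return (field, offset, bytes) for each control byte; also flag a cert= value
    that does not start with the PEM header (the ESC[?1034h prefix from the thread)."""
    problems = [(k, m.start(), m.group())
                for k, v in fields.items() for m in CONTROL_BYTES.finditer(v)]
    cert = fields.get("cert")
    if cert is not None and not cert.startswith(PEM_HEADER):
        problems.append(("cert", 0, cert[:len(PEM_HEADER)]))
    return problems

def scan_dir(directory: Path) -> dict:
    """Map each request file in `directory` to its list of problems (empty = clean)."""
    return {p.name: find_corruption(parse_request(p.read_bytes()))
            for p in sorted(directory.iterdir()) if p.is_file()}

# Constructed sample mirroring the corrupted request quoted above (certificate body abbreviated).
SAMPLE_CORRUPT = (b"autorenew=1\nmonitor=1\nca_name=dogtag-ipa-retrieve-agent-submit\n"
                  b"ca_profile=ipaCert\nsubmitted=20141228050011\n"
                  b"cert=\x1b[?1034h-----BEGIN CERTIFICATE-----\nMIIBsampleBODY==\n"
                  b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    target = Path(sys.argv[1]) if len(sys.argv) > 1 else REQUEST_DIR
    for name, probs in scan_dir(target).items():
        for field, offset, raw in probs:
            print(f"{name}: field {field!r} has suspicious bytes {raw!r} at offset {offset}")
```

Run it as root against the request directory (or pass another directory as the first argument); a clean tree prints nothing.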
