[Freeipa-users] Confused with certificate renewal ipa-server-3.0.0.0-37.el6.x86_64

John Desantis desantis at mail.usf.edu
Thu Jan 8 20:12:27 UTC 2015


Martin, Rob, and Nalin,

The patch worked for me
(https://git.fedorahosted.org/cgit/freeipa.git/commit/?id=1357eade4c5086e6c837a49f3008616317f88e5f),
thank you so much for the assistance!

The process was simple.  I'll quickly outline it for other users faced
with the same issue.

1.)  Apply patch.
2.)  Ensure certmonger wasn't running (in my case it just crashed
after a few minutes);
3.)  Edit the request in question in /var/lib/certmonger/requests to
remove the corruption;
4.)  Restart certmonger.

Again, I really appreciate the assistance on such a great product.
Obviously, there would be pizza and beer if you were all local!

Thanks,
John DeSantis

2015-01-08 14:16 GMT-05:00 Martin Kosek <mkosek at redhat.com>:
> On 01/08/2015 07:54 PM, Rob Crittenden wrote:
>>
>> John Desantis wrote:
>>>
>>> Hello all,
>>>
>>> I didn't reply to the list, so I'll forward in my response.
>>>
>>>>>> The only remaining hiccup is now the replica's certmonger service
>>>>>> keeps dying while failing to re-issue the "ipaCert" in
>>>>>> /etc/httpd/alias.  Log snippets are below:
>>>>>>
>>>>>> Jan  7 12:17:02 python: certmonger restarted httpd
>>>>>> Jan  7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS
>>>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
>>>>>> Jan  7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS
>>>>>> Certificate DB" in database "/etc/httpd/alias" is no longer valid.
>>>>>> Jan  7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS
>>>>>> Certificate DB" in database "/etc/httpd/alias" issued by CA but not
>>>>>> saved.
>>>>>>
>>>>>> The IPA services are running and the machine can be accessed (queries
>>>>>> issued, web GUI, etc.)
>>>>>>
>>>>>> Would anyone have an idea of why a replica would have issues renewing
>>>>>> the "ipaCert"?
>>>>>
>>>>>
>>>>> CCing Jan to advise, he is the most experienced in this area.
>>>>
>>>>
>>>> Would file corruption within the file of the "Request ID" in
>>>> /var/lib/certmonger/request have anything to do with this?
>>>>
>>>> autorenew=1
>>>> monitor=1
>>>> ca_name=dogtag-ipa-retrieve-agent-submit
>>>> ca_profile=ipaCert
>>>> submitted=20141228050011
>>>> cert=ESC[?1034h-----BEGIN CERTIFICATE-----
>>>>
>>>> I checked a few other random client nodes (and the master) and none of
>>>> them are showing this corruption in their requests.
>>>>
>>>> I attempted to fix the corruption (editing the file) and subsequently
>>>> restart certmonger with no luck.
>>>>
>>>> Thanks,
>>>> John DeSantis
>>>>
>>>
>>> Thanks,
>>> John DeSantis
>>>
>>
>>
>> Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064
>>
>> The change is quite small, you might try manually changing it.
>>
>> Then a certmonger restart might fix it.
>>
>> rob
>
>
> Ah, yes, this one is nasty. As Rob said, this is likely
> https://bugzilla.redhat.com/show_bug.cgi?id=1040009
>
> I would suggest updating to RHEL-6, at least IPA (ipa-3.0.0-38.el6 or
> later), certmonger and selinux-policy as there were related fixes.
>
> HTH,
> Martin
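Added example for step 3 of the outline above (not code from the thread or from FreeIPA or certmonger): a small Python helper that reports which keys in a certmonger request file carry a terminal control sequence, such as the ESC[?1034h prefix shown in front of the PEM header, and strips them so the cert= value starts at -----BEGIN CERTIFICATE----- again. The sample request text is constructed from the quoted snippet with a placeholder PEM body; it assumes the ESC is the raw byte 0x1b on disk, that the files live under /var/lib/certmonger/requests, and that certmonger is stopped before any file is rewritten (step 2).

```python
import re
from pathlib import Path

# CSI control sequence: ESC [ parameter bytes, intermediate bytes, final byte.
# ESC[?1034h (xterm "meta mode on") is the one seen in the thread.
ANSI_CSI = re.compile(r"\x1b\[[0-9;?]*[ -/]*[@-~]")

# Constructed request file based on the snippet in the thread.
# The PEM body is a placeholder, not a real certificate.
SAMPLE_REQUEST = (
    "autorenew=1\n"
    "monitor=1\n"
    "ca_name=dogtag-ipa-retrieve-agent-submit\n"
    "ca_profile=ipaCert\n"
    "submitted=20141228050011\n"
    "cert=\x1b[?1034h-----BEGIN CERTIFICATE-----\n"
    "PLACEHOLDERBASE64LINE\n"
    "-----END CERTIFICATE-----\n"
)


def find_corrupt_keys(text):
    """Return the key names whose value contains a terminal control sequence."""
    bad = []
    for line in text.splitlines():
        key, sep, value = line.partition("=")
        if sep and ANSI_CSI.search(value):
            bad.append(key)
    return bad


def clean_request(text):
    """Strip control sequences; return (cleaned_text, number_removed)."""
    return ANSI_CSI.subn("", text)


def cert_header_ok(text):
    """True if the cert= value begins directly with the PEM header."""
    for line in text.splitlines():
        if line.startswith("cert="):
            return line[len("cert="):].startswith("-----BEGIN CERTIFICATE-----")
    return False


def clean_request_file(path, dry_run=True):
    """Clean one request file in place (certmonger stopped). Returns removed count."""
    p = Path(path)
    cleaned, n = clean_request(p.read_text(errors="surrogateescape"))
    if n and not dry_run:
        p.write_text(cleaned, errors="surrogateescape")
    return n


if __name__ == "__main__":
    print("corrupt keys:", find_corrupt_keys(SAMPLE_REQUEST))
    fixed, n = clean_request(SAMPLE_REQUEST)
    print(f"removed {n} sequence(s); cert header ok: {cert_header_ok(fixed)}")
```

To check a whole directory before touching anything, call clean_request_file on each file under /var/lib/certmonger/requests with dry_run left at its default and act only on the ones that report a non-zero count.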



