[Freeipa-users] IPA v3 Certificate not renewed

Rob Crittenden rcritten at redhat.com
Thu Jun 4 14:37:44 UTC 2015


Junhe Jian wrote:
> Hello everyone,
>
> I'm new here and have a problem with the IPA server.
>
> All certificates on our single IPA server have expired.
>
> Auto-renewal did not work, so I read the docs at
> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal and did it manually.
>
> My server is CentOS 6.4:
>
> [root at be-ipasrv ~]# rpm -qa | grep ipa
> ipa-client-3.0.0-26.el6_4.4.x86_64
> ipa-server-3.0.0-26.el6_4.4.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> ipa-python-3.0.0-26.el6_4.4.x86_64
> libipa_hbac-1.9.2-82.7.el6_4.x86_64
> libipa_hbac-python-1.9.2-82.7.el6_4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-admintools-3.0.0-26.el6_4.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
> ipa-server-selinux-3.0.0-26.el6_4.4.x86_64
>
> I changed the domain name to EXAMPLE.
>
> The 5 requests with CA: dogtag-ipa-renew-agent got new certificates and have
> status MONITORING.
>
> Only the last 3 with CA: IPA (dirsrv-slapd-PKI-IPA, dirsrv-slapd-EXAMPLE,
> /etc/httpd/alias) did not renew; they have status CA_UNREACHABLE.
>
> Number of certificates and requests being tracked: 8.
>
> Request ID '20130528090810':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=CA Audit,O=EXAMPLE.DE
>          expires: 2017-04-29 08:14:24 UTC
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090811':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=OCSP Subsystem,O=EXAMPLE.DE
>          expires: 2017-04-29 08:13:24 UTC
>          eku: id-kp-OCSPSigning
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090812':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=CA Subsystem,O=EXAMPLE.DE
>          expires: 2017-04-29 08:13:24 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command: /usr/lib64/ipa/certmonger/stop_pkicad
>          post-save command: /usr/lib64/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090813':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=IPA RA,O=EXAMPLE.DE
>          expires: 2017-04-29 08:13:24 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/renew_ra_cert
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090814':
>          status: MONITORING
>          stuck: no
>          key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='379816045864'
>          certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>          CA: dogtag-ipa-renew-agent
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=EXAMPLE.de,O=EXAMPLE.DE
>          expires: 2017-04-29 08:13:24 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090822':
>          status: CA_UNREACHABLE
>          ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
>          stuck: yes
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=example.de,O=EXAMPLE.DE
>          expires: 2015-05-29 09:08:22 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-DE
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090849':
>          status: CA_UNREACHABLE
>          ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
>          stuck: yes
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=example.de,O=EXAMPLE.DE
>          expires: 2015-05-29 09:08:49 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090923':
>          status: CA_UNREACHABLE
>          ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)).
>          stuck: yes
>          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=example.de,O=EXAMPLE.DE
>          expires: 2015-05-29 09:09:23 UTC
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>          track: yes
>          auto-renew: yes
>
> Later I updated the OS to CentOS 6.6:
>
> [root at be-ipasrv]# rpm -qa | grep ipa
> sssd-ipa-1.11.6-30.el6_6.4.x86_64
> ipa-admintools-3.0.0-42.el6.centos.x86_64
> ipa-python-3.0.0-42.el6.centos.x86_64
> python-iniparse-0.3.1-2.1.el6.noarch
> libipa_hbac-python-1.11.6-30.el6_6.4.x86_64
> ipa-pki-common-theme-9.0.3-7.el6.noarch
> ipa-server-3.0.0-42.el6.centos.x86_64
> ipa-client-3.0.0-42.el6.centos.x86_64
> ipa-server-selinux-3.0.0-42.el6.centos.x86_64
> libipa_hbac-1.11.6-30.el6_6.4.x86_64
> ipa-pki-ca-theme-9.0.3-7.el6.noarch
>
> I get the same status for the last 3.
>
> Request ID '20130528090822':
>          status: CA_UNREACHABLE
>          ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-DE/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=example.de,O=EXAMPLE.DE
>          expires: 2015-05-29 09:08:22 UTC
>          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090849':
>          status: CA_UNREACHABLE
>          ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=example.de,O=EXAMPLE.DE
>          expires: 2015-05-29 09:08:49 UTC
>          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
>
> Request ID '20130528090923':
>          status: CA_UNREACHABLE
>          ca-error: Server at https://example.de/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=EXAMPLE.DE
>          subject: CN=example.de,O=EXAMPLE.DE
>          expires: 2015-05-29 09:09:23 UTC
>          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command:
>          track: yes
>          auto-renew: yes
>
> I read all the posts on the Red Hat archive and Google. I cannot find a solution.
>
> Does anybody know the issue?

I'd suggest starting with the apache error log, /var/log/httpd/errors. 
That should tell you what the Internal Error is.

rob
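The `getcert list` output quoted above is the evidence this thread turns on, and reading eight double-spaced blocks by hand is error-prone. What follows is an added example, not code from the thread, from FreeIPA or from certmonger: a Python parser for that output format that flags requests whose status is not MONITORING, that certmonger marks stuck, or whose certificate has already expired at a reference time, and groups the failures by the CA helper they submit through. It assumes the field layout shown in the quoted output; the `SAMPLE` text is a constructed, trimmed version of two of the quoted requests, and the names `parse_getcert_list`, `parse_expiry`, `failing_by_ca` and `find_problems` are my own.

```python
"""Flag certmonger tracking requests that need attention.

Added example for this thread, not FreeIPA or certmonger code. It assumes
the quoted `getcert list` layout: "Request ID '<id>':" headers, indented
"key: value" lines, and long values wrapped onto unindented lines.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the thread's layout (trimmed, not a verbatim copy): one
# healthy Dogtag-tracked request and one stuck request using the "IPA" helper.
SAMPLE = """\
Number of certificates and requests being tracked: 2.

Request ID '20130528090810':
         status: MONITORING
         stuck: no
         key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
         CA: dogtag-ipa-renew-agent
         subject: CN=CA Audit,O=EXAMPLE.DE
         expires: 2017-04-29 08:14:24 UTC

Request ID '20130528090822':
         status: CA_UNREACHABLE
         ca-error: Server failed request, will retry: 4301 (RPC failed
at server.  Certificate operation cannot be completed: Unable to
communicate with CMS (Internal Server Error)).
         stuck: yes
         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-DE',nickname='Server-Cert',token='NSS Certificate DB'
         CA: IPA
         subject: CN=example.de,O=EXAMPLE.DE
         expires: 2015-05-29 09:08:22 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '(?P<id>[^']+)':")
FIELD_RE = re.compile(r"^\s+(?P<key>[A-Za-z][A-Za-z -]*):\s?(?P<value>.*)$")


def parse_getcert_list(text):
    """Return one dict per request, keyed by the field names getcert prints."""
    requests, current, last_key = [], None, None
    for line in text.splitlines():
        if not line.strip():
            continue
        m = REQUEST_RE.match(line)
        if m:
            current = {"id": m.group("id")}
            requests.append(current)
            last_key = None
            continue
        if current is None:
            continue  # preamble ("Number of certificates ... being tracked")
        m = FIELD_RE.match(line)
        if m:
            last_key = m.group("key").strip()
            current[last_key] = m.group("value").strip()
        elif last_key is not None:
            # Unindented line: a wrapped continuation of the previous value.
            current[last_key] += " " + line.strip()
    return requests


def parse_expiry(value):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' stamp into an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def failing_by_ca(requests):
    """Group non-MONITORING requests by CA helper; one shared helper points at that path."""
    by_ca = {}
    for req in requests:
        if req.get("status") != "MONITORING":
            by_ca.setdefault(req.get("CA", "?"), []).append(req["id"])
    return by_ca


def find_problems(requests, now, warn_days=30):
    """Return (request id, reason) pairs that need an operator's attention at `now`."""
    problems = []
    for req in requests:
        rid, status = req["id"], req.get("status", "")
        if status != "MONITORING":
            problems.append((rid, "status %s: %s" % (status, req.get("ca-error", "no ca-error recorded"))))
        if req.get("stuck") == "yes":
            problems.append((rid, "stuck: certmonger is not retrying on its own"))
        if "expires" in req:
            exp = parse_expiry(req["expires"])
            if exp <= now:
                problems.append((rid, "expired on %s" % req["expires"]))
            elif (exp - now).days < warn_days:
                problems.append((rid, "expires within %d days (%s)" % (warn_days, req["expires"])))
    return problems


if __name__ == "__main__":
    now = parse_expiry("2015-06-04 14:37:44 UTC")  # date of the reply in this thread
    for rid, reason in find_problems(parse_getcert_list(SAMPLE), now):
        print("%s  %s" % (rid, reason))
    print("failing, grouped by CA helper:", failing_by_ca(parse_getcert_list(SAMPLE)))
```

Run as a script with the reply's date as the reference time, the report shows what the thread shows: the Dogtag-tracked audit certificate is healthy, while the `CA: IPA` request is CA_UNREACHABLE, stuck and already expired. The grouping is the part a defender wants. When every failing request goes through the `IPA` helper while the RA certificate (`ipaCert`) that the IPA server uses towards Dogtag renewed fine, the fault is on the IPA server's path to the CA rather than in the individual certificates; the `IPA` helper submits through the server's `/ipa/xml` endpoint (visible in the second listing's ca-error), and "Unable to communicate with CMS" is that server failing to reach Dogtag, which is why Rob points at the Apache error log. For live use, feed the function the output of `getcert list` instead of `SAMPLE`.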



