[Freeipa-users] Certificate operation cannot be completed: Unable to communicate with CMS (Not Found)
Sina Owolabi
notify.sina at gmail.com
Tue May 19 22:31:02 UTC 2015
Another key difference I noticed is that the problematic certs have
CA:IPA in them, while the working certs have CA:
dogtag-ipa-retrieve-agent-submit.
getcert list
Number of certificates and requests being tracked: 8.
Request ID '20130524104636':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:33 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104731':
    status: CA_WORKING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=CA Audit,O=MYDOM.COM
    expires: 2015-04-29 23:48:46 UTC
    key usage: digitalSignature,nonRepudiation
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104732':
    status: CA_WORKING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=OCSP Subsystem,O=MYDOM.COM
    expires: 2015-04-29 23:48:45 UTC
    key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
    eku: id-kp-OCSPSigning
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104733':
    status: CA_WORKING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=CA Subsystem,O=MYDOM.COM
    expires: 2015-04-29 23:48:46 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104734':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='386562502473'
    certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2017-04-06 09:41:48 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104828':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:32 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524104917':
    status: CA_UNREACHABLE
    ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=dc.mydom.com,O=MYDOM.COM
    expires: 2015-05-25 10:12:33 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
Request ID '20130524105011':
    status: CA_WORKING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-retrieve-agent-submit
    issuer: CN=Certificate Authority,O=MYDOM.COM
    subject: CN=IPA RA,O=MYDOM.COM
    expires: 2015-04-29 23:49:29 UTC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
    eku: id-kp-serverAuth,id-kp-clientAuth
    pre-save command:
    post-save command:
    track: yes
    auto-renew: yes
On Tue, May 19, 2015 at 10:52 PM, Sina Owolabi <notify.sina at gmail.com> wrote:
> Hi Rob
>
>
> Thanks!
> I noticed that the problematic records have their expiration in the
> future! And I also do not have pki-tomcatd, it's pki-cad.
>
> From getcert list, the troublesome IDs are:
>
> Request ID '20130524104828':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -8053] (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOM-COM/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOM-COM',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MYDOM.COM
>     subject: CN=dc.mydom.com,O=MYDOM.COM
>     expires: 2015-05-25 10:12:32 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
> Request ID '20130524104917':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=MYDOM.COM
>     subject: CN=dc.mydom.com,O=MYDOM.COM
>     expires: 2015-05-25 10:12:33 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command:
>     track: yes
>     auto-renew: yes
>
> On Tue, May 19, 2015 at 4:25 PM, Rob Crittenden <rcritten at redhat.com> wrote:
>> Sina Owolabi wrote:
>>>
>>> Hi Rob
>>>
>>> I've been to the URL but it's a little difficult applying these commands
>>> to RHEL6 systems.
>>> For instance there is no /etc/pki-tomcat directory in RHEL6, and I
>>> cannot find the ipa.crt
>>>
>>> I'm sure as a noob I am overlooking some very obvious stuff, but could
>>> you please guide me on what to do?
>>
>>
>> Sorry, I think I pointed you at the wrong page. Check out
>> http://www.freeipa.org/page/IPA_2x_Certificate_Renewal
>>
>> Your CA subsystem certs are expired, or nearly expired. They are valid for two
>> years. Based on the request ID in the snippet you posted at least some are
>> valid for another few days.
>>
>> What I'd suggest is to send the machine back in time and restart the
>> services. This should bring things up so that certmonger can do the renewal:
>>
>> # ipactl stop
>> # /sbin/service ntpd stop
>> # date 0501hhmm where hhmm are the current hour and minute
>> # ipactl start
>>
>> Hopefully ntpd isn't started by ipactl. If it is then it will undo your
>> going back in time, and you'll need to start the services manually:
>>
>> # service dirsrv@YOURREALM start
>> # service krb5kdc start
>> # service httpd start
>> # service pki-tomcatd start
>>
>> Restart certmonger
>>
>> # service certmonger restart
>>
>> Wait a bit
>>
>> # getcert list
>>
>> Watch the status. They should go to MODIFIED
>>
>> Once done:
>>
>> # ipactl stop
>>
>> Return date to present, either by restarting ntpd or date or whatever method
>> you'd like.
>>
>> I'm taking a completely wild guess on the date to go back to. The expiration
>> date is listed in the getcert output. I'd go back a week before the oldest
>> expiration.
>>
>> rob
>>
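A small audit script for the kind of `getcert list` output posted in this thread, added here as an example; it is not code from the thread or from FreeIPA/certmonger. It parses each tracked request and flags certificates that are already expired or expire within a warning window, which on the listing above separates the already-expired `dogtag-ipa-retrieve-agent-submit` entries (including `ipaCert`, the IPA RA agent cert) from the still-valid `CA: IPA` entries that are failing with `CA_UNREACHABLE`. The sample input is a constructed, trimmed copy of the posted listing, and the reference time is the post's own timestamp.

```python
# Added example (not from the thread): audit `getcert list` output for expired or
# soon-expiring certs. SAMPLE is a constructed, trimmed copy of the post's listing.
from datetime import datetime, timedelta
SAMPLE = """\
Request ID '20130524104917':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://dc.mydom.com/ipa/xml failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://dc.mydom.com:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2015-05-25 10:12:33 UTC
Request ID '20130524105011':
\tstatus: CA_WORKING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-retrieve-agent-submit
\texpires: 2015-04-29 23:49:29 UTC
Request ID '20130524104734':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-renew-agent
\texpires: 2017-04-06 09:41:48 UTC
"""

def parse_getcert(text):
    """One dict per 'Request ID' block; every indented 'key: value' field becomes an entry."""
    records, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID '"):
            current = {"request_id": line.split("'")[1]}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")
            current[key] = value.strip()
    return records

def audit(records, now, warn_days=14):
    """Return (request_id, CA helper, nickname, status, verdict) for certs needing attention."""
    findings = []
    for r in records:
        left = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S UTC") - now
        if left < timedelta(0):
            verdict = "EXPIRED %d days ago" % (-left).days
        elif left < timedelta(days=warn_days):
            verdict = "expires in %d days" % left.days
        else:
            continue  # valid well past the warning window; nothing to report
        nick = r["certificate"].split("nickname='")[1].split("'")[0]
        findings.append((r["request_id"], r["CA"], nick, r["status"], verdict))
    return findings

FINDINGS = audit(parse_getcert(SAMPLE), datetime(2015, 5, 19, 22, 31, 2))
```

Feeding it the live output of `getcert list` on a server and a current `datetime.utcnow()` gives the same report for a real deployment; the status column tells you whether certmonger is still able to reach the CA for the renewal.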