[Freeipa-users] IPA 2.2 Certificate Renewal issue

Rob Crittenden rcritten at redhat.com
Wed Jun 1 14:36:55 UTC 2016


Kay Zhou Y wrote:
> Hi Rob,
>
> 1.  I have made snapshots of this system for testing, so the NSS databases have been backed up.
>
> 2.  For the pki-cad service, I can't find it on my system; it shows there is no such service,
> but there is one service that failed, as below:
>
> root@ecnshlx3039-test2(SH):requests #systemctl status pki-cad@pki-ca.service
> pki-cad@pki-ca.service - PKI Certificate Authority Server pki-ca
>            Loaded: loaded (/lib/systemd/system/pki-cad@.service; enabled)
>            Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>           Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>           Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>          Main PID: 2593 (code=exited, status=0/SUCCESS)
>            CGroup: name=systemd:/system/pki-cad@.service/pki-ca
>
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>
> I can't start it normally; the log just says:
> Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad@pki-ca.service: control process exited, code=exited status=1
> Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad@pki-ca.service entered failed state.
>
> I will google more to try to start it first.

Ok, this is very confusing to me. What distribution are you running? I 
have the feeling you are running an extremely outdated version of Fedora.

Yes, you need the CA up in order to get the certificates renewed. Look 
at catalina.out, the log "debug" and the selftests log for clues on why 
it won't start. You also need the PKI-IPA 389-ds instance running.

And I guess you were just showing me the service name and such, but of 
course it won't start today with expired certs.

>
> 3.  About the source of the output for getcert list:
>
> root@ecnshlx3039-test2(SH):requests #ll
> total 64
> -rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
> -rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
> -rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
> -rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
> -rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
> -rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
> -rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
> -rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
> root@ecnshlx3039-test2(SH):requests #
> root@ecnshlx3039-test2(SH):requests #grep post_certsave_command *
> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
> root@ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
> root@ecnshlx3039-test2(SH):requests #
>
> There are just two statements.

Ok, that is fine then I think.

rob
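As an added example (not code from this thread, nor from FreeIPA or certmonger), the script below does the check Rob asked for in code: it parses certmonger request files like the ones listed under the requests directory above and reports, per tracked certificate, whether it had expired as of a fixed date and which pre/post-save hooks it carries. The key=value field names and the YYYYMMDDHHMMSS `cert_not_after` format are assumed from certmonger's request-file format; the two sample requests are constructed, with shortened PEM bodies.

```python
"""Parse certmonger request files (key=value files under /var/lib/certmonger/requests) and
report which tracked certs are expired and which carry pre/post-save hooks. Added example,
not from the thread or FreeIPA/certmonger; field names assumed, sample requests constructed."""
import re
from datetime import datetime, timezone

FIELD_RE = re.compile(r"^([a-z_][a-z0-9_]*)=(.*)$")
HOOK_KEYS = ("pre_certsave_command", "post_certsave_command")
AS_OF = datetime(2016, 6, 1, tzinfo=timezone.utc)  # the date of the thread above

def parse_request(text):
    """One request file -> dict. The 'cert=' PEM blob spans several lines, so lines
    between BEGIN/END are appended to it rather than read as new keys."""
    fields, last_key, in_pem = {}, None, False
    for line in text.splitlines():
        if in_pem:
            fields[last_key] += "\n" + line
            in_pem = not line.startswith("-----END")
            continue
        m = FIELD_RE.match(line)
        if m:
            last_key, value = m.groups()
            fields[last_key] = value
            in_pem = value.startswith("-----BEGIN")
    return fields

def summarize(fields, now):
    """Reduce a parsed request to what a renewal check needs; cert_not_after is
    YYYYMMDDHHMMSS in UTC (certmonger convention, assumed here)."""
    not_after = datetime.strptime(fields["cert_not_after"], "%Y%m%d%H%M%S")
    return {"id": fields["id"], "nickname": fields.get("cert_nickname"),
            "location": fields.get("cert_storage_location"), "state": fields.get("state"),
            "expired": not_after.replace(tzinfo=timezone.utc) <= now,
            "hooks": {k: fields[k] for k in HOOK_KEYS if k in fields}}

def report(texts, now):
    """Summaries for every request file, ordered by request id."""
    return sorted((summarize(parse_request(t), now) for t in texts), key=lambda r: r["id"])

# Constructed samples: an expired dirsrv cert with a restart hook, and a valid one without.
SAMPLE_REQUESTS = [
    "id=20120704140859\ncert_storage_location=/etc/dirsrv/slapd-EXAMPLE-COM\n"
    "cert_nickname=Server-Cert\ncert_not_after=20140705140859\n"
    "cert=-----BEGIN CERTIFICATE-----\nMIIB==\n-----END CERTIFICATE-----\nstate=MONITORING\n"
    "post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv EXAMPLE-COM\n",
    "id=20160601043748\ncert_storage_location=/etc/httpd/alias\n"
    "cert_nickname=ipaCert\ncert_not_after=20180601043748\nstate=MONITORING\n",
]

if __name__ == "__main__":
    for r in report(SAMPLE_REQUESTS, AS_OF):
        print(r)
```

On a real host, feed `report()` the contents of each file in the requests directory; an expired entry whose hook restarts dirsrv or httpd is the one whose renewal will also bounce that service.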