[Freeipa-users] IPA 2.2 Certificate Renewal issue

Rob Crittenden rcritten at redhat.com
Tue Jun 7 18:43:10 UTC 2016


Kay Zhou Y wrote:
> Hi Rob,
>
> Actually the certmonger service failed after I restarted it, but even without it being active the two 389-ds and apache certs could be renewed as well... it's weird...
>
> root at ecnshlx3039-test2(SH):~ #systemctl status certmonger
> certmonger.service - Certificate monitoring and PKI enrollment
>            Loaded: loaded (/usr/lib/systemd/system/certmonger.service; disabled)
>            Active: failed (Result: exit-code) since Mon, 23 Jun 2014 00:31:11 +0200; 5s ago
>           Process: 2198 ExecStart=/usr/sbin/certmonger -S -p /var/run/certmonger.pid -n $OPTS (code=exited, status=1/FAILURE)
>            CGroup: name=systemd:/system/certmonger.service
>
> Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: 2014-06-23 00:31:11 [2198] Unable to set well-known bus name "org.fedorahosted.certmonger": (2).
> Jun 23 00:31:11 ecnshlx3039-test2.sh.cn.ao.ericsson.se certmonger[2198]: Error connecting to D-Bus.

I'm not sure why it can't connect to dbus. Is the messagebus service 
running?

> I have already renewed the two 389-ds and apache certs to 20160622; however, there is not enough time for us before expiration, so we are trying to seek other workarounds. One solution for us is to disable the expired certificate according to https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/troubleshooting-servers-and-replicas.html#expired-certs
> After testing, it could work, but the IPA command could not be used. But it seems we can still get data from LDAP.
>
> Is there any other way we could use to disable such expired certs without impact, from your side?

It's possible but it's hacky and it trains people to disregard bad 
certificates.

rob

>
> Thanks for your great support again :)
>
> BR//Kay
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Friday, June 03, 2016 5:34 AM
> To: Kay Zhou Y; freeipa-users at redhat.com
> Cc: Doris Hongmei; Xionglin Gu
> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>
> Kay Zhou Y wrote:
>> Hi Rob,
>>
>> We are using fedora 17.
>> And as you said, when I roll back time to when the CA subsystem and ipaCert are valid and then restart ipactl, "pki-cad at pki-ca.service" is active as normal.
>> But these five certs could not be renewed as before. (Actually I always restart the ipa world after I roll back time, so this "pki-cad at pki-ca.service" should be active, but I just ignored it before...)
>
> With the time rolled back what I'd do is restart certmonger then run in a loop with a 1 second sleep ipa-getcert list and ensure that the statuses are changing to SUBMITTING, etc., and see what the final state is. certmonger logs to syslog so that might give some clues what is happening, and you can watch the dogtag logs to ensure the requests are being received, etc.
>
> rob
>
>>
>> Thanks,
>> BR//Kay
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Wednesday, June 01, 2016 10:37 PM
>> To: Kay Zhou Y; freeipa-users at redhat.com
>> Cc: Doris Hongmei; Xionglin Gu
>> Subject: Re: [Freeipa-users] IPA 2.2 Certificate Renewal issue
>>
>> Kay Zhou Y wrote:
>>> Hi Rob,
>>>
>>> 1.  I have made snapshots of this system for testing, so the NSS databases have been backed up.
>>>
>>> 2.  For the pki-cad service, I can't find it in my system; it shows there is no such service.
>>> But there is one service that failed, as below:
>>>
>>> root at ecnshlx3039-test2(SH):requests #systemctl status pki-cad at pki-ca.service
>>> pki-cad at pki-ca.service - PKI Certificate Authority Server pki-ca
>>>              Loaded: loaded (/lib/systemd/system/pki-cad at .service; enabled)
>>>              Active: failed (Result: exit-code) since Wed, 01 Jun 2016 06:28:53 +0200; 23min ago
>>>             Process: 2675 ExecStop=/usr/bin/pkicontrol stop ca %i (code=exited, status=1/FAILURE)
>>>             Process: 2525 ExecStart=/usr/bin/pkicontrol start ca %i (code=exited, status=0/SUCCESS)
>>>            Main PID: 2593 (code=exited, status=0/SUCCESS)
>>>              CGroup: name=systemd:/system/pki-cad at .service/pki-ca
>>>
>>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>>> Jun 01 06:28:49 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2549]: pam_unix(runuser-l:session): session closed for user pkiuser
>>> Jun 01 06:28:52 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session opened for user pkius...d=0)
>>> Jun 01 06:28:53 ecnshlx3039-test2.sh.cn.ao.ericsson.se runuser[2694]: pam_unix(runuser-l:session): session closed for user pkiuser
>>>
>>> I can't start it normally, and the log just says:
>>> Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: pki-cad at pki-ca.service: control process exited, code=exited status=1
>>> Jun  1 06:54:39 ecnshlx3039-test2 systemd[1]: Unit pki-cad at pki-ca.service entered failed state.
>>>
>>> I will google more to try to start it first.
>>
>> Ok, this is very confusing to me. What distribution are you running? I have the feeling you are running an extremely outdated version of Fedora.
>>
>> Yes, you need the CA up in order to get the certificates renewed. Look at catalina.out, the log "debug" and the selftests log for clues on why it won't start. You also need the PKI-IPA 389-ds instance running.
>>
>> And I guess you were just showing me the service name and such, but of course it won't start today with expired certs.
>>
>>>
>>> 3.  About the source of the output for getcert list:
>>>
>>> root at ecnshlx3039-test2(SH):requests #ll
>>> total 64
>>> -rw-------. 1 root root 5698 Jun  1 06:06 20120704140859
>>> -rw-------. 1 root root 5695 Jun  1 06:06 20120704140922
>>> -rw-------. 1 root root 5654 Jun  1 06:06 20120704141150
>>> -rw-------. 1 root root 5107 Jun  1 06:39 20140605220249
>>> -rw-------. 1 root root 4982 Jun  1 06:39 20160601043748
>>> -rw-------. 1 root root 5144 Jun  1 06:39 20160601043749
>>> -rw-------. 1 root root 5186 Jun  1 06:39 20160601043750
>>> -rw-------. 1 root root 5126 Jun  1 06:39 20160601043751
>>> root at ecnshlx3039-test2(SH):requests #
>>> root at ecnshlx3039-test2(SH):requests #grep post_certsave_command *
>>> 20120704140859:post_certsave_command=/usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
>>> 20120704141150:post_certsave_command=/usr/lib64/ipa/certmonger/restart_httpd
>>> root at ecnshlx3039-test2(SH):requests #grep pre_certsave_command *
>>> root at ecnshlx3039-test2(SH):requests #
>>>
>>> there are just two statements.
>>
>> Ok, that is fine then I think.
>>
>> rob
>>
>
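The polling procedure Rob describes in his June 3 reply (restart certmonger with the clock rolled back, then run `ipa-getcert list` in a loop with a 1 second sleep and watch the statuses move through SUBMITTING and back to MONITORING) written out as a script. This is an added example, not code from the thread or from the FreeIPA or certmonger projects. It assumes `ipa-getcert list` is on PATH when run for real; the two snapshots `SAMPLE_BEFORE` and `SAMPLE_AFTER` are constructed from the `Request ID '…':` / `status:` layout of `getcert list`, reusing the two request IDs and post-save commands quoted in the thread, so the demo runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): watch certmonger's tracking state while
# renewals are in flight and print every status transition per request.
# Assumes `ipa-getcert list` is on PATH for a real run; SAMPLE_BEFORE and
# SAMPLE_AFTER below are constructed snapshots used by the offline demo.

# Reduce `getcert list` output to one "<request id> <status>" line per request.
summarize_requests() {
    awk '
        $1 == "Request" && $2 == "ID" { gsub(/[^0-9]/, "", $3); id = $3 }
        $1 == "status:"               { print id, $2 }
    '
}

# Print status changes between two summaries written by summarize_requests.
# The first file is matched by FILENAME rather than NR==FNR so that an empty
# "before" file (certmonger down, nothing listed) does not make every line of
# the second file look like part of the first.
diff_status() {
    awk '
        FILENAME == ARGV[1] { prev[$1] = $2; next }
        !($1 in prev)       { printf "%s: (new) -> %s\n", $1, $2; next }
        prev[$1] != $2      { printf "%s: %s -> %s\n", $1, prev[$1], $2 }
    ' "$1" "$2"
}

# Poll the list command once per second, reporting transitions, until no
# request remains in a transitional state or max_polls is exhausted.
watch_renewals() {
    cmd="${1:-ipa-getcert list}"
    max_polls="${2:-300}"
    prev=$(mktemp); cur=$(mktemp)
    $cmd | summarize_requests > "$prev"
    cat "$prev"
    i=0
    while [ "$i" -lt "$max_polls" ]; do
        sleep 1
        $cmd | summarize_requests > "$cur"
        diff_status "$prev" "$cur"
        cp "$cur" "$prev"
        # Stop when every request is back in MONITORING or parked on a CA error
        # that needs a human (then read certmonger's syslog output and the
        # dogtag logs, as the thread suggests).
        if ! grep -qvE ' (MONITORING|CA_UNREACHABLE|CA_REJECTED|NEED_GUIDANCE)$' "$cur"; then
            break
        fi
        i=$((i + 1))
    done
    rm -f "$prev" "$cur"
}

# Constructed snapshot in the layout of `getcert list` (request IDs and
# post-save commands are the ones quoted in the thread).
SAMPLE_BEFORE=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20120704140859':
        status: MONITORING
        stuck: no
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv DRUTT-COM
        track: yes
        auto-renew: yes
Request ID '20120704141150':
        status: SUBMITTING
        stuck: no
        post-save command: /usr/lib64/ipa/certmonger/restart_httpd
        track: yes
        auto-renew: yes
EOF
)
# Second constructed snapshot: the httpd request has finished renewing.
SAMPLE_AFTER=$(printf '%s\n' "$SAMPLE_BEFORE" | sed 's/status: SUBMITTING/status: MONITORING/')

# Offline demo: report what changed between the two snapshots.
demo_transitions() {
    before=$(mktemp); after=$(mktemp)
    printf '%s\n' "$SAMPLE_BEFORE" | summarize_requests > "$before"
    printf '%s\n' "$SAMPLE_AFTER"  | summarize_requests > "$after"
    diff_status "$before" "$after"
    rm -f "$before" "$after"
}

# Usage: sh watch_renewals.sh          (offline demo on the constructed snapshots)
#        sh watch_renewals.sh --watch  (poll the real `ipa-getcert list`)
if [ "${1:-}" = "--watch" ]; then watch_renewals; else demo_transitions; fi
```

Run with `--watch` on the server after restarting certmonger; each line printed is one request changing state, so a request that never leaves SUBMITTING or lands in CA_UNREACHABLE points at the CA side (the pki-ca instance and its PKI-IPA 389-ds) rather than at certmonger, and the per-request ID lets you open the matching file under certmonger's requests directory to see its post-save command.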



