[Freeipa-users] CA: IPA certificates not renewing

Marc Wiatrowski wia at iglass.net
Mon Jun 13 20:05:32 UTC 2016


Hello, I'm having issues with the 3 IPA certificates of type "CA: IPA"
renewing on 2 of 3 replicas, particularly on the 2 that are not the CA
master.  The other 5 certificates from getcert list do renew, and all
certificates on the CA master do look to renew.

Both servers are running ipa-server-3.0.0-50.el6.centos.1.x86_64.  I've done
full updates and rebooted.

The failed renewals look like:

[root@spider01a]$ getcert list -i 20141202144354
Number of certificates and requests being tracked: 8.
Request ID '20141202144354':
status: CA_UNREACHABLE
ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01a.iglass.net,O=IGLASS.NET
expires: 2016-12-02 14:38:45 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
track: yes
auto-renew: yes

[root@spider01a]$ getcert list -i 20141202144616
Number of certificates and requests being tracked: 8.
Request ID '20141202144616':
status: CA_UNREACHABLE
ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01a.iglass.net,O=IGLASS.NET
expires: 2016-12-02 14:38:43 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
track: yes
auto-renew: yes

[root@spider01a]$ getcert list -i 20141202144733
Number of certificates and requests being tracked: 8.
Request ID '20141202144733':
status: CA_UNREACHABLE
ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
stuck: no
key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=IGLASS.NET
subject: CN=spider01a.iglass.net,O=IGLASS.NET
expires: 2016-12-02 14:38:46 UTC
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/lib64/ipa/certmonger/restart_httpd
track: yes
auto-renew: yes


From:
[root@spider01a]$ getcert resubmit -i 20141202144354

On the replica issuing the resubmit:

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 401 1370

==> /var/log/httpd/error_log <==
[Mon Jun 13 15:49:33 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate serial number 0x3ffe0010 not found)
[Mon Jun 13 15:49:33 2016] [error] ipa: INFO: host/spider01a.iglass.net@IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net@IGLASS.NET', add=True): CertificateOperationError

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
192.168.176.2 - host/spider01a.iglass.net@IGLASS.NET [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1" 200 376

==> /var/log/pki-ca/system <==
2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet caDisplayBySerial: Error encountered in DisplayBySerial. Error Record not found.


On the CA master spider01o:

==> /var/log/httpd/access_log <==
192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 401 1370

==> krb5kdc.log <==
Jun 13 15:49:34 spider01o.iglass.net krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18 tkt=18 ses=18}, host/spider01a.iglass.net@IGLASS.NET for ldap/spider01o.iglass.net@IGLASS.NET

==> /var/log/httpd/error_log <==
[Mon Jun 13 15:49:34 2016] [error] ipa: ERROR: ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid Credential.)
[Mon Jun 13 15:49:34 2016] [error] ipa: INFO: host/spider01a.iglass.net@IGLASS.NET: cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==', principal=u'dogtagldap/spider01a.iglass.net@IGLASS.NET', add=True): CertificateOperationError

==> /var/log/httpd/access_log <==
192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
192.168.176.2 - host/spider01a.iglass.net@IGLASS.NET [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1" 200 349

==> /var/log/pki-ca/system <==
2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA RA,O=IGLASS.NET. Error: User not found


I realize they expire at the end of the year, but I've had my certificates
expire before and would rather not go through that again.  Any idea on
what's wrong or suggestions on where to look would be appreciated.

Thanks,
Marc
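The post's `getcert list` output shows the two things an admin wants to catch before a renewal failure turns into an expired certificate: a tracking request whose status is not MONITORING (here CA_UNREACHABLE, with the failing serial buried in the ca-error text) and a certificate that is getting close to its expiry date. The script below is an added example written for this thread, not code from the original message, from certmonger or from FreeIPA. It parses the field layout that `getcert list` prints, as shown above, from a constructed sample (hostnames and the healthy second request are made up; the failing request mirrors the one in the post) and flags requests that are unhealthy, stuck, or inside a warning window.

```python
"""Flag certmonger tracking requests whose renewal is failing or due soon.

Added example for the thread above; not code from the original post, from
certmonger or from FreeIPA. It assumes only the field layout that
`getcert list` prints and reads a constructed sample instead of a live host.
"""
import re
from datetime import datetime, timezone

# Constructed sample in the layout `getcert list` prints: one request stuck in
# CA_UNREACHABLE with a "serial number not found" ca-error (as in the post),
# one healthy request. Hostnames and the second request are made up.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20141202144354':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.test/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
        stuck: no
        certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.TEST
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2016-12-02 14:38:45 UTC
        pre-save command:
        post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
Request ID '20141202144800':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        subject: CN=ipa.example.test,O=EXAMPLE.TEST
        expires: 2017-06-13 10:00:00 UTC
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
SERIAL_RE = re.compile(r"serial number (0x[0-9a-fA-F]+)", re.IGNORECASE)
NSSDB_RE = re.compile(r"location='([^']*)'.*?nickname='([^']*)'")
HEALTHY_STATUSES = {"MONITORING"}  # every other certmonger state needs a look


def parse_getcert_list(text):
    """Return one dict per tracking request, keyed by the getcert field names."""
    requests, current = [], None
    for raw in text.splitlines():
        line = raw.strip()  # getcert indents fields with a tab; mail may wrap them
        match = REQUEST_RE.match(line)
        if match:
            current = {"request_id": match.group(1)}
            requests.append(current)
            continue
        if current is None or ":" not in line:
            continue  # summary header or stray text outside any request block
        key, _, value = line.partition(":")  # ca-error text itself contains ':'
        current[key.strip()] = value.strip()
    return requests


def parse_expiry(value):
    """getcert prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def renewal_problems(requests, now=None, warn_days=30):
    """Flag requests not in MONITORING, marked stuck, or expiring within warn_days."""
    now = now or datetime.now(timezone.utc)
    problems = []
    for req in requests:
        status = req.get("status", "UNKNOWN")
        days_left = (parse_expiry(req["expires"]) - now).days if "expires" in req else None
        serial = SERIAL_RE.search(req.get("ca-error", ""))
        nss = NSSDB_RE.search(req.get("certificate", ""))
        unhealthy = (
            status not in HEALTHY_STATUSES
            or req.get("stuck") == "yes"
            or (days_left is not None and days_left < warn_days)
        )
        if unhealthy:
            problems.append({
                "request_id": req["request_id"],
                "status": status,
                "days_left": days_left,
                "serial_in_error": serial.group(1) if serial else None,
                "nssdb": nss.group(1) if nss else None,
                "nickname": nss.group(2) if nss else None,
            })
    return problems


def report(problems):
    """One line per problem, suitable for cron mail or a monitoring check."""
    return "\n".join(
        f"{p['request_id']} {p['status']} {p['nickname']} in {p['nssdb']}: "
        f"{p['days_left']} days left, serial in ca-error: {p['serial_in_error']}"
        for p in problems
    )


if __name__ == "__main__":
    # On a real server feed `getcert list` output in place of the sample, e.g.
    # subprocess.run(["getcert", "list"], capture_output=True, text=True).stdout
    found = renewal_problems(parse_getcert_list(SAMPLE_GETCERT_OUTPUT))
    print(report(found) or "all tracked certificates healthy")
```

Run from cron on each replica, the non-empty report is the early warning the post is asking for: a request that has left MONITORING shows up months before `expires`, and the serial extracted from ca-error is the value to compare against what the CA master actually has on record.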