[Freeipa-users] CA: IPA certificates not renewing

Rob Crittenden rcritten at redhat.com
Tue Jun 14 15:22:58 UTC 2016


Marc Wiatrowski wrote:
> Hello, I'm having issues with the 3 ipa certificates of type CA: IPA
> renewing on 2 of 3 replicas.  Particularly on the 2 that are not the CA
> master.  The other 5 certificates from getcert list do renew and all
> certificates on the CA master do look to renew.
>
> Both servers are running ipa-server-3.0.0-50.el6.centos.1.x86_64. I've done
> full updates and rebooted.

Can you check on the replication status for each CA?

$ ipa-csreplica-manage list -v ipa.example.com

The hostname is important because including that will show the 
agreements that host has. Do this for each master with a CA.

The CA being asked to do the renewal is unaware of the current serial 
number so it is refusing to proceed.

rob

>
> The failed renews look like:
>
> [root at spider01a]$ getcert list -i 20141202144354
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144354':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:45 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv PKI-IPA
> track: yes
> auto-renew: yes
>
> [root at spider01a]$ getcert list -i 20141202144616
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144616':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: EXCEPTION (Certificate serial number 0x3ffe000f not found)).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-IGLASS-NET/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-IGLASS-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:43 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_dirsrv IGLASS-NET
> track: yes
> auto-renew: yes
>
> [root at spider01a]$ getcert list -i 20141202144733
> Number of certificates and requests being tracked: 8.
> Request ID '20141202144733':
> status: CA_UNREACHABLE
> ca-error: Server at https://spider01a.iglass.net/ipa/xml failed request,
> will retry: 4301 (RPC failed at server.  Certificate operation cannot be
> completed: EXCEPTION (Certificate serial number 0x3ffe0011 not found)).
> stuck: no
> key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=IGLASS.NET
> subject: CN=spider01a.iglass.net,O=IGLASS.NET
> expires: 2016-12-02 14:38:46 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/lib64/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
>
> From
> [root at spider01a]$ getcert resubmit -i 20141202144354
>
> On the replica issuing the resubmit
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:32 -0400] "POST /ipa/xml HTTP/1.1"
> 401 1370
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:33 2016] [error] ipa: ERROR:
> ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Certificate
> serial number 0x3ffe0010 not found)
> [Mon Jun 13 15:49:33 2016] [error] ipa: INFO:
> host/spider01a.iglass.net at IGLASS.NET:
> cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==',
> principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True):
> CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST
> /ca/agent/ca/displayBySerial HTTP/1.1" 200 262
> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:32 -0400]
> "POST /ipa/xml HTTP/1.1" 200 376
>
> ==> /var/log/pki-ca/system <==
> 2508.TP-Processor6 - [13/Jun/2016:15:49:33 EDT] [3] [3] Servlet
> caDisplayBySerial: Error encountered in DisplayBySerial. Error Record
> not found.
>
>
> On the CA master spider01o:
>
> ==> /var/log/httpd/access_log <==
> 192.168.176.2 - - [13/Jun/2016:15:49:33 -0400] "POST /ipa/xml HTTP/1.1"
> 401 1370
>
> ==> krb5kdc.log <==
> Jun 13 15:49:34 spider01o.iglass.net
> krb5kdc[1963](info): TGS_REQ (4 etypes {18 17 16 23}) 192.168.177.2: ISSUE: authtime 1465847372, etypes {rep=18
> tkt=18 ses=18}, host/spider01a.iglass.net at IGLASS.NET for
> ldap/spider01o.iglass.net at IGLASS.NET
>
> ==> /var/log/httpd/error_log <==
> [Mon Jun 13 15:49:34 2016] [error] ipa: ERROR:
> ipaserver.plugins.dogtag.ra.get_certificate(): EXCEPTION (Invalid
> Credential.)
> [Mon Jun 13 15:49:34 2016] [error] ipa: INFO:
> host/spider01a.iglass.net at IGLASS.NET:
> cert_request(u'MIIDsTCCApkCAQAwNDETMBEGA1UEChMKSUdMQVNTLk5FVDEdMBsGA1UEAxMUc3BpZGVyMDFhLml...UVrN8lbKn17V5COjnj6k0mdbz3KptL0UI/l0BPlFBWGN5MFYaDx2F+y6LWv/aXeu2V4E6LA==',
> principal=u'dogtagldap/spider01a.iglass.net at IGLASS.NET', add=True):
> CertificateOperationError
>
> ==> /var/log/httpd/access_log <==
> 192.168.177.2 - - [13/Jun/2016:15:49:34 -0400] "POST
> /ca/agent/ca/displayBySerial HTTP/1.1" 200 235
> 192.168.176.2 - host/spider01a.iglass.net at IGLASS.NET [13/Jun/2016:15:49:33 -0400]
> "POST /ipa/xml HTTP/1.1" 200 349
>
> ==> /var/log/pki-ca/system <==
> 2231.TP-Processor3 - [13/Jun/2016:15:49:34 EDT] [6] [3] Cannot
> authenticate agent with certificate Serial 0x5ffc0008 Subject DN CN=IPA
> RA,O=IGLASS.NET. Error: User not found
>
>
> I realize they expire at the end of the year, but I've had my
> certificates expire before and would rather not go through that again.
> Any idea on what's wrong or suggestions on where to look would be
> appreciated.
>
> Thanks,
> Marc
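As an added example (not part of this thread or of FreeIPA), a small Python triage script that parses `getcert list` output like the records quoted above and pulls out the requests stalled on a "Certificate serial number ... not found" RPC error, reporting the serial the CA could not find, the NSS database holding the cert and the days left before expiry, so the affected hosts can be checked for CA replication problems as Rob suggests. The `SAMPLE` output and the `AS_OF` date are constructed.

```python
import re
from datetime import datetime, timezone
# Constructed `getcert list` excerpt modelled on the thread's records (trimmed to the fields used).
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20141202144354':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://spider01a.iglass.net/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: EXCEPTION (Certificate serial number 0x3ffe0010 not found)).
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2016-12-02 14:38:45 UTC
Request ID '20141202144900':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2016-12-02 14:38:46 UTC
"""
AS_OF = datetime(2016, 6, 14, tzinfo=timezone.utc)  # constructed "today" for the expiry countdown
SERIAL_RE = re.compile(r"Certificate serial number (0x[0-9a-fA-F]+) not found")

def parse_getcert(text):
    """Split `getcert list` output into one dict of 'key: value' fields per tracked request."""
    requests, cur = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.strip().partition(":")
            cur[key.strip()] = val.strip()
    return requests

def missing_serial_requests(text, now=AS_OF):
    """Return (request id, serial the CA could not find, NSS DB, days to expiry) for every
    request stalled on a 'serial number not found' RPC error, i.e. the symptom in the thread."""
    hits = []
    for r in parse_getcert(text):
        m = SERIAL_RE.search(r.get("ca-error", ""))
        if r.get("status") != "CA_UNREACHABLE" or not m:
            continue
        loc = re.search(r"location='([^']*)'", r.get("certificate", ""))
        expires = datetime.strptime(r["expires"].replace(" UTC", ""), "%Y-%m-%d %H:%M:%S")
        days = (expires.replace(tzinfo=timezone.utc) - now).days
        hits.append((r["id"], m.group(1), loc.group(1) if loc else None, days))
    return hits
if __name__ == "__main__":
    for rid, serial, db, days in missing_serial_requests(SAMPLE):
        print(f"{rid}: CA cannot find serial {serial} for {db}; expires in {days} days")
```

On a real replica, feed it `getcert list` output (for example `getcert list | python3 triage.py` after reading stdin instead of `SAMPLE`) and compare the reported serials against what `ipa-csreplica-manage list -v` shows for each CA master.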