[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
Tomasz Torcz
tomek at pipebreaker.pl
Wed Jun 22 08:28:12 UTC 2016
On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
> > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
> > > >
> > > > How to fix those?
> > >
> > > You'll need to look at the dogtag debug log for the reason it threw a 500,
> > > it's in /var/log/pki-tomcat/ca or something close to that.
> >
> >
> > I've looked into the logs but I'm not wiser. Is there a setting to get
> > rid of the Java traceback from the logs and get more useful messages? There seems
> > to be a problem with the SSL connection to port 636, maybe because it seems to use
> > an expired certificate?
>
> Not that I know of. The debug log is sure a firehose but you've identified
> the problem.
>
> > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > verify error:num=10:certificate has expired
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > notAfter=Nov 17 12:19:28 2015 GMT
> > verify return:1
> > DONE
>
> Run getcert list and look at the expiration dates. What you want to do is
> kill ntpd, set the date back to say a week before the oldest date, restart
> the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> This should force a renewal attempt.
Expiration dates look fine:
root at okda ~$ getcert list
Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
	status: CA_UNREACHABLE
	ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
	subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
	expires: 2017-12-10 19:44:31 UTC
	principal name: HTTP/okda.pipebreaker.pl at PIPEBREAKER.PL
	key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command:
	post-save command: /usr/lib64/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
It's in 2017. The output seems quite short; on the other replica "getcert list" returns 9 certificates.
P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't
make it into FreeIPA 4.4.0 alpha. :-(
--
Tomasz Torcz                    Once you've read the dictionary,
xmpp: zdzichubg at chrome.pl    every other book is just a remix.
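The check the thread does by hand (read `getcert list`, look for requests that are not MONITORING, compare the expiry dates to today) as a small parser, added here as an example and not code from the thread, from FreeIPA or from certmonger. The sample input is constructed from the output quoted above; the second request (a 389-ds Server-Cert) and its NSS DB path are assumed, not taken from the thread.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample modelled on the thread's getcert output; the second request
# (the 389-ds Server-Cert) and its NSS DB path are assumed, not from the thread.
SAMPLE = """\
Number of certificates and requests being tracked: 2.
Request ID '20131116123125':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
\texpires: 2017-12-10 19:44:31 UTC
Request ID '20131116123126':
\tstatus: MONITORING
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-PIPEBREAKER-PL',nickname='Server-Cert',token='NSS Certificate DB'
\tsubject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
\texpires: 2015-11-17 12:19:28 UTC
"""

# Date of the thread, used as a fixed "now" so results are reproducible.
THREAD_DATE = datetime(2016, 6, 22, tzinfo=timezone.utc)

def parse_getcert(text):
    """Split `getcert list` output into one dict of field -> value per request."""
    entries, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key] = value.strip()
    return entries

def findings(entries, now, warn_days=30):
    """Return (request_id, reason) pairs for certs that are unhealthy or near expiry."""
    out = []
    for e in entries:
        rid = e["request_id"]
        if e.get("status") != "MONITORING":  # e.g. CA_UNREACHABLE while certmonger retries
            out.append((rid, "status %s: %s" % (e.get("status"), e.get("ca-error", "-"))))
        if "expires" in e:
            when = datetime.strptime(e["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            if when <= now:
                out.append((rid, "expired on " + e["expires"]))
            elif when - now <= timedelta(days=warn_days):
                out.append((rid, "expires within %d days (%s)" % (warn_days, e["expires"])))
    return out
```

Run against the real output of `getcert list` on each replica and compare the tracked count too; a replica tracking 1 certificate where its sibling tracks 9 is itself worth a finding.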