[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

Rob Crittenden rcritten at redhat.com
Wed Jun 22 14:26:16 UTC 2016


Tomasz Torcz wrote:
> On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
>>>>> [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
>>>>> [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
>>>>> [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
>>>>>
>>>>>      How to fix those?
>>>>
>>>> You'll need to look at the dogtag debug log for the reason it threw a 500,
>>>> it's in /var/log/pki-tomcat/ca or something close to that.
>>>
>>>
>>>     I've looked into the logs but I'm not wiser.  Is there a setting to get
>>> rid of Java tracebacks from the logs and get more useful messages?  There seems
>>> to be a problem with the SSL connection to port 636, maybe because it seems to use
>>> an expired certificate?
>>
>> Not that I know of. The debug log is sure a firehose but you've identified
>> the problem.
>>
>>> $ echo | openssl s_client  -connect okda.pipebreaker.pl:636  | openssl x509 -noout
>>> depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
>>> verify return:1
>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>> verify error:num=10:certificate has expired
>>> notAfter=Nov 17 12:19:28 2015 GMT
>>> verify return:1
>>> depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
>>> notAfter=Nov 17 12:19:28 2015 GMT
>>> verify return:1
>>> DONE
>>
>> Run getcert list and look at the expiration dates. What you want to do is
>> kill ntpd, set the date back to say a week before the oldest date, restart
>> the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
>> This should force a renewal attempt.
>
> Expiration dates look fine:
>
> root at okda ~$ getcert list
> Number of certificates and requests being tracked: 1.
> Request ID '20131116123125':
>          status: CA_UNREACHABLE
>          ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
>          stuck: no
>          key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>          certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>          CA: IPA
>          issuer: CN=Certificate Authority,O=PIPEBREAKER.PL
>          subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
>          expires: 2017-12-10 19:44:31 UTC
>          principal name: HTTP/okda.pipebreaker.pl at PIPEBREAKER.PL
>          key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>          eku: id-kp-serverAuth,id-kp-clientAuth
>          pre-save command:
>          post-save command: /usr/lib64/ipa/certmonger/restart_httpd
>          track: yes
>          auto-renew: yes
>
>
>    It's in 2017. The output seems quite short; on the other replica "getcert list" returns 9 certificates.

The 503 suggests that the CA didn't come up (service not available). 
This may be due to expired certs.

What you need to do is set up certmonger to track all the certificates 
properly and get things renewed. I'm away from my desk so can't provide 
any instructions on how to do this and they depend on whether or not 
this machine is the renewal master.

> P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't
>     make it into FreeIPA 4.4.0 alpha. :-(

This is unrelated. I seriously doubt your CA is near expiration (my 
guess is it expires in 2033).

rob
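
A defender-side check for the situation discussed above, added here as an example that is not part of the thread: parse `getcert list` output and flag requests that are not in the healthy MONITORING state, certificates that are expired or close to expiry, and a tracked-request count lower than expected (the other replica reported 9). The sample input is constructed from the request quoted in the reply; the function and parameter names are this example's own.

```python
import re
from datetime import datetime, timedelta, timezone
# Constructed sample input, reduced from the `getcert list` output quoted in the thread.
SAMPLE = """Number of certificates and requests being tracked: 1.
Request ID '20131116123125':
         status: CA_UNREACHABLE
         ca-error: Server at https://okda.pipebreaker.pl/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Unable to communicate with CMS (503)).
         stuck: no
         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
         expires: 2017-12-10 19:44:31 UTC
         track: yes
         auto-renew: yes
"""

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and line[:1].isspace() and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first ':' only; URLs keep theirs
            current[key.strip()] = value.strip()
    return requests

def check_requests(requests, now, expected_count=None, warn_days=30):
    """Return (request_id, problem) tuples; '*' marks a host-wide problem."""
    problems = []
    if expected_count is not None and len(requests) != expected_count:
        problems.append(("*", f"{len(requests)} tracked request(s), expected {expected_count}"))
    for r in requests:
        rid = r["request_id"]
        if r.get("status") != "MONITORING":  # certmonger's idle state between renewals
            problems.append((rid, f"status {r.get('status')}: {r.get('ca-error', '')}".rstrip(": ")))
        if "expires" in r:
            when = datetime.strptime(r["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
            if when <= now:
                problems.append((rid, f"expired {r['expires']}"))
            elif when - now < timedelta(days=warn_days):
                problems.append((rid, f"expires within {warn_days} days ({r['expires']})"))
    return problems

def audit(text, today, expected_count=None):
    """Wrapper taking `today` as 'YYYY-MM-DD', as you would pass it on the command line."""
    now = datetime.strptime(today, "%Y-%m-%d").replace(tzinfo=timezone.utc)
    return check_requests(parse_getcert_list(text), now, expected_count)
```

Run it against the real output with `audit(open("getcert.txt").read(), "2016-06-22", expected_count=9)`; on the thread's sample it reports the short tracking list and the CA_UNREACHABLE request, but no expiry problem, which matches the reply's conclusion that the 503 comes from the CA not being up rather than from this certificate.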