[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1

Tomasz Torcz tomek at pipebreaker.pl
Thu Jun 30 10:11:08 UTC 2016


On Wed, Jun 22, 2016 at 10:26:16AM -0400, Rob Crittenden wrote:
> Tomasz Torcz wrote:
> > On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
> > > > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
> > > > > > 
> > > > > >      How to fix those?
> > > > > 
> > > > > You'll need to look at the dogtag debug log for the reason it threw a 500,
> > > > > it's in /var/log/pki-tomcat/ca or something close to that.
> > > > 
> > > > 
> > > >     I've looked into the logs but I'm not wiser.  Is there a setting to get
> > > > rid of Java tracebacks from the logs and get more useful messages?  There seems
> > > > to be a problem with the SSL connection to port 636, maybe because it seems to use
> > > > an expired certificate?
> > > 
> > > Not that I know of. The debug log is sure a firehose but you've identified
> > > the problem.
> > > 
> > > > $ echo | openssl s_client  -connect okda.pipebreaker.pl:636  | openssl x509 -noout
> > > > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > verify error:num=10:certificate has expired
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > DONE
> > > 
> > > Run getcert list and look at the expiration dates. What you want to do is
> > > kill ntpd, set the date back to say a week before the oldest date, restart
> > > the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> > > This should force a renewal attempt.
> 
> What you need to do is set up certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.


   I've used instructions from 
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
to remind certmonger about other certificates. I had to adjust paths:
-d /var/lib/pki/pki-tomcat/alias/
-B /usr/libexec/ipa/certmonger/stop_pkicad 
and
-C '/usr/libexec/ipa/certmonger/renew_ca_cert "${nickname}"'

I've rolled back time and I'm waiting for certmonger to refresh
those certs:

Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC
root at okda ca$ date
Thu Nov  5 11:39:41 CET 2015

It's been 2 hours and certificates are still not refreshed.


 
> > P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't
> >     make it into FreeIPA 4.4.0 alpha. :-(
> 
> This is unrelated. I seriously doubt your CA is near expiration (my guess is
> it expires in 2033).

  I'm not sure about the CA certificate itself, but the "CA Subsystem" certificate is expired.
As far as I understand, 1752 is about refreshing certs by going directly through the socket,
mitigating expired certificates.

-- 
Tomasz Torcz                "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl    in the afternoon and evening." - Alan Cox
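As an added illustration (not code from the thread or from FreeIPA): a small Python script that parses the `getcert list` output quoted above, finds the oldest expiry, computes the clock Rob suggested (about a week before it), and checks a candidate clock such as the one shown in the post, which is less than a day before expiry. The 28-day renewal window is an assumption about certmonger's default, not something the thread states.

```python
# Added example: sanity-check a rolled-back clock against getcert list output.
import re
from datetime import datetime, timedelta, timezone

# Sample input copied from the post above (three tracked certificates).
GETCERT_OUTPUT = """\
Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC
"""

def parse_getcert(text):
    """Return dicts {id, status, subject, expires} from `getcert list` output."""
    certs = []
    for block in re.split(r"(?m)^Request ID ", text)[1:]:
        entry = {"id": re.match(r"'([^']+)'", block).group(1)}
        for key in ("status", "subject", "expires"):
            m = re.search(rf"^\s*{key}: (.*)$", block, re.M)
            entry[key] = m.group(1).strip() if m else None
        # getcert prints expiry as "YYYY-MM-DD HH:MM:SS UTC"
        entry["expires"] = datetime.strptime(
            entry["expires"], "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)
        certs.append(entry)
    return certs

def oldest_expiry(certs):
    return min(c["expires"] for c in certs)

def suggested_clock(certs, lead=timedelta(days=7)):
    """Rob's advice: set the clock about a week before the oldest expiry."""
    return oldest_expiry(certs) - lead

def expired_at(certs, now):
    """IDs of tracked certs already past notAfter at the given clock."""
    return [c["id"] for c in certs if c["expires"] <= now]

def renewal_due(certs, now, window=timedelta(days=28)):
    """IDs still valid but inside the renewal window (28 days is an assumed default)."""
    return [c["id"] for c in certs if now < c["expires"] <= now + window]
```

Run it against the post's clock (`Thu Nov 5 11:39:41 CET 2015`, i.e. 10:39:41 UTC) and `expired_at` is empty but the margin to the oldest expiry is under a day, whereas `suggested_clock` lands on 2015-10-30.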
