[Freeipa-users] Multiple issues (weblogin, DNS) with 4.3.1
Tomasz Torcz
tomek at pipebreaker.pl
Thu Jun 30 10:11:08 UTC 2016
On Wed, Jun 22, 2016 at 10:26:16AM -0400, Rob Crittenden wrote:
> Tomasz Torcz wrote:
> > On Tue, Jun 21, 2016 at 01:38:19PM -0400, Rob Crittenden wrote:
> > > > > > [Sat Jun 18 18:59:11.337717 2016] [wsgi:error] [pid 748083] CertificateOperationError: Certificate operation cannot be completed: Unable to communicate with CMS (Internal Server Error)
> > > > > > [Sat Jun 18 18:59:11.337770 2016] [wsgi:error] [pid 748083]
> > > > > > [Sat Jun 18 18:59:11.338805 2016] [wsgi:error] [pid 748083] ipa: INFO: [jsonserver_session] admin at PIPEBREAKER.PL: cert_find(version=u'2.164'): CertificateOperationError
> > > > > >
> > > > > > How to fix those?
> > > > >
> > > > > You'll need to look at the dogtag debug log for the reason it threw a 500,
> > > > > it's in /var/log/pki-tomcat/ca or something close to that.
> > > >
> > > >
> > > > I've looked into the logs but I'm not wiser. Is there a setting to get
> > > > rid of the java traceback from logs and get more useful messages? There seems
> > > > to be a problem with the SSL connection to port 636, maybe because it seems to use
> > > > an expired certificate?
> > >
> > > Not that I know of. The debug log is sure a firehose but you've identified
> > > the problem.
> > >
> > > > $ echo | openssl s_client -connect okda.pipebreaker.pl:636 | openssl x509 -noout
> > > > depth=1 O = PIPEBREAKER.PL, CN = Certificate Authority
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > verify error:num=10:certificate has expired
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > depth=0 O = PIPEBREAKER.PL, CN = okda.pipebreaker.pl
> > > > notAfter=Nov 17 12:19:28 2015 GMT
> > > > verify return:1
> > > > DONE
> > >
> > > Run getcert list and look at the expiration dates. What you want to do is
> > > kill ntpd, set the date back to say a week before the oldest date, restart
> > > the dirsrv, restart the pki-tomcat/pki-cad service then restart certmonger.
> > > This should force a renewal attempt.
>
> What you need to do is setup certmonger to track all the certificates
> properly and get things renewed. I'm away from my desk so can't provide any
> instructions on how to do this and they depend on whether or not this
> machine is the renewal master.
I've used instructions from
https://www.redhat.com/archives/freeipa-users/2015-October/msg00174.html
to remind certmonger about other certificates. I had to adjust paths:
-d /var/lib/pki/pki-tomcat/alias/
-B /usr/libexec/ipa/certmonger/stop_pkicad
and
-C '/usr/libexec/ipa/certmonger/renew_ca_cert "${nickname}"'
I've rolled back time and I'm waiting for certmonger to refresh
those certs:
Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC
root at okda ca$ date
Thu Nov 5 11:39:41 CET 2015
It's been 2 hours and certificates are still not refreshed.
> > P.S. Unfortunately https://fedorahosted.org/pki/ticket/1752 (Renewing already expired CA certificate) didn't
> > make it into FreeIPA 4.4.0 alpha. :-(
>
> This is unrelated. I seriously doubt your CA is near expiration (my guess is
> it expires in 2033).
I'm not sure about CA certificate itself, but "CA Subsystem" certificate is expired.
As far as I understand, 1752 is about refreshing certs by going directly through socket,
mitigating expired certificates.
--
Tomasz Torcz                     "Funeral in the morning, IDE hacking
xmpp: zdzichubg at chrome.pl      in the afternoon and evening." - Alan Cox
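The thread turns on two things: spotting which certmonger-tracked certificates have already lapsed, and seeing what a rolled-back system clock does to that picture. The following Python check is an added example, not code from the thread, from certmonger or from FreeIPA. It parses `getcert list` output and the `notAfter=` line that `openssl x509 -noout -dates` prints, and reports each certificate's remaining validity against a clock the caller chooses. The sample `getcert list` text is constructed from the excerpt above (field indentation follows certmonger's real output), and the `parse_utc` helper is an assumption of this example.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed sample, modelled on the `getcert list` excerpt quoted in the thread.
GETCERT_SAMPLE = """\
Request ID '20160630083224':
        status: MONITORING
        subject: CN=CA Audit,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:50 UTC
Request ID '20160630083226':
        status: MONITORING
        subject: CN=CA Subsystem,O=PIPEBREAKER.PL
        expires: 2015-11-06 09:42:49 UTC
Request ID '20160630083227':
        status: MONITORING
        subject: CN=okda.pipebreaker.pl,O=PIPEBREAKER.PL
        expires: 2017-10-25 15:20:52 UTC
"""


def parse_utc(value):
    """Turn 'YYYY-MM-DD HH:MM:SS' (optionally suffixed ' UTC') into an aware datetime."""
    if value.endswith(" UTC"):
        value = value[:-4]
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Parse `getcert list` output into one dict per tracking request.

    Each dict carries the request id, every 'key: value' field as a string,
    and 'expires' converted to an aware UTC datetime.
    """
    entries = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ": " not in line:
            continue
        key, _, value = line.partition(": ")
        current[key] = parse_utc(value) if key == "expires" else value
    return entries


def parse_openssl_not_after(line):
    """Parse the 'notAfter=Nov 17 12:19:28 2015 GMT' line from openssl x509 -dates."""
    _, _, value = line.strip().partition("notAfter=")
    # ssl.cert_time_to_seconds understands OpenSSL's '%b %d %H:%M:%S %Y GMT' form.
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def days_until_expiry(entry, now):
    """Whole days left before 'expires' as seen from the clock 'now' (negative if lapsed)."""
    return (entry["expires"] - now).days


def expired_certs(entries, now):
    """Request IDs whose certificate has expired as seen from the clock 'now'."""
    return [e["request_id"] for e in entries if e["expires"] <= now]


def report(entries, now):
    """Human-readable summary of every tracked certificate relative to 'now'."""
    lines = []
    for e in entries:
        state = "EXPIRED" if e["expires"] <= now else "valid"
        lines.append(
            f"{e['request_id']}  {e.get('status', '?'):<10}  {state:<7}  "
            f"{days_until_expiry(e, now):>5} days  {e.get('subject', '?')}"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    tracked = parse_getcert_list(GETCERT_SAMPLE)
    # The real clock at the time of the mail: two CA certificates have lapsed.
    print("=== as of 2016-06-30 ===")
    print(report(tracked, parse_utc("2016-06-30 10:11:08")))
    # The rolled-back clock from the mail (Nov 5 11:39:41 CET == 10:39:41 UTC):
    # everything looks valid again, but the oldest one has less than a day left.
    print("=== as of rolled-back 2015-11-05 ===")
    print(report(tracked, parse_utc("2015-11-05 10:39:41")))
    print("LDAP cert notAfter:",
          parse_openssl_not_after("notAfter=Nov 17 12:19:28 2015 GMT").isoformat())
```

Run against a live host, `getcert list` output can be piped in and `parse_utc` replaced with the current UTC time; the interesting reading is the second report, which shows that the clock in the thread was set back to less than a day before the oldest expiry rather than the week Rob suggested.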