[Freeipa-users] certificates not renewing CA_UNREACHEABLE

Rob Crittenden rcritten at redhat.com
Fri Sep 16 14:22:01 UTC 2016


Natxo Asenjo wrote:
> hi,
>
>
> On Fri, Sep 16, 2016 at 10:34 AM, Martin Basti <mbasti at redhat.com
> <mailto:mbasti at redhat.com>> wrote:
>
>
>
>     On 16.09.2016 09:38, Natxo Asenjo wrote:
>>     hi,
>>
>>
>>     On Thu, Sep 15, 2016 at 1:03 PM, Natxo Asenjo
>>     <natxo.asenjo at gmail.com <mailto:natxo.asenjo at gmail.com>> wrote:
>>
>>         On Thu, Sep 15, 2016 at 12:49 PM, Martin Basti
>>         <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>>
>>
>>
>>             On 15.09.2016 12:44, Natxo Asenjo wrote:
>>>             hi,
>>>
>>>             On Thu, Sep 15, 2016 at 12:33 PM, Martin Basti
>>>             <mbasti at redhat.com <mailto:mbasti at redhat.com>> wrote:
>>>
>>>
>>>                 Hello,
>>>
>>>                 usually the most information can be found here
>>>                 /var/log/pki/pki-tomcat/ca/debug
>>>
>>>
>>>             mmm, in this CentOS 6.8 system that does not exist:
>>>
>>>             # ls -l /var/log/pki/pki-tomcat/ca/debug
>>>             ls: cannot access /var/log/pki/pki-tomcat/ca/debug: No
>>>             such file or directory
>>>
>>>
>>>             I do have a /var/log/pki-ca/debug
>>>
>>>
>>             Does it contain any information related to your issue?
>>
>>
>>         I have tried renewing the certificate:
>>
>>         ipa-getcert resubmit -i 20121107212513
>>
>>
>>         If I grep that file for that request id I find nothing recent,
>>         just in the ipaserver installation log
>>
>>         # cd /var/log
>>         # grep -ri 20121107212513 *.log
>>         ipaserver-install.log:2012-11-07T21:25:13Z DEBUG stdout=New
>>         tracking request "20121107212513" added.
>>
>>         # grep -ri 20121107212513 pki-ca
>>         #
>>
>>
>>     Any clues?
>>
>>
>>     --
>>     Groeten,
>>     natxo
>
>
>     Sorry, I'm quite lost here; maybe somebody from dogtag can help with
>     what might be the reason for those CA errors.
>
>
>
> do I need to ask in the dogtag list?

You won't find any errors on this in the dogtag logs because it isn't 
getting that far.

The three certs you list are the ones that are renewed via the IPA API (as 
opposed to the subsystem certs renewed directly by dogtag). I think the 
failures are all related. I had someone else report the CSR decoding 
failure; he just restarted IPA and that fixed things for him, though 
it was a rather unsatisfying fix.

What I'd do is this. Assuming each step works, move on to the next.

1. ipa cert-show 1

The serial number is picked more or less at random; we're testing 
connectivity and that the CA is up and operational.

2. I assume that getcert list | grep expire shows all certs currently 
valid? The IPA service certs expire in a month, how about the CA 
subsystem certs?

3. Is this the same server having problems talking to the CA due to the 
other NSS errors? If so, what I'd do is restart httpd, then immediately 
use ipa-getcert to resubmit the requests to try to get into that 
few-minute window.

If this is the same box, you already have debugging enabled, so seeing 
what that shows might be helpful.

rob
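
As an added example (not from this thread, and not FreeIPA or certmonger code), here is a small POSIX shell script that runs the three checks in the order given above and parses `getcert list` output so the requests that are not in MONITORING, and the ones closest to expiry, can be picked out without reading every block by hand. The `ca` column separates the certs renewed through the IPA API (`CA: IPA`) from the subsystem certs handled by dogtag's renew agent, which is the distinction drawn above. The hostnames, request IDs and the embedded sample `getcert list` output are constructed; `date -d` is GNU date and `service httpd restart` is the CentOS 6 form (use `systemctl restart httpd` on 7 and later).

```shell
#!/bin/sh
# Added example, not part of the mailing-list thread or of FreeIPA/certmonger.
# Hostnames, request IDs and the sample `getcert list` output are constructed.

# Constructed sample of `getcert list` output: one IPA-API-renewed service cert
# stuck in CA_UNREACHABLE and one dogtag subsystem cert that is healthy.
sample_getcert_list() {
    cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server at https://ipa.example.com/ipa/xml failed request, will retry: (constructed error text)
        stuck: no
        certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
        CA: IPA
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=ipa.example.com,O=EXAMPLE.COM
        expires: 2016-10-15 21:25:13 UTC
        track: yes
        auto-renew: yes
Request ID '20121107212600':
        status: MONITORING
        stuck: no
        certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
        CA: dogtag-ipa-renew-agent
        issuer: CN=Certificate Authority,O=EXAMPLE.COM
        subject: CN=OCSP Subsystem,O=EXAMPLE.COM
        expires: 2017-09-16 12:00:00 UTC
        track: yes
        auto-renew: yes
EOF
}

# Read `getcert list` output on stdin; print one tab-separated line per request:
# request_id, status, CA helper, expiry ("YYYY-MM-DD HH:MM:SS", UTC).
summarize_requests() {
    awk '
        function emit() { if (id != "") print id "\t" status "\t" ca "\t" expires }
        /^Request ID/     { emit(); id = $0; gsub(/[^0-9]/, "", id); status = ca = expires = "" }
        /^[ \t]*status:/  { status = $2 }
        /^[ \t]*CA:/      { ca = $2 }
        /^[ \t]*expires:/ { expires = $2 " " $3 }
        END               { emit() }
    '
}

# Request IDs whose status is anything other than MONITORING (e.g. CA_UNREACHABLE).
unhealthy_requests() {
    summarize_requests | awk -F'\t' '$2 != "MONITORING" { print $1 }'
}

# Request IDs whose cert expires before REF ("YYYY-MM-DD HH:MM:SS", UTC).
# certmonger prints expiry in that fixed zero-padded form, so a plain string
# comparison orders the timestamps correctly without any date arithmetic.
expiring_before() {
    summarize_requests | awk -F'\t' -v ref="$1" '$4 != "" && $4 < ref { print $1 }'
}

# Live triage, run only as `sh triage.sh live`, so the parsers above can be
# exercised offline. Uses the real FreeIPA/certmonger CLIs; `date -d` is GNU.
triage_live() {
    # 1. Is the CA reachable through the IPA API at all? The serial is arbitrary.
    ipa cert-show 1 >/dev/null || { echo "ipa cert-show failed: CA not reachable"; return 1; }
    # 2. Which requests are unhealthy or expire within 30 days, and who renews them?
    ref=$(date -u -d '+30 days' '+%Y-%m-%d %H:%M:%S')
    printf 'id\tstatus\tca\texpires\n'
    getcert list | summarize_requests
    echo "expiring before $ref:"
    getcert list | expiring_before "$ref"
    # 3. If anything is stuck, restart httpd and resubmit straight away, while
    #    httpd is still inside the window in which it can talk to the CA.
    stuck=$(getcert list | unhealthy_requests)
    [ -n "$stuck" ] || return 0
    service httpd restart   # CentOS 6; `systemctl restart httpd` on 7 and later
    for id in $stuck; do
        ipa-getcert resubmit -i "$id"
    done
}

case "${1:-}" in live) triage_live ;; esac
```

Run it with `sh triage.sh live` on the IPA server; without the argument it only defines the functions, so `getcert list | unhealthy_requests` can be used on its own to list the stuck request IDs before deciding whether a restart is warranted.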
