[Freeipa-users] certificates not renewing CA_UNREACHEABLE

Natxo Asenjo natxo.asenjo at gmail.com
Mon Sep 19 07:05:57 UTC 2016


hi,


On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <rcritten at redhat.com> wrote:

> The 3 certs you list are the ones that are renewed via the IPA API (as
> opposed to the subsystem certs renewed directly by dogtag). I think the
> failures are all related. I had someone else report the CSR decoding
> failure and he just restarted IPA and that fixes things for him though it
> was a rather unsatisfying fix.
>
> What I'd do is this. Assuming each step works, move onto the next.
>
> 1. ipa cert-show 1
>
> The serial # picked more or less at random, we're testing connectivity and
> that the CA is up and operational.
>
> 2. I assume that getcert list | grep expire shows all certs currently
> valid? The IPA service certs expire in a month, how about the CA subsystem
> certs?
>
> 3. Is this the same server having problems talking to the CA due to the
> other NSS errors? If so what I'd do is restart httpd then immediately use
> ipa-getcert to resubmit the requests to try to get into that few minute
> window.
>
> If this is the same box you already have debugging enabled so seeing what
> that shows might be helpful.
>
> rob
>


yes, all certs are valid (see attachment getcert.txt).

So I restarted httpd, I could execute ipa cert-show 1 and get an answer,
immediately after I run

$ sudo ipa-getcert resubmit -i 20121107212513
Resubmitting "20121107212513" to "IPA".

and now the status is the one you see in the attached getcert.txt file. The
server failed request, will retry.

I do not know if it's important, but I saw that the usercertificate
attribute of the pki user admin was expired.

I attach the error_log of httpd as well.

-- 
Groeten,
natxo
-------------- next part --------------
Number of certificates and requests being tracked: 8.
Request ID '20121107212513':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
	expires: 2016-10-12 10:49:24 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL
	track: yes
	auto-renew: yes
Request ID '20121107212532':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
	expires: 2016-10-12 10:49:25 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
Request ID '20121107212548':
	status: CA_UNREACHABLE
	ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://kdc01.unix.iriszorg.nl:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
	stuck: yes
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
	expires: 2016-10-12 10:49:24 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/lib/ipa/certmonger/restart_httpd
	track: yes
	auto-renew: yes
Request ID '20130312123435':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin='289224738763'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=CA Audit,O=UNIX.IRISZORG.NL
	expires: 2018-09-03 12:24:14 UTC
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20130312123436':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin='289224738763'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=OCSP Subsystem,O=UNIX.IRISZORG.NL
	expires: 2018-09-03 12:23:14 UTC
	eku: id-kp-OCSPSigning
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20130312123437':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin='289224738763'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=CA Subsystem,O=UNIX.IRISZORG.NL
	expires: 2018-09-03 12:23:14 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
	post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
	track: yes
	auto-renew: yes
Request ID '20130312123438':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=IPA RA,O=UNIX.IRISZORG.NL
	expires: 2018-09-03 12:23:14 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
	track: yes
	auto-renew: yes
Request ID '20130312123439':
	status: MONITORING
	stuck: no
	key pair storage: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin='289224738763'
	certificate: type=NSSDB,location='/var/lib/pki-ca/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
	CA: dogtag-ipa-renew-agent
	issuer: CN=Certificate Authority,O=UNIX.IRISZORG.NL
	subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
	expires: 2018-09-03 12:23:14 UTC
	eku: id-kp-serverAuth,id-kp-clientAuth
	pre-save command: 
	post-save command: 
	track: yes
	auto-renew: yes
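A small triage helper for `getcert list` output like the getcert.txt attached above, added here as an example and not part of the thread or of certmonger/FreeIPA. It parses the block format certmonger prints, flags requests that are `stuck` or not in the `MONITORING` steady state, warns on certificates expiring within the next month (Rob's step 2), and emits the `ipa-getcert resubmit -i <id>` command used above for each stuck request. The sample output and the hostnames and paths in it are constructed placeholders, not the original server's values.

```python
"""Triage helper for `getcert list` output (added example, not from the thread)."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample in the shape of the thread's getcert.txt; hostnames,
# realm and paths are placeholders, not the original server's values.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20121107212513':
\tstatus: CA_UNREACHABLE
\tca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa.example.test:443/ca/agent/ca/doRevoke': (SEC_ERROR_BUSY) NSS could not shutdown. Objects are still in use.).
\tstuck: yes
\tkey pair storage: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-EXAMPLE-TEST/pwdfile.txt'
\tCA: IPA
\tsubject: CN=ipa.example.test,O=EXAMPLE.TEST
\texpires: 2016-10-12 10:49:24 UTC
\tpre-save command: 
\tpost-save command: /usr/lib/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
\ttrack: yes
\tauto-renew: yes
Request ID '20130312123435':
\tstatus: MONITORING
\tstuck: no
\tCA: dogtag-ipa-renew-agent
\tsubject: CN=CA Audit,O=EXAMPLE.TEST
\texpires: 2018-09-03 12:24:14 UTC
\ttrack: yes
\tauto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':$")
EXPIRES_FMT = "%Y-%m-%d %H:%M:%S UTC"
# The mail's timestamp, so the sample gives stable numbers; use
# datetime.now(timezone.utc) against live `getcert list` output.
THREAD_DATE = datetime(2016, 9, 19, 7, 5, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return {request_id: {field: value}} from `getcert list` output."""
    requests = {}
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {}
            requests[m.group(1)] = current
            continue
        if current is None or not line.startswith("\t"):
            continue  # "Number of certificates ..." header or stray text
        # Split on the first colon only: ca-error values contain URLs and colons.
        key, _, value = line.strip().partition(":")
        current[key.strip()] = value.strip()
    return requests


def triage(requests, now, warn_within=timedelta(days=30)):
    """Return {request_id: [reasons]} for requests that need attention."""
    findings = {}
    for rid, f in requests.items():
        reasons = []
        if f.get("stuck") == "yes":
            reasons.append("stuck: " + f.get("ca-error", "no ca-error recorded"))
        if f.get("status") != "MONITORING":
            reasons.append("status %s (not in MONITORING steady state)" % f.get("status"))
        if "expires" in f:
            expires_at = datetime.strptime(f["expires"], EXPIRES_FMT).replace(tzinfo=timezone.utc)
            left = expires_at - now
            if left.total_seconds() < 0:
                reasons.append("already expired on " + f["expires"])
            elif left < warn_within:
                reasons.append("expires in %d days (%s)" % (left.days, f["expires"]))
        if reasons:
            findings[rid] = reasons
    return findings


def resubmit_commands(findings, requests):
    """The thread's remediation step, one command per stuck request."""
    return ["ipa-getcert resubmit -i %s" % rid
            for rid in findings if requests[rid].get("stuck") == "yes"]


def triage_sample(now=THREAD_DATE):
    """Run the parser and triage over the constructed sample."""
    reqs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    return triage(reqs, now), reqs


if __name__ == "__main__":
    found, reqs = triage_sample()
    for rid, reasons in found.items():
        print(rid, reqs[rid].get("subject", "?"))
        for reason in reasons:
            print("   -", reason)
    for cmd in resubmit_commands(found, reqs):
        print("next step (after restarting httpd, as in the thread):", cmd)
```

Run live with `getcert list | python3 triage.py` after swapping the sample for `sys.stdin.read()` and `THREAD_DATE` for `datetime.now(timezone.utc)`; the point of keeping `stuck` and `status` as separate findings is that a request can be transiently out of `MONITORING` without being stuck, while `stuck: yes` means certmonger has given up until a resubmit.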