[Freeipa-users] certificates not renewing CA_UNREACHEABLE

Rob Crittenden rcritten at redhat.com
Mon Sep 19 15:27:39 UTC 2016


Natxo Asenjo wrote:
> hi,
>
>
> On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <rcritten at redhat.com
> <mailto:rcritten at redhat.com>> wrote:
>
>     The 3 certs you list are the ones that are renewed via the IPA API
>     (as opposed to the subsystem certs renewed directly by dogtag). I
>     think the failures are all related. I had someone else report the
>     CSR decoding failure and he just restarted IPA and that fixes things
>     for him though it was a rather unsatisfying fix.
>
>     What I'd do is this. Assuming each step works, move onto the next.
>
>     1. ipa cert-show 1
>
>     The serial # picked more or less at random, we're testing
>     connectivity and that the CA is up and operational.
>
>     2. I assume that getcert list | grep expire shows all certs
>     currently valid? The IPA service certs expire in a month, how about
>     the CA subsystem certs?
>
>     3. Is this the same server having problems talking to the CA due to
>     the other NSS errors? If so what I'd do is restart httpd then
>     immediately use ipa-getcert to resubmit the requests to try to get
>     into that few minute window.
>
>     If this is the same box you already have debugging enabled so seeing
>     what that shows might be helpful.
>
>     rob
>
>
>
> yes, all certs are valid (see attachment getcert.txt).
>
> So I restarted httpd, I could execute ipa cert-show 1 and get an answer,
> immediately after I run
>
> $ sudo ipa-getcert resubmit -i 20121107212513
> Resubmitting "20121107212513" to "IPA".
>
> and now the status is the one you see in the attached getcert.txt file.
> The server failed request, will retry.
>
> I do not know if it's important, but I saw that the usercertificate
> attribute of the pki user admin was expired.
>
> I attach the error_log of httpd as well.

Ok, how about we work around the problem.

Since it is failing on the revocation what you might try is removing the 
userCertificate value from the ldap/kdc01.unix.iriszorg.nl service entry.

I think this will work:

$ ipa service-show ldap/kdc01.unix.iriszorg.nl |grep Serial
<note this down for later>

$ ipa service-mod --certificate= ldap/kdc01.unix.iriszorg.nl

If this doesn't work you can use ldapmodify to delete the 
usercertificate value.

This will remove the certificate value so there is nothing to revoke and 
a new cert will be saved (hopefully).

Now try to resubmit the request via certmonger.

If it works then you can run ipa cert-revoke <old serial #>

It isn't a great answer long-term because it is really just working 
around the problem but it should get the certs renewed.

rob
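As an added example (not code from the thread or from the FreeIPA project), a small Python check for step 2 above: it parses `getcert list` output and flags tracking requests whose status is not MONITORING or whose certificate expires within a warning window. The sample output is constructed; the request ID and hostname are the ones from the thread, and the ca-error text is an assumption.

```python
"""Flag certmonger requests that are not renewing or are about to expire."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output: one request stuck in
# CA_UNREACHABLE (the state discussed in the thread) and one healthy one.
SAMPLE_GETCERT_LIST = """\
Number of certificates and requests being tracked: 2.
Request ID '20121107212513':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://kdc01.unix.iriszorg.nl/ipa/xml failed request, will retry.
\tCA: IPA
\tsubject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
\texpires: 2016-10-17 14:22:07 UTC
\tauto-renew: yes
Request ID '20121107212600':
\tstatus: MONITORING
\tCA: IPA
\tsubject: CN=CA Audit,O=UNIX.IRISZORG.NL
\texpires: 2018-01-01 00:00:00 UTC
\tauto-renew: yes
"""
# Date of the mail above; a real run would use datetime.now(timezone.utc).
NOW = datetime(2016, 9, 19, 15, 27, 39, tzinfo=timezone.utc)

def parse_getcert_list(text):
    """Split `getcert list` output into one dict per 'Request ID' block."""
    requests = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            requests.append({"request_id": m.group(1)})
        elif requests and line.startswith("\t") and ": " in line:
            # Field lines are tab-indented "key: value"; keep the first ': ' split.
            key, _, value = line.strip().partition(": ")
            requests[-1][key] = value
    return requests

def findings(text, now=NOW, warn_days=30):
    """Return (request_id, reason) for each request an operator should act on."""
    out = []
    for req in parse_getcert_list(text):
        rid, status = req["request_id"], req.get("status", "UNKNOWN")
        if status != "MONITORING":
            out.append((rid, f"status {status}: {req.get('ca-error', 'no ca-error')}"))
        if "expires" in req:
            exp = datetime.strptime(req["expires"], "%Y-%m-%d %H:%M:%S %Z")
            if exp.replace(tzinfo=timezone.utc) - now <= timedelta(days=warn_days):
                out.append((rid, f"expires {req['expires']}, within {warn_days} days"))
    return out
```

Feeding it the real output (`getcert list | python3 check.py` with a stdin reader added) gives a quick cron-able alert that fires before the month-long expiry window in this thread runs out.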
