[Freeipa-users] Replica created with expired certs

Rob Crittenden rcritten at redhat.com
Fri Sep 30 08:49:15 UTC 2016


Jim Richard wrote:
> another interesting thing, my httpd/error_logs are constantly getting
> spammed with: (I removed the stuff between the single quotes)
>
> Notice those names don’t match, should they?
>
> Me thinks not since those "principal=" items are ALMOST all hosts that
> no longer exist in the FreeIPA system. A rare few do exist.
>
> So, that’s weird :)

I suspect that certmonger is still tracking certificate(s) on those 
hosts. You should be able to clear things up on those hosts with 
something like:

# ipa-getcert list
# ipa-getcert stop-tracking -i <request_id found above>

It's hard to say if the hostname mismatch is expected or not; it depends 
on how the requests were done initially. The first value in the log 
represents the principal that did the BIND, so the host to look on is 
aerospike-cl1-203.nym1.placeiq.net. The second hostname is the principal 
that the certificate is being requested _for_. This is basically a 
delegated request.

rob

>
> [Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'…………………..', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
>
> [Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'…………………..', principal=u'host/017.prod07.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
>
> [Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'……………………...', principal=u'host/025.prod07.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
>
> [Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'……………………….', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
>
>> On Sep 29, 2016, at 8:11 AM, Rob Crittenden <rcritten at redhat.com> wrote:
>>
>> Natxo Asenjo wrote:
>>> hi Jim,
>>>
>>> On Thu, Sep 29, 2016 at 7:37 AM, Jim Richard <jrichard at placeiq.com> wrote:
>>>
>>>    Thanks Rob, that worked.
>>>
>>>    Still on the subject of certs, any idea how to solve this error:
>>>
>>>    Certificate format error: (SEC_ERROR_LEGACY_DATABASE) The
>>>    certificate/key database is in an old, unsupported format.
>>>
>>>    I see that in the gui when querying hosts as well as from cli when I
>>>    ipa-show or ipa-find
>>>
>>>
>>> I have had this too, and we did not find a solution (search my recent
>>> posts on the archives). As a workaround I have created replicas and
>>> decommissioned the older replicas.
>>
>> On the one hand I'm glad this fixed it for you. On the other it is a
>> rather unsatisfying answer. Unfortunately NSS doesn't always provide
>> the most context with its error messages. This error is usually seen
>> when one tries to open a non-existent database, which in this case is
>> a very strange thing, especially since it goes from working to
>> non-working in the same apache process over a few minutes.
>>
>> I'm not sure how I'd troubleshoot this if it were easily reproducible.
>> I suspect we'd need to figure out which database cannot be found (most
>> likely /etc/httpd/alias) and go from there. An strace is a brute-force
>> way to see the file open but finding the right process to attach to is
>> a bit of an art.
>>
>> rob
>>
>
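A small parser for the httpd error_log entries quoted in this thread, added here as an example and not code from the original messages. It separates the principal that did the BIND (the host whose certmonger made the call) from the principal the certificate was requested for, as Rob explains, and then lists, per BIND host, the requested hosts that are no longer in IPA; those are the hosts on which to run `ipa-getcert list` and which tracking requests to stop there. The sample log and the set of still-existing hosts are constructed assumptions.

```python
import re

# Constructed sample: the error_log entries quoted in this thread, with the
# elided CSR argument of cert_request() replaced by a placeholder.
SAMPLE_LOG = """\
[Thu Sep 29 20:44:59 2016] [error] ipa: INFO: host/aerospike-cl1-203.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'<csr>', principal=u'host/sbtt-nyc1-028.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
[Thu Sep 29 20:45:06 2016] [error] ipa: INFO: host/aerospike-cl2-210.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'<csr>', principal=u'host/017.prod07.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
[Thu Sep 29 20:45:09 2016] [error] ipa: INFO: host/adsgateway-14.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'<csr>', principal=u'host/025.prod07.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
[Thu Sep 29 20:45:29 2016] [error] ipa: INFO: host/ttsandbox-022.nym1.placeiq.net@PLACEIQ.NET: cert_request(u'<csr>', principal=u'host/sbtt-nyc1-022.thum01.nym1.placeiq.net@PLACEIQ.NET', add=True): CertificateOperationError
"""

# Shape of one line: "<bind principal>: cert_request(<csr>, principal=u'<target>', add=True): <error>"
LINE_RE = re.compile(
    r"ipa: INFO: host/(?P<bind>[^@\s]+)@(?P<realm>[^:\s]+): cert_request\("
    r".*?principal=u?'host/(?P<target>[^@']+)@[^']*'.*?\): (?P<error>\w+)\s*$"
)


def parse_cert_request_errors(log_text):
    """Return one record per failed cert_request line.

    bind_host is the host that authenticated (BIND) to IPA, i.e. the host
    running certmonger; target_host is the host the certificate was requested
    for. When they differ the request is delegated.
    """
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            records.append({
                "bind_host": m.group("bind"),
                "realm": m.group("realm"),
                "target_host": m.group("target"),
                "error": m.group("error"),
            })
    return records


def stale_requests(records, known_hosts):
    """Map each BIND host to the requested hosts that are not in known_hosts.

    Each key is a host on which `ipa-getcert list` should be run; each value
    names the tracking requests worth stopping with `ipa-getcert stop-tracking`.
    """
    stale = {}
    for rec in records:
        if rec["target_host"] not in known_hosts:
            stale.setdefault(rec["bind_host"], set()).add(rec["target_host"])
    return stale


if __name__ == "__main__":
    # Constructed assumption: only one of the requested hosts still exists in IPA.
    existing = {"sbtt-nyc1-028.thum01.nym1.placeiq.net"}
    for host, targets in sorted(stale_requests(parse_cert_request_errors(SAMPLE_LOG), existing).items()):
        print(f"{host}: stop tracking requests for {sorted(targets)}")
```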