[Freeipa-users] Freeipa web UI: An error has occurred (IPA Error 4302: CertificateFormatError)
Andrew Krause
andrew.krause at breakthroughfuel.com
Thu Apr 20 17:47:52 UTC 2017
Sorry for the self bump but no one has any insight on this?
> On Apr 17, 2017, at 11:31 AM, Andrew Krause <andrew.krause at breakthroughfuel.com> wrote:
>
> Many hosts in our web ui show a null status for “enrolled”. When you do a search that includes any of these host objects the web UI posts errors, and if you click on one of the problem hosts the same error stops anything from loading on the host page.
>
> I’ve been trying to solve this problem on my own for quite some time and have not been successful. It’s impossible to remove the host through the web UI and using CLI commands seem to remove the entry from IPA (host is not found with ipa host-find), but it is still visible in the UI. One thing that may be common with all of these hosts is that they were enrolled with our IPA system back while we were running version 3.0 and likely have had issues for quite some time. Multiple updates have happened since then, and all of our hosts added within the last year are working fine. I suspect there’s an issue with a path somewhere for a certificate database, but I’m unable to pinpoint what is going wrong.
>
>
> I’m currently cloning 2 of my IPA servers into a private dmz to test fixes so I can try things without worry...
>
> 1. Realized we had many certificates that were expired and not renewing with “getcert list” on primary IPA server
> 2. Tried every document I could find on renewing the certificates but was never completely successful (on version 4.1 which is our current in production)
> 3. Upgraded to 4.4 and was actually able to renew all certificates listed on the main IPA server showing current below
> 4. After having success with #3 I was able to start the CA service without error and everything on the server seems to be working as expected
> 5. Have attempted many variations of removing a problem host and adding it back, but the errors in the web UI persist.
>
> Output from "getcert list":
>
> Number of certificates and requests being tracked: 8.
> Request ID '20160901214852':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=CA Audit,O=DOMAIN.COM
> expires: 2018-08-22 22:13:44 UTC
> key usage: digitalSignature,nonRepudiation
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20160901214853':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=OCSP Subsystem,O=DOMAIN.COM
> expires: 2018-08-22 21:49:26 UTC
> eku: id-kp-OCSPSigning
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20160901214854':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=CA Subsystem,O=DOMAIN.COM
> expires: 2018-08-22 21:49:18 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20160901214855':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=Certificate Authority,O=DOMAIN.COM
> expires: 2036-09-01 05:05:00 UTC
> key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20160901214856':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
> CA: dogtag-ipa-ca-renew-agent
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=IPA RA,O=DOMAIN.COM
> expires: 2018-08-22 22:15:36 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
> post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
> track: yes
> auto-renew: yes
> Request ID '20160901214857':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
> certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
> CA: dogtag-ipa-renew-agent
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=hostname07.domain.com,O=DOMAIN.COM
> expires: 2018-07-31 23:31:17 UTC
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
> post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
> track: yes
> auto-renew: yes
> Request ID '20160901214858':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOMAIN-COM/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOMAIN-COM',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=hostname07.domain.com,O=DOMAIN.COM
> expires: 2018-08-22 23:31:28 UTC
> principal name: ldap/hostname07.domain.com at DOMAIN.COM
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv DOMAIN-COM
> track: yes
> auto-renew: yes
> Request ID '20160901214859':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=DOMAIN.COM
> subject: CN=hostname07.domain.com,O=DOMAIN.COM
> expires: 2018-08-22 23:31:19 UTC
> principal name: HTTP/hostname07.domain.com at DOMAIN.COM
> key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> eku: id-kp-serverAuth,id-kp-clientAuth
> pre-save command:
> post-save command: /usr/libexec/ipa/certmonger/restart_httpd
> track: yes
> auto-renew: yes
>
>
>
>
> Output for "certutil -L -d /var/lib/pki/pki-tomcat/alias/"
>
> Certificate Nickname Trust Attributes
> SSL,S/MIME,JAR/XPI
>
> Server-Cert cert-pki-ca u,u,u
> Certificate Authority - DOMAIN.COM CTu,cu,u
> subsystemCert cert-pki-ca u,u,u
> auditSigningCert cert-pki-ca u,u,Pu
> caSigningCert cert-pki-ca u,u,u
> ocspSigningCert cert-pki-ca u,u,u
>
>
>
>
> Output for latest selftests.log for pki-tomcatd:
>
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Initializing self test plugins:
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin instances
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] CAPresence: CA is present
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SystemCertsVerification: system certs verification success
> 0.localhost-startStop-1 - [17/Apr/2017:10:11:53 CDT] [20] [1] SelfTestSubsystem: All CRITICAL self test plugins ran SUCCESSFULLY at startup!
>
>
>
> Any assistance would be greatly appreciated.
>
> Andrew Krause
>
> --
> Manage your subscription for the Freeipa-users mailing list:
> https://www.redhat.com/mailman/listinfo/freeipa-users
> Go to http://freeipa.org for more info on the project
More information about the Freeipa-users
mailing list