<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I rolled the date on the IPA server in question back to April 1 and
ran "ipa-cacert-manage renew", which said it completed successfully.
I rolled the date back to current and tried restarting ipa using
ipactl stop && ipactl start, but no joy. No more ca renewal
errors, but right after the pause I see this in /var/log/messages:<br>
<br>
<font face="Courier New, Courier, monospace">systemd:
kadmin.service: main process exited, code=exited,
status=2/INVALIDARGUMENT<br>
systemd: Unit kadmin.service entered failed state.<br>
systemd: kadmin.service failed.<br>
</font><br>
I rebooted the server just in case, and it's still getting stuck at
the same place. ipa-otpd doesn't get around to starting.<br>
<br>
<br>
Bret<br>
<br>
After the several-minutes-long pause after ipactl start outputs
"Starting pki-tomcatd Service", I get the <br>
<br>
<div class="moz-cite-prefix">On 04/26/2016 08:14 AM, Bret Wortman
wrote:<br>
</div>
<blockquote cite="mid:571F5B99.4060607@damascusgrp.com" type="cite">
<meta http-equiv="content-type" content="text/html; charset=utf-8">
I have an IPA server on a private network which has apparently run
into certificate issues this morning. It's been running without
issue for quite a while, and is on 4.1.4-1 on fedora 21.<br>
<div class="moz-forward-container"> <br>
This morning, the gui started giving:<br>
<br>
<font face="Courier New, Courier, monospace">IPA Error 907:
NetworkError with description "cannot connect to '<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://zsipa.private.net:443/ca/agent/ca/displayBySerial">https://zsipa.private.net:443/ca/agent/ca/displayBySerial</a>':
(SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your
certificate as expired."</font><br>
<br>
I dug into the logs and after trying to restart ipa using
ipactl, there was a lengthy pause, then:<br>
<br>
<font face="Courier New, Courier, monospace">dogtag-ipa-ca-renew-agent-submit:
Updated certificate not available<br>
certmonger: Certificate named "ipaCert" in token "NSS
Certificate DB" in database "/etc/httpd/alias" is no longer
valid.<br>
dogtag-ipa-ca-renew-agent-submit: Updated certificate not
available<br>
certmonger: Certificate named "ocspSigningCert cert-pki-ca" in
token "NSS Certificate DB" in database
"/etc/pki/pki-tomcat/alias" is no longer valid.<br>
dogtag-ipa-ca-renew-agent-submit: Updated certificate not
available.<br>
named-pkcs11[3437]: client 192.168.208.205#57832: update
'208.168.192.in-addr.arpa/IN' denied<br>
</font><br>
and then things start shutting down. I can't start ipa at all
using ipactl.<br>
<br>
So at present, our DNS is down. Authentication should work for a
while, but I'd like to get this working again as quickly as
possible. Any ideas? I deal with certificates so infrequently
(like only when something like this happens) that I'm not sure
where to start.<br>
<br>
Thanks!<br>
<br>
<br>
<div class="moz-signature">-- <br>
<div><b>Bret Wortman</b></div>
<div><i>Coming soon to Kickstarter...</i></div>
<div><a moz-do-not-send="true" href="http://wrapbuddies.co/">http://wrapbuddies.co/</a><br>
</div>
</div>
<br>
</div>
<br>
</blockquote>
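<br>
Added example, not from the thread or from FreeIPA itself: a small Python
script that parses the output of <font face="Courier New, Courier, monospace">getcert
list</font> (the certmonger tracking view for the certificates named in the
log lines above) and reports which tracked certificates have already expired,
which requests certmonger failed to renew and what the CA said, and the latest
time the clock can be rolled back to so that every tracked certificate is
inside its notAfter again. The sample output embedded in the script is
constructed for the example: the request IDs, dates and the Server-Cert entry
are invented; only the nicknames and NSS database paths follow the messages
quoted in the thread.<br>
<br>
```python
# Added example (not from the thread or FreeIPA): parse `getcert list` output
# from an IPA server, list the tracked certificates that have already expired,
# show which renewal requests failed and why, and compute the latest time the
# clock can be rolled back to so every tracked certificate is valid again.
# SAMPLE is constructed: request IDs, dates and the Server-Cert entry are made
# up; only the nicknames and NSS database paths follow the certmonger log
# lines quoted in the thread.
import re
import sys
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 3.
Request ID '20140401120000':
\tstatus: CA_UNREACHABLE
\tca-error: Updated certificate not available
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2016-04-26 05:12:37 UTC
Request ID '20140401120001':
\tstatus: CA_UNREACHABLE
\tca-error: Updated certificate not available
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\tCA: dogtag-ipa-ca-renew-agent
\texpires: 2016-04-25 22:00:00 UTC
Request ID '20140401120002':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\texpires: 2017-12-01 09:00:00 UTC
"""

# "<key>: <value>" lines inside a request block; keys may contain spaces/hyphens.
_FIELD = re.compile(r"^\s*([A-Za-z][A-Za-z -]*?):\s*(.*)$")
_TIME_FMT = "%Y-%m-%d %H:%M:%S UTC"   # the form getcert prints timestamps in


def parse_utc(text):
    """Parse a timestamp such as '2016-04-26 05:12:37 UTC' into an aware datetime."""
    return datetime.strptime(text, _TIME_FMT).replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Return one dict per 'Request ID' block, with nickname/database/expires_at filled in."""
    certs, current = [], None
    for line in text.splitlines():
        if line.startswith("Request ID"):
            current = {"request_id": line.split("'")[1]}
            certs.append(current)
            continue
        m = _FIELD.match(line) if current is not None else None
        if m:
            current[m.group(1)] = m.group(2)
    for c in certs:
        # certificate: type=NSSDB,location='...',nickname='...',token='...'
        loc = dict(re.findall(r"(\w+)='([^']*)'", c.get("certificate", "")))
        c["nickname"], c["database"] = loc.get("nickname"), loc.get("location")
        c["expires_at"] = parse_utc(c["expires"]) if "expires" in c else None
    return certs


def expired_certs(certs, now_text):
    """Nicknames whose notAfter is at or before `now_text`, earliest expiry first."""
    now = parse_utc(now_text)
    gone = [c for c in certs if c["expires_at"] and c["expires_at"] <= now]
    return [c["nickname"] for c in sorted(gone, key=lambda c: c["expires_at"])]


def renewal_failures(certs):
    """Tracked certs certmonger is not simply monitoring: nickname -> (status, ca-error)."""
    return {c["nickname"]: (c.get("status"), c.get("ca-error"))
            for c in certs if c.get("status") != "MONITORING"}


def clock_rollback_target(certs, margin_days=1):
    """Latest time to set the clock to so that no tracked cert is past its notAfter.

    Renewal requests must be made before the earliest notAfter, so the bound
    is that expiry minus a safety margin (getcert does not print notBefore,
    so the lower bound of the validity window cannot be checked here)."""
    earliest = min(c["expires_at"] for c in certs if c["expires_at"])
    return (earliest - timedelta(days=margin_days)).strftime(_TIME_FMT)


if __name__ == "__main__":
    # Feed real output with `getcert list | python3 <this file>`; otherwise use SAMPLE.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE
    certs = parse_getcert_list(text)
    now = datetime.now(timezone.utc).strftime(_TIME_FMT)
    print("expired:", expired_certs(certs, now))
    print("not renewed:", renewal_failures(certs))
    print("roll clock back to no later than:", clock_rollback_target(certs))
```
<br>
Piping a live <font face="Courier New, Courier, monospace">getcert list</font>
into the script gives the bound for the clock rollback; because getcert does
not print notBefore, a certificate issued after the chosen date would still be
outside its validity window, which is worth a glance with
<font face="Courier New, Courier, monospace">certutil -L -d /etc/httpd/alias -n
ipaCert</font> before picking a date. With the clock rolled back,
<font face="Courier New, Courier, monospace">getcert resubmit -i &lt;request
id&gt;</font> asks certmonger to retry a failed request, and
<font face="Courier New, Courier, monospace">getcert list</font> should show
the entries return to MONITORING before the clock is set forward again.<br>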
<br>
</body>
</html>