<html>
<head>
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
</head>
<body text="#000000" bgcolor="#FFFFFF">
On our non-CA IPA server, this is happening, in case it's related
and illustrative:<br>
<br>
<font face="Courier New, Courier, monospace"># ipa host-del
zw113.private.net<br>
ipa: ERROR: Certificate format error: (SEC_ERROR_LEGACY_DATABASE)
The certificate/key database is in an old, unsupported format.<br>
#</font><br>
<br>
<div class="moz-cite-prefix">On 04/26/2016 09:24 AM, Bret Wortman
wrote:<br>
</div>
<blockquote cite="mid:571F6BF5.9060801@damascusgrp.com" type="cite">
<meta content="text/html; charset=utf-8" http-equiv="Content-Type">
I rolled the date on the IPA server in question back to April 1
and ran "ipa-cacert-manage renew", which said it completed
successfully. I rolled the date back to current and tried
restarting ipa using ipactl stop && ipactl start, but no
joy. No more ca renewal errors, but right after the pause I see
this in /var/log/messages:<br>
<br>
<font face="Courier New, Courier, monospace">systemd:
kadmin.service: main process exited, code=exited,
status=2/INVALIDARGUMENT<br>
systemd: Unit kadmin.service entered failed state.<br>
systemd: kadmin.service failed.<br>
</font><br>
I rebooted the server just in case, and it's still getting stuck
at the same place. ipa-otpd doesn't get around to starting.<br>
<br>
<br>
Bret<br>
<br>
After the several-minutes-long pause after ipactl start outputs
"Starting pki-tomcatd Service", I get the <br>
<br>
<div class="moz-cite-prefix">On 04/26/2016 08:14 AM, Bret Wortman
wrote:<br>
</div>
<blockquote cite="mid:571F5B99.4060607@damascusgrp.com"
type="cite">
<meta http-equiv="content-type" content="text/html;
charset=utf-8">
I have an IPA server on a private network which has apparently
run into certificate issues this morning. It's been running
without issue for quite a while, and is on 4.1.4-1 on fedora 21.<br>
<div class="moz-forward-container"> <br>
This morning, the gui started giving:<br>
<br>
<font face="Courier New, Courier, monospace">IPA Error 907:
NetworkError with description "cannot connect to '<a
moz-do-not-send="true" class="moz-txt-link-freetext"
href="https://zsipa.private.net:443/ca/agent/ca/displayBySerial"><a class="moz-txt-link-freetext" href="https://zsipa.private.net:443/ca/agent/ca/displayBySerial">https://zsipa.private.net:443/ca/agent/ca/displayBySerial</a></a>':
(SSL_ERROR_EXPIRED_CERRT_ALERT) SSL peer rejected your
certificate as expired."</font><br>
<br>
I dug into the logs and after trying to restart ipa using
ipactl, there was a length pause, then:<br>
<br>
<font face="Courier New, Courier, monospace">dogtag-ipa-ca-renew-agent-submit:
Updated certificate not available<br>
certmonger: Certificate named "ipaCert" in token "NSS
Certificate DB" in database "/etc/httpd/alias" is no longer
valid.<br>
dogtag-ipa-ca-renew-agent-submit: Updated certificate not
available<br>
certmonger: Certificate named "ocspSigningCert cert-pki-ca"
in token "NSS Certificate DB" in database
"/etc/pki/pki-tomcat/alias" is no longer valid.<br>
dogtag-ipa-ca-renew-agent-submit: Updated certificate not
available.<br>
named-pkcs11[3437]: client 192.168.208.205#57832: update
'208.168.192.in-addr.arpa/IN' denied<br>
</font><br>
and then things start shutting down. I can't start ipa at all
using ipactl.<br>
<br>
So at present, our DNS is down. Authentication should work for
a while, but I'd like to get this working again as quickly as
possible. Any ideas? I deal with certificates so infrequently
(like only when something like this happens) that I'm not sure
where to start.<br>
<br>
Thanks!<br>
<br>
<br>
<div class="moz-signature">-- <br>
<div><b>Bret Wortman</b></div>
<div><i>Coming soon to Kickstarter...</i></div>
<div><a moz-do-not-send="true" href="http://wrapbuddies.co/"><img
src="cid:part2.01080605.06090403@damascusgrp.com"
height="88/" width="100"></a><br>
</div>
<div><a moz-do-not-send="true" href="http://wrapbuddies.co/">http://wrapbuddies.co/</a><br>
</div>
</div>
<br>
</div>
<br>
</blockquote>
<br>
</blockquote>
<br>
</body>
</html>