Scott Stevson via FreeIPA-users wrote:
> Hey Rob,
> 
> It's the NSSDB cert.  Here's some console output that might be helpful.
> 
> PROD [root@server-ns-1 var]# getcert list | grep -A10 20150827000358
> Request ID '20150827000358':
>       status: MONITORING
>       ca-error: Server at "http://server-ns-1.our.domain.local:9180/ca/ee/ca/profileSubmit" replied: 1: Server Internal Error
>       stuck: no
>       key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>       certificate: type=NSSDB,location='/etc/httpd/alias',nickname='ipaCert',token='NSS Certificate DB'
>       CA: dogtag-ipa-renew-agent
>       issuer: CN=Certificate Authority,O=COMPANY.LOCAL
>       subject: CN=IPA RA,O=COMPANY.LOCAL
>       expires: 2017-08-15 20:17:52 UTC
>       key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
> 
> As for how this happened:  We're not entirely sure yet but the working theory 
> is the SRE who provisioned the new CA master didn't fully remove all 
> references to the old one.  I need to track down a few more people and 
> details in order to answer this fully.
> 
> As for the CA debug log.  I don't see any references to failures per se, and 
> I'm wondering if there's something I can do to force an error that'll be 
> useful to you.  Again, the failure I referenced earlier is our Nagios check 
> for certmonger that simply reacts to the output `getcert list` returns.  
> Versions of this are all I see in the debug logs.
> 
> [08/Aug/2017:15:39:31][TP-Processor9]: CMSServlet: curDate=Tue Aug 08 15:39:31 UTC 2017 id=caProfileSubmitSSLClient time=62

certmonger doesn't use SRV records to lookup an IPA master. Update the
xmlrpc_server entry in /etc/ipa/default.conf to point to a working IPA
server and that should fix this for you after a certmonger restart.

There is a bug open on this we just haven't gotten to it yet.

rob
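An added shell example (not from this thread or from the FreeIPA project) of auditing the xmlrpc_server entry Rob describes against a list of known-live masters and rewriting it in place; the hostnames, the live-master list and the default.conf copy are constructed for the demo, and the real file is /etc/ipa/default.conf.

```shell
#!/bin/sh
# certmonger's dogtag-ipa-renew-agent helper talks to the host named in
# xmlrpc_server and does not fall back to SRV records, so a stale entry
# left over from a decommissioned CA master breaks every renewal.

# Print the host part of "xmlrpc_server = https://host/ipa/xml".
xmlrpc_host() {
    sed -n 's#^[[:space:]]*xmlrpc_server[[:space:]]*=[[:space:]]*https\{0,1\}://\([^/[:space:]]*\).*#\1#p' "$1" | head -n 1
}

# Succeed only if the configured host is in the space-separated list of
# masters known to be alive (e.g. the output of `ipa server-find`).
xmlrpc_points_to_live_master() {
    host=$(xmlrpc_host "$1")
    [ -n "$host" ] || return 1
    for m in $2; do
        [ "$m" = "$host" ] && return 0
    done
    return 1
}

# Rewrite xmlrpc_server to the given master, keeping the file's permissions.
# certmonger only picks the change up after `systemctl restart certmonger`.
set_xmlrpc_server() {
    tmp=$(mktemp)
    sed "s#^\([[:space:]]*xmlrpc_server[[:space:]]*=[[:space:]]*\).*#\1https://$2/ipa/xml#" "$1" >"$tmp" \
        && cat "$tmp" >"$1"
    rm -f "$tmp"
}

# Constructed copy of default.conf that still names the old CA master.
demo_conf=$(mktemp)
cat >"$demo_conf" <<'EOF'
[global]
host = client.example.test
realm = EXAMPLE.TEST
xmlrpc_server = https://old-ca.example.test/ipa/xml
EOF
LIVE_MASTERS="new-ca.example.test replica2.example.test"   # constructed

if xmlrpc_points_to_live_master "$demo_conf" "$LIVE_MASTERS"; then
    echo "xmlrpc_server OK: $(xmlrpc_host "$demo_conf")"
else
    echo "xmlrpc_server names $(xmlrpc_host "$demo_conf"), not a live master; repairing"
    set_xmlrpc_server "$demo_conf" new-ca.example.test
    echo "now: $(xmlrpc_host "$demo_conf") (restart certmonger, then re-check getcert list)"
fi
```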
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org