On 10/23/18 5:24 AM, None via FreeIPA-users wrote:
Hi Flo, journalctl reports that the request is rejected, error 2.

  dogtag-ipa-ca-renew-agent-submit[29544]: Forwarding request to dogtag-ipa-renew-agent
  dogtag-ipa-renew-agent-submit[29558]: GET http://ca-ldap01.:8080/ca/ee/ca/profileSubmit?profil
  dogtag-ipa-renew-agent-submit[29558]: <html><head><title>Apache Tomcat/7.0.69 - Error report</title><style>
  dogtag-ipa-ca-renew-agent-submit[29544]: dogtag-ipa-renew-agent returned 2


Hi,

The PKI debug log may contain more information explaining why the request was rejected (/var/log/pki/pki-tomcat/ca/debug). You can also increase the debug level to get more information: edit (or create) /etc/ipa/server.conf and add the following:
[global]
debug=True

Then modify the certmonger helper that is used to renew the PKI certificates to increase verbosity: $ getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '/usr/libexec/certmonger/dogtag-ipa-ca-renew-agent-submit -vv'

(this simply adds -vv to the command executed by certmonger to renew the cert). The helper will log information in /var/log/ipa/renew.log.

HTH,
flo

I can't find a common date where all the certificates are valid, since "ocspSigningCert cert-pki-ca" is not valid before today.

# certutil -L -d /etc/pki/pki-tomcat/alias -n "auditSigningCert cert-pki-ca" | egrep "Not Before|After"
             Not Before: Wed Aug 24 20:49:38 2016
             Not After : Tue Aug 14 20:49:38 2018

# certutil -L -d /etc/pki/pki-tomcat/alias -n "ocspSigningCert cert-pki-ca" | egrep "Not Before|After"
             Not Before: Mon Oct 22 20:15:53 2018
             Not After : Sun Oct 11 20:15:53 2020

# certutil -L -d /etc/pki/pki-tomcat/alias -n "subsystemCert cert-pki-ca" | egrep "Not Before|After"
             Not Before: Wed Aug 24 20:49:36 2016
             Not After : Tue Aug 14 20:49:36 2018

# certutil -L -d /etc/pki/pki-tomcat/alias -n "caSigningCert cert-pki-ca" | egrep "Not Before|After"
             Not Before: Mon Oct 22 18:15:48 2018
             Not After : Fri Oct 22 18:15:48 2038

# certutil -L -d /etc/httpd/alias -n "ipaCert" | egrep "Not Before|After"
             Not Before: Wed Aug 24 20:50:00 2016
             Not After : Tue Aug 14 20:50:00 2018

# certutil -L -d /etc/pki/pki-tomcat/alias -n "Server-Cert cert-pki-ca" | egrep "Not Before|After"
             Not Before: Wed Jul 18 01:47:45 2018
             Not After : Tue Jul 07 01:47:45 2020


_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
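The validity dates quoted in the message above are enough to decide mechanically whether a "common date" exists and, when it does not, which two certificates rule it out (the one with the latest Not Before against the one with the earliest Not After). The script below is an added example for this thread, not code posted by either participant and not part of FreeIPA or certmonger. Its input is the certutil output quoted above, embedded as constructed sample data so it runs offline; the `exclude` parameter and the suggested clock value are my own additions and are assumptions about how one would use the result, not anything the thread prescribes.

```python
import re
from datetime import datetime

# Constructed sample input: the validity lines quoted in the thread, keyed by the
# NSS nickname each `certutil -L -d <db> -n <nick>` command was run against.
# In real use this dict would be filled from subprocess output instead.
SAMPLE_CERTUTIL_OUTPUT = {
    "auditSigningCert cert-pki-ca": (
        "            Not Before: Wed Aug 24 20:49:38 2016\n"
        "            Not After : Tue Aug 14 20:49:38 2018\n"),
    "ocspSigningCert cert-pki-ca": (
        "            Not Before: Mon Oct 22 20:15:53 2018\n"
        "            Not After : Sun Oct 11 20:15:53 2020\n"),
    "subsystemCert cert-pki-ca": (
        "            Not Before: Wed Aug 24 20:49:36 2016\n"
        "            Not After : Tue Aug 14 20:49:36 2018\n"),
    "caSigningCert cert-pki-ca": (
        "            Not Before: Mon Oct 22 18:15:48 2018\n"
        "            Not After : Fri Oct 22 18:15:48 2038\n"),
    "ipaCert": (
        "            Not Before: Wed Aug 24 20:50:00 2016\n"
        "            Not After : Tue Aug 14 20:50:00 2018\n"),
    "Server-Cert cert-pki-ca": (
        "            Not Before: Wed Jul 18 01:47:45 2018\n"
        "            Not After : Tue Jul 07 01:47:45 2020\n"),
}

# certutil prints e.g. "Not After : Tue Aug 14 20:49:38 2018" (local time, no zone).
VALIDITY_RE = re.compile(
    r"Not (Before|After)\s*:\s*(\w{3} \w{3} \d{1,2} \d{2}:\d{2}:\d{2} \d{4})")
CERTUTIL_TIME_FORMAT = "%a %b %d %H:%M:%S %Y"


def parse_validity(certutil_output):
    """Extract (not_before, not_after) from the text of `certutil -L -n <nick>`."""
    found = {}
    for kind, stamp in VALIDITY_RE.findall(certutil_output):
        found[kind] = datetime.strptime(stamp, CERTUTIL_TIME_FORMAT)
    if set(found) != {"Before", "After"}:
        raise ValueError("could not find both Not Before and Not After lines")
    return found["Before"], found["After"]


def common_validity_window(windows):
    """Intersect all (not_before, not_after) pairs.

    Returns (start, end) when every certificate is valid at the same moment,
    or None when the latest Not Before is already past the earliest Not After.
    """
    start = max(nb for nb, _ in windows.values())
    end = min(na for _, na in windows.values())
    return (start, end) if start <= end else None


def conflicting_certs(windows):
    """Name the cert with the latest Not Before and the one with the earliest
    Not After: together they are what makes the intersection empty."""
    latest_start = max(windows, key=lambda n: windows[n][0])
    earliest_end = min(windows, key=lambda n: windows[n][1])
    return latest_start, earliest_end


def analyze(certutil_outputs, exclude=()):
    """Parse every certutil output (optionally ignoring some nicknames) and
    report the common window, or the two certs that rule one out."""
    windows = {nick: parse_validity(text)
               for nick, text in certutil_outputs.items() if nick not in exclude}
    window = common_validity_window(windows)
    clock = None
    if window:
        # Midpoint of the window, formatted the way `date -s` accepts it.
        # Assumption: the operator wants a value comfortably inside the window.
        start, end = window
        clock = (start + (end - start) / 2).strftime("%Y-%m-%d %H:%M:%S")
    return {
        "window": window,
        "conflict": None if window else conflicting_certs(windows),
        "clock": clock,
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_CERTUTIL_OUTPUT)
    if report["window"] is None:
        print("no common validity date; conflicting certs:", report["conflict"])
    else:
        print("common window:", report["window"], "suggested clock:", report["clock"])
```

Run against the thread's own numbers, the script confirms what the poster observed: there is no common date, and the conflicting pair is the freshly reissued ocspSigningCert (valid only from 22 Oct 2018) against subsystemCert (expired 14 Aug 2018). Passing `exclude=("ocspSigningCert cert-pki-ca", "caSigningCert cert-pki-ca")` shows the window the remaining certificates still shared (18 Jul to 14 Aug 2018), which is the kind of date one would roll the clock back to before retrying renewal with certmonger; whether that is appropriate once the CA certificate itself has been reissued is a separate question that this thread does not settle.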
