On 25-10-18 16:11, Rob Crittenden wrote:
> Kees Bakker via FreeIPA-users wrote:
>> On 25-10-18 14:18, Rob Crittenden wrote:
>>> Kees Bakker via FreeIPA-users wrote:
>>>> Could it be that this error already existed since we started? Notice
>>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>>
>>>> # getcert list -n ipaCert | sed blabla
>>>> Number of certificates and requests being tracked: 8.
>>>> Request ID '20161103094546':
>>>>     status: CA_UNREACHABLE
>>>>     ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>     stuck: no
>>>>     key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>>>     certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>>>     CA: dogtag-ipa-ca-renew-agent
>>>>     issuer: CN=Certificate Authority,O=MYDOMAIN
>>>>     subject: CN=IPA RA,O=MYDOMAIN
>>>>     expires: 2018-10-24 08:45:40 UTC
>>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>     pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>>>     post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>>>     track: yes
>>>>     auto-renew: yes
>>>>
>>>> In other words, is this the same issue as 
>>>> https://pagure.io/freeipa/issue/7422 ?
>>> The problem is your certs expired yesterday so connections won't work
>>> (the code and message don't come from within certmonger).
>>>
>>> certmonger _should_ have renewed them. Try killing ntpd, going back a
>>> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and
>>> see what happens.
>>>
>> Easy for you to say. You know what you're doing :-)
>> For me it's all magic.
>>
>> Anyway, I'll try it. I'm just scared to set the clock back, because there may
>> be clients in the network that use this server as an NTP server.
>>
>> Another thing I want to mention is that the error started showing up two days
>> ago, on Oct 22, while the expiration is today, Oct 24.
>>
> It shouldn't take more than a few minutes to roll back time, restart
> services and see what happens. I think your NTP clients will be able to
> recover ok if the server is not available for a few minutes.
>
> certmonger logs to syslog so you probably want to look at that to see if
> you can find a reason the certs weren't renewed automatically.
>

No, that didn't help.
And in the syslog there was nothing more than this. (I had to stop the
nameserver because it was spitting out lots of messages.)

Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
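The whole thread turns on reading `getcert list` output and noticing, too late, that a tracked cert had stopped being renewed. The following is an added example, not code from the thread or from FreeIPA/certmonger: a small Python audit that parses `getcert list` output and flags every tracked request whose status is not MONITORING, that carries a ca-error, or whose expiry has passed or falls within a review window. The sample output embedded in it is constructed: the first request copies the field layout quoted above, the second is an invented healthy entry for contrast, and the 28-day window is an assumed threshold for this example, not a value read from certmonger.

```python
import re
import sys
from datetime import datetime, timedelta, timezone

# Constructed sample of `getcert list` output. It is NOT a capture from the
# poster's server: the first request copies the field layout quoted in the
# thread, the second is an invented healthy entry for contrast.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20161103094546':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    stuck: no
    key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    issuer: CN=Certificate Authority,O=MYDOMAIN
    subject: CN=IPA RA,O=MYDOMAIN
    expires: 2018-10-24 08:45:40 UTC
    track: yes
    auto-renew: yes
Request ID '20161103094601':
    status: MONITORING
    stuck: no
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-MYDOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-MYDOMAIN/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-MYDOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    issuer: CN=Certificate Authority,O=MYDOMAIN
    subject: CN=ipasrv.mydomain,O=MYDOMAIN
    expires: 2020-06-01 09:00:00 UTC
    track: yes
    auto-renew: yes
"""

REQUEST_RE = re.compile(r"^Request ID '([^']+)':\s*$")
NICKNAME_RE = re.compile(r"nickname='([^']*)'")


def utc(year, month, day, hour=0, minute=0):
    """Shorthand for an aware UTC datetime (used for the 'now' argument)."""
    return datetime(year, month, day, hour, minute, tzinfo=timezone.utc)


def parse_getcert_list(text):
    """Split `getcert list` output into one dict per tracked request.

    Field lines look like "    key: value"; the value is everything after the
    first ": ", so a ca-error containing a URL with colons stays intact."""
    entries = []
    current = None
    for line in text.splitlines():
        m = REQUEST_RE.match(line)
        if m:
            current = {"request_id": m.group(1)}
            entries.append(current)
            continue
        if current is None or ": " not in line:
            continue
        key, value = line.strip().split(": ", 1)
        current[key] = value.strip()
    return entries


def parse_expires(value):
    """certmonger prints expiry as 'YYYY-MM-DD HH:MM:SS UTC'; return an aware datetime."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)


def nickname_of(entry):
    m = NICKNAME_RE.search(entry.get("certificate", ""))
    return m.group(1) if m else "?"


def audit_tracking(entries, now, warn_days=28):
    """Return (request_id, nickname, kind, detail) tuples an admin should act on.

    kind is one of: "status" (anything but MONITORING), "ca-error", "expired",
    "expiring" (within warn_days). warn_days=28 is an assumed review threshold
    chosen for this example, not a value read from certmonger's configuration."""
    findings = []
    for e in entries:
        rid, nick = e["request_id"], nickname_of(e)
        status = e.get("status", "?")
        if status != "MONITORING":
            findings.append((rid, nick, "status", status))
        if "ca-error" in e:
            findings.append((rid, nick, "ca-error", e["ca-error"]))
        if "expires" in e:
            left = parse_expires(e["expires"]) - now
            if left <= timedelta(0):
                findings.append((rid, nick, "expired", e["expires"]))
            elif left <= timedelta(days=warn_days):
                findings.append((rid, nick, "expiring", f"in {left.days} days ({e['expires']})"))
    return findings


if __name__ == "__main__":
    # Pipe real output in with `getcert list | python3 this_script.py -`;
    # otherwise the constructed sample is audited as of the day after the expiry in the thread.
    if len(sys.argv) > 1 and sys.argv[1] == "-":
        text, now = sys.stdin.read(), datetime.now(timezone.utc)
    else:
        text, now = SAMPLE_GETCERT_OUTPUT, utc(2018, 10, 25, 12)
    for rid, nick, kind, detail in audit_tracking(parse_getcert_list(text), now):
        print(f"{rid} ({nick}): {kind}: {detail}")
```

Run against the sample with a "now" of 2018-10-20 it reports the RA cert as expiring in 4 days alongside its CA_UNREACHABLE status and ca-error; with 2018-10-25 the same request shows as expired. Dropping it into a cron job that mails non-empty output is a cheap way to hear about a stalled renewal before the expiry date rather than two days after it.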
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
