On 25-10-18 20:46, Timo Aaltonen wrote: > On 25.10.2018 21.44, Rob Crittenden wrote: >> Kees Bakker wrote: >>> On 25-10-18 16:11, Rob Crittenden wrote: >>>> Kees Bakker via FreeIPA-users wrote: >>>>> On 25-10-18 14:18, Rob Crittenden wrote: >>>>>> Kees Bakker via FreeIPA-users wrote: >>>>>>> Could it be that this error already existed since we started? Notice >>>>>>> the Request ID of 2016..., and the expires: 2018-10-24. >>>>>>> >>>>>>> # getcert list -n ipaCert | sed blabla >>>>>>> Number of certificates and requests being tracked: 8. >>>>>>> Request ID '20161103094546': >>>>>>> status: CA_UNREACHABLE >>>>>>> ca-error: Error 77 connecting to >>>>>>> https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with >>>>>>> the SSL CA cert (path? access rights?). >>>>>>> stuck: no >>>>>>> key pair storage: >>>>>>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS >>>>>>> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt' >>>>>>> certificate: >>>>>>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS >>>>>>> Certificate DB' >>>>>>> CA: dogtag-ipa-ca-renew-agent >>>>>>> issuer: CN=Certificate Authority,O=MYDOMAIN >>>>>>> subject: CN=IPA RA,O=MYDOMAIN >>>>>>> expires: 2018-10-24 08:45:40 UTC >>>>>>> key usage: >>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre >>>>>>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert >>>>>>> track: yes >>>>>>> auto-renew: yes >>>>>>> >>>>>>> In other words, is this the same issue as >>>>>>> https://pagure.io/freeipa/issue/7422 ? >>>>>> The problem is your certs expired yesterday so connections won't work >>>>>> (the code and message don't come from within certmonger). >>>>>> >>>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a >>>>>> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and >>>>>> see what happens. >>>>>> >>>>> Easy for you to say. You know what you're doing :-) >>>>> For me it's all magic. >>>>> >>>>> Anyway, I'll try it. I'm just scared to set the clock back, because there >>>>> may >>>>> be clients in the network that use this server as a NTP server. >>>>> >>>>> Another thing I want to mention is that the error started showing up two >>>>> days >>>>> ago, on Oct 22, while the expiration is today, Oct 24. >>>>> >>>> It shouldn't take more than a few minutes to roll back time, restart >>>> services and see what happens. I think your NTP clients will be able to >>>> recover ok if the server is not available for a few minutes. >>>> >>>> certmonger logs to syslog so you probably want to look at that to see if >>>> you can find a reason the certs weren't renewed automatically. >>>> >>> No, that didn't help. >>> And in the syslog there was nothing more than this. (I had to stop the >>> nameserver because it was spitting out lots of messages.) >>> >>> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed >>> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed >>> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI >>> enrollment... >>> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI >>> enrollment. >>> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI >>> enrollment... >>> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI >>> enrollment. >>> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] >>> Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profile >>> Review: Problem with the SSL CA cert (path? access rights?). >>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request >>> to dogtag-ipa-renew-agent >>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: >>> dogtag-ipa-renew-agent returned 3 >>> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] >>> Error 77 connecting to >>> https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the >>> SSL CA cert (path? access rights?). >>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request >>> to dogtag-ipa-renew-agent >>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: >>> dogtag-ipa-renew-agent returned 3 >>> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] >>> Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: >>> Problem with the SSL CA cert (path? access rights?). >>> >> Ok, I think I know what is going on. This is Ubuntu which AFAIK still >> lacks nss-pem. That is probably why it can't connect to renew the certs. >> >> I don't know if there is a workaround. Timo, do you know? > Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've > never tested cert renewal though. >
Does that mean, I'm screwed? What options do I have? Live with it? Migrate to, say Centos? Try to upgrade the server to Ubuntu 18.04 (with uncertainty whether it will work)? Something else? -- Kees _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org