On 26-10-18 17:33, Timo Aaltonen wrote:
> On 26.10.2018 18.30, Kees Bakker wrote:
>> On 26-10-18 14:55, Timo Aaltonen wrote:
>>> On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote:
>>>> On 25-10-18 20:46, Timo Aaltonen wrote:
>>>>> On 25.10.2018 21.44, Rob Crittenden wrote:
>>>>>> Kees Bakker wrote:
>>>>>>> On 25-10-18 16:11, Rob Crittenden wrote:
>>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>>> On 25-10-18 14:18, Rob Crittenden wrote:
>>>>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>>>>> Could it be that this error already existed since we started? Notice
>>>>>>>>>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>>>>>>>>>
>>>>>>>>>>> # getcert list -n ipaCert | sed blabla
>>>>>>>>>>> Number of certificates and requests being tracked: 8.
>>>>>>>>>>> Request ID '20161103094546':
>>>>>>>>>>>         status: CA_UNREACHABLE
>>>>>>>>>>>         ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>>>>>         stuck: no
>>>>>>>>>>>         key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>>>>>>>>>>         certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>>         CA: dogtag-ipa-ca-renew-agent
>>>>>>>>>>>         issuer: CN=Certificate Authority,O=MYDOMAIN
>>>>>>>>>>>         subject: CN=IPA RA,O=MYDOMAIN
>>>>>>>>>>>         expires: 2018-10-24 08:45:40 UTC
>>>>>>>>>>>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>         eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>         pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>>>>>>>>>>         post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>>>>>>>>>>         track: yes
>>>>>>>>>>>         auto-renew: yes
>>>>>>>>>>>
>>>>>>>>>>> In other words, is this the same issue as
>>>>>>>>>>> https://pagure.io/freeipa/issue/7422 ?
>>>>>>>>>> The problem is your certs expired yesterday so connections won't work
>>>>>>>>>> (the code and message don't come from within certmonger).
>>>>>>>>>>
>>>>>>>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a
>>>>>>>>>> few days, restart krb5kdc, dirsrv, httpd and the CA, then certmonger, and
>>>>>>>>>> see what happens.
>>>>>>>>>>
>>>>>>>>> Easy for you to say. You know what you're doing :-)
>>>>>>>>> For me it's all magic.
>>>>>>>>>
>>>>>>>>> Anyway, I'll try it. I'm just scared to set the clock back, because there
>>>>>>>>> may be clients in the network that use this server as an NTP server.
>>>>>>>>>
>>>>>>>>> Another thing I want to mention is that the error started showing up two
>>>>>>>>> days ago, on Oct 22, while the expiration is today, Oct 24.
>>>>>>>>>
>>>>>>>> It shouldn't take more than a few minutes to roll back time, restart
>>>>>>>> services and see what happens. I think your NTP clients will be able to
>>>>>>>> recover ok if the server is not available for a few minutes.
>>>>>>>>
>>>>>>>> certmonger logs to syslog so you probably want to look at that to see if
>>>>>>>> you can find a reason the certs weren't renewed automatically.
>>>>>>>>
>>>>>>> No, that didn't help.
>>>>>>> And in the syslog there was nothing more than this. (I had to stop the
>>>>>>> nameserver because it was spitting out lots of messages.)
>>>>>>>
>>>>>>> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
>>>>>>> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
>>>>>>> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>>> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>>> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>
>>>>>> Ok, I think I know what is going on. This is Ubuntu which AFAIK still
>>>>>> lacks nss-pem. That is probably why it can't connect to renew the certs.
>>>>>>
>>>>>> I don't know if there is a workaround. Timo, do you know?
>>>>> Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've
>>>>> never tested cert renewal though.
>>>>>
>>>> Does that mean I'm screwed? What options do I have?
>>>> Live with it?
>>>> Migrate to, say, CentOS?
>>>> Try to upgrade the server to Ubuntu 18.04 (with uncertainty whether it
>>>> will work)?
>>>> Something else?
>>> Stock 18.04 has other issues; there's an updated version on
>>> ppa:freeipa/staging which is backported from 18.10 and should be fine,
>>> and hopefully provided as a stable update on 18.04 later on.
>>>
>>> But you could try pulling libnsspem from 18.04, and *then* roll back time?
>>>
>> I'm on Ubuntu 16.04. The PPA has no packages for xenial.
>> Err:5 http://ppa.launchpad.net/freeipa/staging/ubuntu xenial Release
>>   404 Not Found
> That's why I said "from 18.04"
>
Ah, OK

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
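Rob's diagnosis and the roll-back procedure above boil down to three checks a practitioner wants to make quickly on a server like this: which tracked requests certmonger has given up on, what the libcurl code in the ca-error actually means (as Rob notes, the "Error 77 ... Problem with the SSL CA cert" text is libcurl's curl_easy_strerror() output relayed by the dogtag helper, not a certmonger message), and how far back the clock would have to go for the renewal to run before expiry. The script below is an added example, not code from the thread or from the FreeIPA project. It parses the text format `getcert list` prints, using a constructed sample modelled on the output quoted above (one failing IPA RA entry plus one healthy entry). The renewal window (`window_days`) is an assumption chosen for illustration, not a certmonger default, and the libcurl code table is a hand-maintained subset. In practice you would feed it `getcert list` output on stdin instead of the embedded sample.

```python
"""Triage `getcert list` output on a FreeIPA server whose renewals fail.

Added example, not from the thread or the FreeIPA project. Finds tracked
requests that are not simply MONITORING, names the libcurl code behind the
ca-error, and computes the clock roll-back point at which certmonger would
still have been inside its renewal window.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample modelled on the output quoted in the thread (indentation
# uses spaces here; real getcert output uses a tab). Second entry is healthy.
SAMPLE_GETCERT_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20161103094546':
        status: CA_UNREACHABLE
        ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        issuer: CN=Certificate Authority,O=MYDOMAIN
        subject: CN=IPA RA,O=MYDOMAIN
        expires: 2018-10-24 08:45:40 UTC
        track: yes
        auto-renew: yes
Request ID '20161103094600':
        status: MONITORING
        stuck: no
        CA: IPA
        subject: CN=ipasrv.mydomain,O=MYDOMAIN
        expires: 2020-11-03 09:46:00 UTC
        track: yes
        auto-renew: yes
"""

# Hand-maintained subset of libcurl result codes. The dogtag renew helper
# relays the libcurl code and curl_easy_strerror() text verbatim.
LIBCURL_CODES = {
    7: "CURLE_COULDNT_CONNECT",
    28: "CURLE_OPERATION_TIMEDOUT",
    35: "CURLE_SSL_CONNECT_ERROR",
    60: "CURLE_PEER_FAILED_VERIFICATION",
    77: "CURLE_SSL_CACERT_BADFILE",
}


def parse_utc(text: str) -> datetime:
    """Parse the 'YYYY-MM-DD HH:MM:SS UTC' timestamps getcert prints."""
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


@dataclass
class TrackedCert:
    request_id: str
    fields: dict = field(default_factory=dict)

    @property
    def status(self) -> str:
        return self.fields.get("status", "")

    @property
    def expires(self) -> Optional[datetime]:
        raw = self.fields.get("expires")
        return parse_utc(raw) if raw else None


def parse_getcert_list(text: str) -> list[TrackedCert]:
    """Split `getcert list` output into one record per Request ID line."""
    certs: list[TrackedCert] = []
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            certs.append(TrackedCert(request_id=m.group(1)))
            continue
        # Indented 'key: value' lines belong to the current record; split on
        # the first ': ' only, since ca-error values contain URLs with colons.
        if certs and line[:1].isspace() and ": " in line:
            key, value = line.strip().split(": ", 1)
            certs[-1].fields[key] = value
    return certs


def classify_ca_error(message: str) -> tuple[Optional[int], str]:
    """Pull the numeric code out of 'Error NN connecting to ...' and name it."""
    m = re.match(r"Error (\d+) connecting to", message)
    if not m:
        return None, "not a libcurl connection error"
    code = int(m.group(1))
    return code, LIBCURL_CODES.get(code, "unknown libcurl code")


def failing_requests(certs: list[TrackedCert]) -> list[TrackedCert]:
    """Anything tracked but not plainly MONITORING (e.g. CA_UNREACHABLE)."""
    return [c for c in certs if c.status != "MONITORING"]


def rollback_target(certs: list[TrackedCert], now: datetime, window_days: int) -> Optional[datetime]:
    """Earliest failing expiry minus the renewal window, or None if that point
    is still ahead of `now` (then retry renewal in place; no clock change).
    window_days is an illustrative assumption, not a certmonger default."""
    expiries = [c.expires for c in failing_requests(certs) if c.expires]
    if not expiries:
        return None
    target = min(expiries) - timedelta(days=window_days)
    return target if target < now else None


if __name__ == "__main__":
    certs = parse_getcert_list(SAMPLE_GETCERT_OUTPUT)
    for c in failing_requests(certs):
        code, name = classify_ca_error(c.fields.get("ca-error", ""))
        print(f"{c.request_id} {c.fields.get('subject')}: {c.status} "
              f"(libcurl {code} {name}), expires {c.expires}")
    target = rollback_target(certs, datetime.now(timezone.utc), window_days=14)
    if target:
        print("clock would have to go back to about", target.isoformat())
```

Setting the clock back only buys a renewal attempt; if the helper still cannot complete the TLS connection to the CA (here libcurl 77, a CA bundle it cannot read or use), the resubmit fails again exactly as the syslog excerpt above shows, so fix the connection problem first and roll back time second.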