On 26-10-18 14:55, Timo Aaltonen wrote: > On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote: >> On 25-10-18 20:46, Timo Aaltonen wrote: >>> On 25.10.2018 21.44, Rob Crittenden wrote: >>>> Kees Bakker wrote: >>>>> On 25-10-18 16:11, Rob Crittenden wrote: >>>>>> Kees Bakker via FreeIPA-users wrote: >>>>>>> On 25-10-18 14:18, Rob Crittenden wrote: >>>>>>>> Kees Bakker via FreeIPA-users wrote: >>>>>>>>> Could it be that this error already existed since we started? Notice >>>>>>>>> the Request ID of 2016..., and the expires: 2018-10-24. >>>>>>>>> >>>>>>>>> # getcert list -n ipaCert | sed blabla >>>>>>>>> Number of certificates and requests being tracked: 8. >>>>>>>>> Request ID '20161103094546': >>>>>>>>> status: CA_UNREACHABLE >>>>>>>>> ca-error: Error 77 connecting to >>>>>>>>> https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with >>>>>>>>> the SSL CA cert (path? access rights?). >>>>>>>>> stuck: no >>>>>>>>> key pair storage: >>>>>>>>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS >>>>>>>>> Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt' >>>>>>>>> certificate: >>>>>>>>> type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS >>>>>>>>> Certificate DB' >>>>>>>>> CA: dogtag-ipa-ca-renew-agent >>>>>>>>> issuer: CN=Certificate Authority,O=MYDOMAIN >>>>>>>>> subject: CN=IPA RA,O=MYDOMAIN >>>>>>>>> expires: 2018-10-24 08:45:40 UTC >>>>>>>>> key usage: >>>>>>>>> digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment >>>>>>>>> eku: id-kp-serverAuth,id-kp-clientAuth >>>>>>>>> pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre >>>>>>>>> post-save command: /usr/lib/ipa/certmonger/renew_ra_cert >>>>>>>>> track: yes >>>>>>>>> auto-renew: yes >>>>>>>>> >>>>>>>>> In other words, is this the same issue as >>>>>>>>> https://pagure.io/freeipa/issue/7422 ? >>>>>>>> The problem is your certs expired yesterday so connections won't work >>>>>>>> (the code and message don't come from within certmonger). >>>>>>>> >>>>>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a >>>>>>>> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and >>>>>>>> see what happens. >>>>>>>> >>>>>>> Easy for you to say. You know what you're doing :-) >>>>>>> For me it's all magic. >>>>>>> >>>>>>> Anyway, I'll try it. I'm just scared to set the clock back, because >>>>>>> there may >>>>>>> be clients in the network that use this server as a NTP server. >>>>>>> >>>>>>> Another thing I want to mention is that the error started showing up >>>>>>> two days >>>>>>> ago, on Oct 22, while the expiration is today, Oct 24. >>>>>>> >>>>>> It shouldn't take more than a few minutes to roll back time, restart >>>>>> services and see what happens. I think your NTP clients will be able to >>>>>> recover ok if the server is not available for a few minutes. >>>>>> >>>>>> certmonger logs to syslog so you probably want to look at that to see if >>>>>> you can find a reason the certs weren't renewed automatically. >>>>>> >>>>> No, that didn't help. >>>>> And in the syslog there was nothing more than this. (I had to stop the >>>>> nameserver because it was spitting out lots of messages.) >>>>> >>>>> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed >>>>> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed >>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and >>>>> PKI enrollment... >>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI >>>>> enrollment. >>>>> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and >>>>> PKI enrollment... >>>>> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI >>>>> enrollment. >>>>> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] >>>>> Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profile >>>>> Review: Problem with the SSL CA cert (path? access rights?). >>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding >>>>> request to dogtag-ipa-renew-agent >>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: >>>>> dogtag-ipa-renew-agent returned 3 >>>>> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] >>>>> Error 77 connecting to >>>>> https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the >>>>> SSL CA cert (path? access rights?). >>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding >>>>> request to dogtag-ipa-renew-agent >>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: >>>>> dogtag-ipa-renew-agent returned 3 >>>>> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] >>>>> Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: >>>>> Problem with the SSL CA cert (path? access rights?). >>>>> >>>> Ok, I think I know what is going on. This is Ubuntu which AFAIK still >>>> lacks nss-pem. That is probably why it can't connect to renew the certs. >>>> >>>> I don't know if there is a workaround. Timo, do you know? >>> Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've >>> never tested cert renewal though. >>> >> Does that mean, I'm screwed? What options do I have? >> Live with it? >> Migrate to, say Centos? >> Try to upgrade the server to Ubuntu 18.04 (with uncertainty whether it will >> work)? >> Something else? > Stock 18.04 has other issues, there's an updated version on > ppa:freeipa/staging which is backported from 18.10 and should be fine > and hopefully provided as a stable update on 18.04 later on. > > But you could try pulling libnsspem from 18.04, and *then* roll back time? >
I installed libnsspem_1.0.3-0ubuntu2_amd64.deb Then I stopped ntp (and bind). Set the time back to Oct 11 Restarted krb5-kdc, dirsrv@MYDOMAIN, apache2, pki-tomcatd, certmonger (in that order). Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3 Oct 11 06:08:03 ipasrv certmonger[168327]: 2018-10-11 06:08:03 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. Oct 11 06:08:12 ipasrv certmonger[168327]: 2018-10-11 06:08:12 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates. :-( Rob said also to restart CA. "restart krb5kdc, dirsrv, httpd and the CA then certmonger" I don't know which service that is. Does that matter? -- Kees _______________________________________________ FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org