Hi, what is the full output of *ipa-cert-fix -v* (verbose)? The command internally calls "*pki-server cert-fix*", and you will be able to find the exact arguments list provided in the logs. Retry the same "pki-server cert-fix" command with -v option and we will get more information about what is going wrong.
flo

On Wed, Sep 15, 2021 at 2:29 PM Marc Boorshtein <marc.boorsht...@tremolosecurity.com> wrote:

>
>>
>> It seems that 2 different repair procedures were mixed: go back in time
>> and use ipa-cert-fix. With ipa-cert-fix you don't need to change the
>> current time. In order to fix the issue, we need to have the full picture:
>> - what is the full output of getcert list (please include the "current"
>> date on the system for us to know which certs are considered still valid)
>> - which node is the renewal master (ipa config-show | grep "IPA CA
>> renewal master")
>>
>
> Yes, I had to turn back the clock because the directory server wouldn't
> start, causing ipa-cert-fix to not work. Here's the full output:
>
> [root@freeipa ~]# getcert list
> Number of certificates and requests being tracked: 9.
> Request ID '20180504194716':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=FILE,location='/var/kerberos/krb5kdc/kdc.key'
>         certificate: type=FILE,location='/var/kerberos/krb5kdc/kdc.crt'
>         CA: SelfSign
>         issuer: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>         subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>         expires: 2022-02-11 18:03:36 UTC
>         principal name: krbtgt/rhelent....@rhelent.lan
>         certificate template/profile: KDCs_PKINIT_Certs
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/renew_kdc_cert
>         track: yes
>         auto-renew: yes
> Request ID '20210601131816':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=CA Audit,O=RHELENT.LAN
>         expires: 2023-05-01 18:06:01 UTC
>         key usage: digitalSignature,nonRepudiation
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20210601131818':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=OCSP Subsystem,O=RHELENT.LAN
>         expires: 2023-05-01 18:04:04 UTC
>         eku: id-kp-OCSPSigning
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20210601131820':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=CA Subsystem,O=RHELENT.LAN
>         expires: 2023-05-01 18:04:11 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20210601131821':
>         status: MONITORING
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=Certificate Authority,O=RHELENT.LAN
>         expires: 2035-09-03 19:24:04 UTC
>         key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20210601131823':
>         status: NEED_TO_SUBMIT
>         ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         stuck: no
>         key pair storage: type=FILE,location='/var/lib/ipa/ra-agent.key'
>         certificate: type=FILE,location='/var/lib/ipa/ra-agent.pem'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=IPA RA,O=RHELENT.LAN
>         expires: 2021-06-08 16:52:45 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/renew_ra_cert_pre
>         post-save command: /usr/libexec/ipa/certmonger/renew_ra_cert
>         track: yes
>         auto-renew: yes
> Request ID '20210601131824':
>         status: NEED_TO_SUBMIT
>         ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>         certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>         CA: dogtag-ipa-ca-renew-agent
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>         expires: 2021-06-08 16:53:15 UTC
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command: /usr/libexec/ipa/certmonger/stop_pkicad
>         post-save command: /usr/libexec/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>         track: yes
>         auto-renew: yes
> Request ID '20210601131827':
>         status: NEED_TO_SUBMIT
>         ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-RHELENT-LAN/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/dirsrv/slapd-RHELENT-LAN',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>         expires: 2021-07-11 16:52:10 UTC
>         principal name: ldap/freeipa.rhelent....@rhelent.lan
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv RHELENT-LAN
>         track: yes
>         auto-renew: yes
> Request ID '20210601131835':
>         status: NEED_TO_SUBMIT
>         ca-error: Server at https://freeipa.rhelent.lan/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Peer's Certificate has expired.).
>         stuck: no
>         key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>         certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
>         CA: IPA
>         issuer: CN=Certificate Authority,O=RHELENT.LAN
>         subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>         expires: 2021-07-12 16:52:09 UTC
>         principal name: HTTP/freeipa.rhelent....@rhelent.lan
>         key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>         eku: id-kp-serverAuth,id-kp-clientAuth
>         pre-save command:
>         post-save command: /usr/libexec/ipa/certmonger/restart_httpd
>         track: yes
>         auto-renew: yes
>
> There's only one node.
>
>
>>
>> The request ID for "Server-Cert cert-pki-ca" (as displayed by getcert
>> list) is 20210601131824, meaning that the corresponding request file can be
>> found with
>> # grep -l "id=20210601131824" /var/lib/certmonger/requests/*
>>
>
> Ah, found it. It was in a different file than I expected. Thank you. I
> moved that CSR into /etc/pki/pki-tomcat/ca/CS.cfg but still no luck (with
> the current date):
>
> # ipa-cert-fix
>
>                                     WARNING
>
> ipa-cert-fix is intended for recovery when expired certificates
> prevent the normal operation of IPA.  It should ONLY be used
> in such scenarios, and backup of the system, especially certificates
> and keys, is STRONGLY RECOMMENDED.
>
>
> The following certificates will be renewed:
>
> Dogtag sslserver certificate:
>   Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>   Serial:  23
>   Expires: 2021-06-08 16:53:15
>
> IPA IPA RA certificate:
>   Subject: CN=IPA RA,O=RHELENT.LAN
>   Serial:  21
>   Expires: 2021-06-08 16:52:45
>
> IPA Apache HTTPS certificate:
>   Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>   Serial:  26
>   Expires: 2021-07-12 16:52:09
>
> IPA LDAP certificate:
>   Subject: CN=freeipa.rhelent.lan,O=RHELENT.LAN
>   Serial:  25
>   Expires: 2021-07-11 16:52:10
>
> Enter "yes" to proceed: yes
> Proceeding.
> [Errno 2] No such file or directory: '/etc/pki/pki-tomcat/certs/sslserver.crt'
> The ipa-cert-fix command failed.
>
>
> Thanks
> Marc
>
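The two manual steps in the thread (judging which `getcert list` entries are already expired against the system clock, and locating the certmonger request file for a given request ID) lend themselves to a small script. The one below is an added example, not code from the thread or from FreeIPA; the function names, the sample output (trimmed from the `getcert list` output above) and the temporary directory used in place of `/var/lib/certmonger/requests` are all constructed for the example.

```shell
#!/bin/sh
# Added example, not FreeIPA code. Read `getcert list` output on stdin and print
# one line per tracked request:  <request id> <status> <expires> <EXPIRED|ok>
# $1 is the reference time in "YYYY-MM-DD HH:MM:SS" UTC form, i.e. the clock the
# certificates are judged against. getcert prints ISO timestamps in UTC, so a
# plain string comparison orders them correctly and no date(1) parsing is needed.
getcert_expiry_report() {
    awk -v ref="$1" '
        function flush(verdict) {
            if (id != "") {
                verdict = (expires != "" && expires < ref) ? "EXPIRED" : "ok"
                printf "%s %s %s %s\n", id, status, expires, verdict
            }
            id = ""; status = ""; expires = ""
        }
        /^Request ID/ {              # start of a new entry: emit the previous one
            flush()
            match($0, /[0-9]+/)      # the quoted request ID is the first run of digits
            id = substr($0, RSTART, RLENGTH)
            next
        }
        /^[[:space:]]*status:/  { status = $2; next }
        /^[[:space:]]*expires:/ { expires = $2 " " $3; next }  # "YYYY-MM-DD HH:MM:SS UTC"
        END { flush() }
    '
}

# Locate the certmonger request file for a request ID, the lookup the thread
# shows with grep -l. $2 optionally overrides the directory so the function can
# be exercised against a constructed copy without root or a real IPA host.
certmonger_request_file() {
    grep -l "id=$1" "${2:-/var/lib/certmonger/requests}"/* 2>/dev/null
}

# Constructed sample: two entries trimmed from the getcert output in the thread,
# one healthy KDC cert and the expired Dogtag "Server-Cert cert-pki-ca".
sample_getcert() {
cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20180504194716':
        status: MONITORING
        stuck: no
        CA: SelfSign
        expires: 2022-02-11 18:03:36 UTC
        track: yes
Request ID '20210601131824':
        status: NEED_TO_SUBMIT
        ca-error: Error 7 connecting to http://freeipa.rhelent.lan:8080/ca/ee/ca/profileSubmit: Couldn't connect to server.
        stuck: no
        CA: dogtag-ipa-ca-renew-agent
        expires: 2021-06-08 16:53:15 UTC
        track: yes
EOF
}

# Usage: judge the sample against the date of the thread, then against a clock
# rolled back to 2021-06-01, which is what "turning back the clock" does to the
# validity picture (the second run reports the Dogtag cert as still ok).
sample_getcert | getcert_expiry_report "2021-09-15 00:00:00"
sample_getcert | getcert_expiry_report "2021-06-01 00:00:00"
```

On a real server, `getcert list | getcert_expiry_report "$(date -u '+%Y-%m-%d %H:%M:%S')"` gives the picture Florence asked for in one go, and `certmonger_request_file 20210601131824` prints the file to inspect; the file name under `/var/lib/certmonger/requests/` is not the request ID, which is why the grep is needed.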
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure