Hello,

I have a strange issue regarding the ACME service.
My ACME certificates fail to renew. `ipa-acme-manage status` fails with error:
Failed to authenticate to CA REST API
The ipa-acme-manage command failed.

certbot client fails with error "Failed to renew certificate office.empire.lan with error: <Response [404]>"

$ ipa cert-show 49
 Issuing CA: ipa
 Certificate: "The certificate content"
 Subject: CN=office.empire.lan
 Subject DNS name: office.empire.lan
 Issuer: CN=Certificate Authority,O=EMPIRE.LAN
 Not Before: Sun Dec 24 14:05:50 2023 UTC
 Not After: Sat Mar 23 14:05:50 2024 UTC
 Serial number: 49
 Serial number (hex): 0x31
 Revoked: False

So the last successful renewal was on Dec 24th. Since then I have not really done anything apart from updating.
I don't see any issue in ipaupgrade.log

I am running on CentOS Stream 9
idm-jss.x86_64 5.5.0-1.el9
idm-jss-tomcat.x86_64 5.5.0-1.el9
idm-ldapjdk.noarch 5.5.0-1.el9
idm-pki-acme.noarch 11.5.0-1.el9
idm-pki-base.noarch 11.5.0-1.el9
idm-pki-ca.noarch 11.5.0-1.el9
idm-pki-java.noarch 11.5.0-1.el9
idm-pki-kra.noarch 11.5.0-1.el9
idm-pki-server.noarch 11.5.0-1.el9
idm-pki-tools.x86_64 11.5.0-1.el9
ipa-client.x86_64 4.11.0-9.el9
ipa-client-common.noarch 4.11.0-9.el9
ipa-common.noarch 4.11.0-9.el9
ipa-healthcheck.noarch 0.16-2.el9
ipa-healthcheck-core.noarch 0.16-2.el9
ipa-selinux.noarch 4.11.0-9.el9
ipa-server.x86_64 4.11.0-9.el9
ipa-server-common.noarch 4.11.0-9.el9
ipa-server-dns.noarch 4.11.0-9.el9

I have followed the update on CentOS Stream 9 closely.

Running `ipa-acme-manage status` with the -d switch gives me
ipapython.ipaldap: DEBUG: retrieving schema for SchemaCache url=ldapi://%2fvar%2frun%2fslapd-EMPIRE-LAN.socket conn=<ldap.ldapobject.SimpleLDAPObject object at 0x7f123c07e2e0>
ipaserver.masters: DEBUG: Discovery: available servers for service 'CA' are ipa-server-01.empire.lan, ipa-server-02.empire.lan
ipaserver.masters: DEBUG: Discovery: using ipa-server-01.empire.lan for 'CA' service
ipapython.dogtag: DEBUG: request POST https://ipa-server-01.empire.lan:8443/acme/login
ipapython.dogtag: DEBUG: request body ''
ipapython.dogtag: DEBUG: response status 404
ipapython.dogtag: DEBUG: response headers Content-Type: text/html;charset=utf-8
Content-Language: en
Content-Length: 765
Date: Thu, 28 Mar 2024 10:00:59 GMT

ipapython.dogtag: DEBUG: response body (decoded): b'<!doctype html><html lang="en"><head><title>HTTP Status 404 \xe2\x80\x93 Not Found</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 404 \xe2\x80\x93 Not Found</h1><hr class="line" /><p><b>Type</b> Status Report</p><p><b>Message</b> The requested resource [&#47;acme&#47;login] is not available</p><p><b>Description</b> The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.</p><hr class="line" /><h3>Apache Tomcat/9.0.62</h3></body></html>'
ipapython.admintool: DEBUG:   File "/usr/lib/python3.9/site-packages/ipapython/admintool.py", line 180, in execute
    return_value = self.run()
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py", line 403, in run
    with state as ca_api:
  File "/usr/lib/python3.9/site-packages/ipaserver/install/ipa_acme_manage.py", line 103, in __enter__
    raise errors.RemoteRetrieveError(

ipapython.admintool: DEBUG: The ipa-acme-manage command failed, exception: RemoteRetrieveError: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: Failed to authenticate to CA REST API
ipapython.admintool: ERROR: The ipa-acme-manage command failed.

So it looks like the ACME subsystem is not started. But the logs for the ACME subsystem in /var/log/pki/pki-tomcat/acme/debug.2024-03-28.log don't show any issue. (see attached log)

How can I go further in troubleshooting/fixing this issue?

Thanks

2024-03-28 11:06:12 [main] INFO: Starting ACME engine
2024-03-28 11:06:12 [main] INFO: ACME configuration directory: /var/lib/pki/pki-tomcat/conf/acme
2024-03-28 11:06:12 [main] INFO: Loading ACME engine config from /var/lib/pki/pki-tomcat/conf/acme/engine.conf
2024-03-28 11:06:12 [main] INFO: - enabled: false
2024-03-28 11:06:12 [main] INFO: - base URL: https://ipa-server-01.empire.lan/acme
2024-03-28 11:06:12 [main] INFO: - nonces persistent: null
2024-03-28 11:06:12 [main] INFO: - wildcard: false
2024-03-28 11:06:12 [main] INFO: - nonce retention: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO: - authorization retention:
2024-03-28 11:06:12 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO: - order retention:
2024-03-28 11:06:12 [main] INFO:   - pending: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO:   - invalid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO:   - ready: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO:   - processing: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO:   - valid: {
  "length" : 30,
  "unit" : "MINUTES"
}
2024-03-28 11:06:12 [main] INFO: - certificate retention: {
  "length" : 30,
  "unit" : "DAYS"
}
2024-03-28 11:06:12 [main] INFO: Loading ACME metadata from /usr/share/pki/acme/conf/metadata.conf
2024-03-28 11:06:12 [main] INFO: Loading ACME database config from /var/lib/pki/pki-tomcat/conf/acme/database.conf
2024-03-28 11:06:12 [main] INFO: Initializing ACME database
2024-03-28 11:06:12 [main] INFO: Loading LDAP database configuration from /etc/pki/pki-tomcat/ca/CS.cfg
2024-03-28 11:06:12 [main] WARNING: The basedn parameter has been deprecated. Use baseDN instead.
2024-03-28 11:06:12 [main] INFO: - base DN: ou=acme,o=ipaca
2024-03-28 11:06:12 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-03-28 11:06:12 [main] INFO: PKISocketFactory: Creating SSL socket for ipa-server-01.empire.lan:636
2024-03-28 11:06:13 [main] INFO: - monitor enabled: null
2024-03-28 11:06:13 [main] INFO: Loading ACME validators config from /usr/share/pki/acme/conf/validators.conf
2024-03-28 11:06:13 [main] INFO: Initializing ACME validators
2024-03-28 11:06:13 [main] INFO: Initializing dns-01 validator
2024-03-28 11:06:13 [main] INFO: Initializing http-01 validator
2024-03-28 11:06:13 [main] INFO: Loading ACME issuer config from /var/lib/pki/pki-tomcat/conf/acme/issuer.conf
2024-03-28 11:06:13 [main] INFO: Initializing ACME issuer
2024-03-28 11:06:13 [main] INFO: Initializing PKI issuer
2024-03-28 11:06:13 [main] INFO: - URL: https://ipa-server-01.empire.lan:8443
2024-03-28 11:06:13 [main] INFO: - username: acme-ipa-server-01.empire.lan
2024-03-28 11:06:13 [main] INFO: - profile: acmeIPAServerCert
2024-03-28 11:06:13 [main] INFO: Loading ACME scheduler config from /usr/share/pki/acme/conf/scheduler.conf
2024-03-28 11:06:13 [main] INFO: Initializing ACME scheduler
2024-03-28 11:06:13 [main] INFO: Initializing ACME scheduler
2024-03-28 11:06:13 [main] INFO: - threads: 1
2024-03-28 11:06:13 [main] INFO: Initializing maintenance task
2024-03-28 11:06:13 [main] INFO: - initial delay: 5
2024-03-28 11:06:13 [main] INFO: - delay: 5
2024-03-28 11:06:13 [main] INFO: - interval: null
2024-03-28 11:06:13 [main] INFO: - unit: MINUTES
2024-03-28 11:06:13 [main] INFO: Loading ACME monitors config from /var/lib/pki/pki-tomcat/conf/acme/configsources.conf
2024-03-28 11:06:13 [main] INFO: ACME service is DISABLED by configuration
2024-03-28 11:06:13 [main] INFO: ACME wildcard issuance is DISABLED by configuration
2024-03-28 11:06:13 [main] INFO: Loading ACME realm config from /var/lib/pki/pki-tomcat/conf/acme/realm.conf
2024-03-28 11:06:13 [main] INFO: Initializing ACME realm
2024-03-28 11:06:13 [ACMEEngineConfigFileSource] INFO: ACMEEngineConfigSource: watching /etc/pki/pki-tomcat/acme/engine.conf
2024-03-28 11:06:13 [main] INFO: Initializing LDAP realm
2024-03-28 11:06:13 [main] INFO: Loading LDAP realm config from /etc/pki/pki-tomcat/ca/CS.cfg
2024-03-28 11:06:13 [main] INFO: - users DN: ou=people,o=ipaca
2024-03-28 11:06:13 [main] INFO: - groups DN: ou=groups,o=ipaca
2024-03-28 11:06:13 [main] INFO: PKISocketFactory: Initializing PKISocketFactory
2024-03-28 11:06:13 [main] INFO: PKISocketFactory: Creating SSL socket for ipa-server-01.empire.lan:636
2024-03-28 11:06:13 [main] INFO: ACME engine started
2024-03-28 11:06:13 [main] INFO: Initializing ACMEApplication

[
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "9c4b25d0-99a2-4423-b019-1ce6cc9aebe1",
    "when": "20240328103638Z",
    "duration": "0.372848",
    "kw": {
      "key": "caSigningCert cert-pki-ca",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate ca.signing.cert not found in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "f6f96aff-5cab-42cc-8146-8a977e414ff7",
    "when": "20240328103638Z",
    "duration": "0.374131",
    "kw": {
      "key": "ocspSigningCert cert-pki-ca",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate ca.ocsp_signing.cert not found in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "8cdcba80-6186-4575-8a5f-e7cd50baadda",
    "when": "20240328103638Z",
    "duration": "0.374991",
    "kw": {
      "key": "subsystemCert cert-pki-ca",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate ca.subsystem.cert not found in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "b756144f-db95-4313-bca2-cde5deb3847a",
    "when": "20240328103638Z",
    "duration": "0.375804",
    "kw": {
      "key": "auditSigningCert cert-pki-ca",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate ca.audit_signing.cert not found in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  },
  {
    "source": "ipahealthcheck.dogtag.ca",
    "check": "DogtagCertsConfigCheck",
    "result": "ERROR",
    "uuid": "bd303d13-f971-4b31-bbba-84bb24a1c813",
    "when": "20240328103638Z",
    "duration": "0.376641",
    "kw": {
      "key": "Server-Cert cert-pki-ca",
      "configfile": "/var/lib/pki/pki-tomcat/conf/ca/CS.cfg",
      "msg": "Certificate ca.sslserver.cert not found in /var/lib/pki/pki-tomcat/conf/ca/CS.cfg"
    }
  }
]
--
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
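The attached engine log echoes the effective engine.conf settings (including the enabled flag) and the healthcheck output lists failing checks; the helper below is an added example, not code from the post or from the FreeIPA/Dogtag projects, that parses such log lines and healthcheck JSON to surface the logged settings, the enabled state and any WARNING/DISABLED/ERROR entries. The log-line format is assumed from the lines quoted above, and the sample input inside is constructed from them.

```python
"""Parse Dogtag ACME engine log lines and ipa-healthcheck JSON (added example,
not code from the post or from FreeIPA/pki; sample input is constructed)."""
import json
import re

# Log line format seen in the post: "<date> <time> [<thread>] <LEVEL>: <message>"
LOG_RE = re.compile(r"^\S+ \S+ \[[^\]]+\] (\w+): (.*)$")
# "- key: value" settings echoed while the engine loads its config files
KV_RE = re.compile(r"^-\s*([^:]+):\s*(.*)$")

def parse_acme_engine_log(text):
    """Return (settings dict, notable messages) parsed from engine log text."""
    settings, notable = {}, []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # mail-wrapped continuation lines carry no level/message
        level, msg = m.groups()
        kv = KV_RE.match(msg.strip())
        if kv:
            settings[kv.group(1).strip()] = kv.group(2).strip()
        if "DISABLED" in msg or level in ("WARNING", "ERROR", "SEVERE"):
            notable.append(msg)
    return settings, notable

def acme_enabled(settings):
    """True only when engine.conf's 'enabled' flag was logged as true."""
    return settings.get("enabled", "false").strip().lower() == "true"

def healthcheck_errors(json_text):
    """(check, key, msg) for each ipa-healthcheck result that is not SUCCESS."""
    return [(r["check"], r["kw"].get("key"), r["kw"].get("msg"))
            for r in json.loads(json_text) if r["result"] != "SUCCESS"]

# Constructed sample, shaped like the lines quoted in the thread.
SAMPLE_LOG = """\
2024-03-28 11:06:12 [main] INFO: - enabled: false
2024-03-28 11:06:12 [main] INFO: - base URL: https://ipa-server-01.empire.lan/acme
2024-03-28 11:06:12 [main] WARNING: The basedn parameter has been deprecated.
2024-03-28 11:06:13 [main] INFO: ACME service is DISABLED by configuration
2024-03-28 11:06:13 [main] INFO: ACME engine started
"""
SAMPLE_HC = json.dumps([{"check": "DogtagCertsConfigCheck", "result": "ERROR", "kw": {
    "key": "caSigningCert cert-pki-ca", "msg": "Certificate ca.signing.cert not found"}}])

if __name__ == "__main__":
    cfg, notes = parse_acme_engine_log(SAMPLE_LOG)
    print("ACME enabled:", acme_enabled(cfg), "| notable:", notes)
    print("healthcheck errors:", healthcheck_errors(SAMPLE_HC))
```

Point it at the real debug log and the JSON output of `ipa-healthcheck` to get the same summary for a live server.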