On Mon, 09 Sep 2024, Nick Allen via FreeIPA-users wrote:
Hello, we have two FreeIPA servers, one is configured as CA master. We
noticed the 2-year expiration of the certificates on one of the replicas is
approaching and the auto-renewal is failing with a CA_UNREACHABLE status,
error code 4001.

Note that these two FreeIPA servers are replicas of a since decommissioned
original that was removed from the topology a while back.

Per Florence's suggestion to add debug logs to the http daemon and resend a
cert request (thank you), we see the following errors in
/var/log/httpd/error_log:

This all sounds like IPA CA LDAP entry is missing. It should be added by
the upgrade code, even in IPA 4.6 series.

You can run manually as root on that server:

# ipa-server-upgrade

This should add CA entries. On my system I do have them already, so
running ipa-server-upgrade only looks them up:

[10/Sep/2024:05:42:30.192479317 +0000] conn=5 op=249 SRCH base="cn=cas,cn=ca,dc=ipa1,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[10/Sep/2024:05:42:30.192674713 +0000] conn=5 op=249 RESULT err=0 tag=101 nentries=1 wtime=0.000092394 optime=0.000196278 etime=0.000287429
[10/Sep/2024:05:42:30.192957674 +0000] conn=5 op=250 SRCH base="cn=ipa,cn=cas,cn=ca,dc=ipa1,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[10/Sep/2024:05:42:30.193043505 +0000] conn=5 op=250 RESULT err=0 tag=101 nentries=1 wtime=0.000096161 optime=0.000087393 etime=0.000182432

On your system I'd imagine cn=ipa,cn=cas,cn=ca,.... will not be found
(err=32) and will then follow up with the creation of that entry. You
will see that in the dirsrv logs.



[Mon Sep 09 15:16:37.590119 2024] [:error] [pid 148275] ipa: DEBUG: WSGI
wsgi_dispatch.__call__:
[Mon Sep 09 15:16:37.590182 2024] [:error] [pid 148275] ipa: DEBUG:
KerberosWSGIExecutioner.__call__:
[Mon Sep 09 15:16:37.598332 2024] [:error] [pid 148275] ipa: DEBUG: Created
connection context.ldap2_139787230862608
[Mon Sep 09 15:16:37.598389 2024] [:error] [pid 148275] ipa: DEBUG: WSGI
WSGIExecutioner.__call__:
[Mon Sep 09 15:16:37.603355 2024] [:error] [pid 148275] ipa: DEBUG: raw:
cert_request(u'xxxxxxx', profile_id=u'caIPAserviceCert',
principal=u'ldap/host.company.local@COMPANY.LOCAL', add=True,
version=u'2.51')
[Mon Sep 09 15:16:37.603985 2024] [:error] [pid 148275] ipa: DEBUG:
cert_request(<cryptography.hazmat.backends.openssl.x509._CertificateSigningRequest
object at 0x7f22c5221f90>, request_type=u'pkcs10',
profile_id=u'caIPAserviceCert', cacn=u'ipa',
principal=ipapython.kerberos.Principal('ldap/host.company.local@COMPANY.LOCAL'),
add=True, chain=False, all=False, raw=False, version=u'2.51')
[Mon Sep 09 15:16:37.604207 2024] [:error] [pid 148275] ipa: DEBUG: raw:
ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.604264 2024] [:error] [pid 148275] ipa: DEBUG:
ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.605642 2024] [:error] [pid 148275] ipa: DEBUG:
retrieving schema for SchemaCache
url=ldapi://%2fvar%2frun%2fslapd-COMPANY-LOCAL.socket
conn=<ldap.ldapobject.SimpleLDAPObject instance at 0x7f22bfaa0a70>
[Mon Sep 09 15:16:37.851204 2024] [:error] [pid 148275] ipa: DEBUG: raw:
ca_show(u'ipa', chain=False, all=False, version=u'2.237')
[Mon Sep 09 15:16:37.851345 2024] [:error] [pid 148275] ipa: DEBUG:
ca_show(u'ipa', rights=False, chain=False, all=False, raw=False,
version=u'2.237')
[Mon Sep 09 15:16:37.851457 2024] [:error] [pid 148275] ipa: DEBUG: raw:
ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.851521 2024] [:error] [pid 148275] ipa: DEBUG:
ca_is_enabled(version=u'2.237')
[Mon Sep 09 15:16:37.858466 2024] [:error] [pid 148275] ipa: DEBUG: WSGI
wsgi_execute PublicError: Traceback (most recent call last):
[Mon Sep 09 15:16:37.858486 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipaserver/rpcserver.py", line 369, in
wsgi_execute
[Mon Sep 09 15:16:37.858489 2024] [:error] [pid 148275]     result =
command(*args, **options)
[Mon Sep 09 15:16:37.858506 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Mon Sep 09 15:16:37.858510 2024] [:error] [pid 148275]     return
self.__do_call(*args, **options)
[Mon Sep 09 15:16:37.858512 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in
__do_call
[Mon Sep 09 15:16:37.858515 2024] [:error] [pid 148275]     ret =
self.run(*args, **options)
[Mon Sep 09 15:16:37.858518 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Mon Sep 09 15:16:37.858520 2024] [:error] [pid 148275]     return
self.execute(*args, **options)
[Mon Sep 09 15:16:37.858522 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/cert.py", line 657, in
execute
[Mon Sep 09 15:16:37.858525 2024] [:error] [pid 148275]     ca_obj =
api.Command.ca_show(ca, all=all, chain=chain)['result']
[Mon Sep 09 15:16:37.858527 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 450, in __call__
[Mon Sep 09 15:16:37.858530 2024] [:error] [pid 148275]     return
self.__do_call(*args, **options)
[Mon Sep 09 15:16:37.858532 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 478, in
__do_call
[Mon Sep 09 15:16:37.858535 2024] [:error] [pid 148275]     ret =
self.run(*args, **options)
[Mon Sep 09 15:16:37.858537 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipalib/frontend.py", line 800, in run
[Mon Sep 09 15:16:37.858539 2024] [:error] [pid 148275]     return
self.execute(*args, **options)
[Mon Sep 09 15:16:37.858542 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/ca.py", line 249, in
execute
[Mon Sep 09 15:16:37.858544 2024] [:error] [pid 148275]     result =
super(ca_show, self).execute(*keys, **options)
[Mon Sep 09 15:16:37.858555 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line
1330, in execute
[Mon Sep 09 15:16:37.858557 2024] [:error] [pid 148275]     raise
self.obj.handle_not_found(*keys)
[Mon Sep 09 15:16:37.858560 2024] [:error] [pid 148275]   File
"/usr/lib/python2.7/site-packages/ipaserver/plugins/baseldap.py", line 766,
in handle_not_found
[Mon Sep 09 15:16:37.858562 2024] [:error] [pid 148275]     'pkey': pkey,
'oname': self.object_name,
[Mon Sep 09 15:16:37.858565 2024] [:error] [pid 148275] NotFound: ipa:
Certificate Authority not found
[Mon Sep 09 15:16:37.858567 2024] [:error] [pid 148275]
[Mon Sep 09 15:16:37.858774 2024] [:error] [pid 148275] ipa: INFO:
[xmlserver] host/host.company.local@COMPANY.LOCAL:
cert_request(u'xxxxxxxxx', profile_id=u'caIPAserviceCert',
principal=u'ldap/host.company.local@COMPANY.LOCAL', add=True,
version=u'2.51'): NotFound
[Mon Sep 09 15:16:37.858837 2024] [:error] [pid 148275] ipa: DEBUG:
response: NotFound: ipa: Certificate Authority not found
[Mon Sep 09 15:16:37.859575 2024] [:error] [pid 148275] ipa: DEBUG:
Destroyed connection context.ldap2_139787230862608

There is a "handle_not_found" error, apparently, but not sure which handle
that refers to or how to resolve. Any help would be appreciated!




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
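As an added check, not part of the thread or of FreeIPA itself: a small Python script that correlates SRCH/RESULT pairs in the 389-ds access log (the lookup the reply above says ipa-server-upgrade performs) and reports whether the per-CA entry cn=ipa,cn=cas,cn=ca,<suffix> was found (err=0, one entry) or is missing (err=32, LDAP noSuchObject). The sample log lines are constructed after the ones quoted in the reply, with the err=32 case made up to show the failing side.

```python
import re

# Constructed sample in 389-ds access-log format, modelled on the entries
# quoted in the thread. The second lookup is altered to fail with err=32
# (noSuchObject), which is what a missing per-CA entry looks like.
SAMPLE_ACCESS_LOG = """\
[10/Sep/2024:05:42:30.192479317 +0000] conn=5 op=249 SRCH base="cn=cas,cn=ca,dc=ipa1,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[10/Sep/2024:05:42:30.192674713 +0000] conn=5 op=249 RESULT err=0 tag=101 nentries=1 wtime=0.000092394 optime=0.000196278 etime=0.000287429
[10/Sep/2024:05:42:30.192957674 +0000] conn=5 op=250 SRCH base="cn=ipa,cn=cas,cn=ca,dc=ipa1,dc=test" scope=0 filter="(objectClass=*)" attrs=ALL
[10/Sep/2024:05:42:30.193043505 +0000] conn=5 op=250 RESULT err=32 tag=101 nentries=0 wtime=0.000096161 optime=0.000087393 etime=0.000182432
"""

SRCH_RE = re.compile(r'conn=(\d+) op=(\d+) SRCH base="([^"]*)"')
RESULT_RE = re.compile(r'conn=(\d+) op=(\d+) RESULT err=(\d+) .*?nentries=(\d+)')


def correlate_searches(log_text):
    """Pair every SRCH with its RESULT line by (conn, op).

    Returns (base_dn, err, nentries) tuples in log order; a SRCH whose
    RESULT never shows up is reported with err=None at the end.
    """
    pending = {}  # (conn, op) -> base DN, kept in insertion order
    results = []
    for line in log_text.splitlines():
        m = SRCH_RE.search(line)
        if m:
            pending[(m.group(1), m.group(2))] = m.group(3)
            continue
        m = RESULT_RE.search(line)
        if m and (m.group(1), m.group(2)) in pending:
            base = pending.pop((m.group(1), m.group(2)))
            results.append((base, int(m.group(3)), int(m.group(4))))
    results.extend((base, None, 0) for base in pending.values())
    return results


def ca_entry_status(log_text, ca_name="ipa"):
    """Say whether cn=<ca_name>,cn=cas,cn=ca,<suffix> was looked up and found.

    Returns "present", "missing" (err=32, noSuchObject) or "not-looked-up".
    """
    prefix = f"cn={ca_name},cn=cas,cn=ca,".lower()
    status = "not-looked-up"
    for base, err, nentries in correlate_searches(log_text):
        if not base.lower().startswith(prefix):
            continue
        if err == 0 and nentries >= 1:
            return "present"  # a successful lookup settles it
        if err == 32:
            status = "missing"
    return status
```

Run it against /var/log/dirsrv/slapd-<INSTANCE>/access on the affected replica before and after ipa-server-upgrade; "missing" followed by "present" confirms the entry was created.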
