Our old FreeIPA cluster, ipa-server-4.6.8-5.el7 (which we will upgrade if/when this issue is resolved), has a non-functional CA due to the ocspSigningCert being expired.
I have tried all of the fixes that others with this issue have suggested. ipa-cert-fix and running pki-server cert-fix directly both fail:

    ipa-cert-fix
    pki-server cert-fix --ldapi-socket /var/run/slapd-SNAFU-NET.socket --agent-uid ipara --cert ca_ocsp_signing

I have also tried setting back the clock on one of the CA servers and running both ipa-cert-fix and getcert resubmit. This suggestion was also tried: https://access.redhat.com/solutions/3939431

When I turn back the clock and restart the pki server, at least I can look at the certificates as the CA. When the clock is normal the pki server will not start due to the invalid cert:

    [13/Apr/2025:09:10:03][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: faliled: nickname:ocspSigningCert cert-pki-ca
    cause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname: failed: nickname: ocspSigningCert cert-pki-ca

I turned on verbose=4 logging in CS.cfg and received the debug output below. The serial number of the OCSP cert is 580 as far as certmonger is concerned. The pki server is seemingly connecting to LDAP to look up that cert and ends up with the "Record not found" error. I cannot seem to find which LDAP tree the server is looking in for this record, or which record it is searching for. I believe that I have all the correct certs in LDAP under cn=ca_renewal, but of course the ocspSigningCert in LDAP is expired.

Does anyone know what is happening here and what a possible fix might be? Any and all help is greatly appreciated.

    cd /etc/pki/pki-tomcat/alias
    certutil -L -d . -n 'ocspSigningCert cert-pki-ca'
        Validity:
            Not Before: Fri Apr 14 13:00:01 2023
            Not After : Thu Apr 03 13:00:01 2025
        Subject: "CN=OCSP Subsystem,O=SNAFU.NET"
        Version: 3 (0x2)
        Serial Number: 580 (0x244)

    dn: cn=ca_renewal,cn=ipa,cn=etc,dc=snafu,dc=net
    dn: cn=ipaCert,cn=ca_renewal,cn=ipa,cn=etc,dc=snafu,dc=net
    dn: cn=subsystemCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=snafu,dc=net
    dn: cn=auditSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=snafu,dc=net
    dn: cn=ocspSigningCert cert-pki-ca,cn=ca_renewal,cn=ipa,cn=etc,dc=snafu,dc=net

Debug log (verbose=4):

    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: CAProcessor.java:252:printParameterValues() CAProcessor: Input Parameters:
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: CAProcessor.java:264:printParameterValues() CAProcessor: - isRenewal: true
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: CAProcessor.java:264:printParameterValues() CAProcessor: - remoteHost: 10.17.1.18
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: CAProcessor.java:264:printParameterValues() CAProcessor: - profileId: caManualRenewal
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: CAProcessor.java:264:printParameterValues() CAProcessor: - serial_num: 580
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: CAProcessor.java:264:printParameterValues() CAProcessor: - remoteAddr: 10.17.1.18
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: RenewalProcessor.java:90:processRenewal() RenewalProcessor: processRenewal()
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: RenewalProcessor.java:98:processRenewal() RenewalProcessor: profile: caManualRenewal
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: RenewalProcessor.java:149:processRenewal() RenewalProcessor: found SerialNumRenewInput
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: RenewalProcessor.java:157:processRenewal() RenewalProcessor: profile input serial_num value: 580
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: RenewalProcessor.java:181:processRenewal() processRenewal: serial number of cert to renew:580
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: LdapBoundConnFactory.java:324:getConn() In LdapBoundConnFactory::getConn()
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: LdapBoundConnFactory.java:326:getConn() masterConn is connected: true
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: LdapBoundConnFactory.java:368:getConn() getConn: conn is connected true
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: LdapBoundConnFactory.java:398:getConn() getConn: mNumConns now 2
    [12/Apr/2025:17:55:31][http-bio-8443-exec-1]: LdapBoundConnFactory.java:444:returnConn() returnConn: mNumConns now 3
    Record not found
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:182)
        at com.netscape.cmscore.dbs.DBSSession.read(DBSSession.java:137)
        at com.netscape.cmscore.dbs.CertificateRepository.readCertificateRecord(CertificateRepository.java:1023)
        at com.netscape.cms.servlet.cert.RenewalProcessor.processRenewal(RenewalProcessor.java:182)
        at com.netscape.cms.servlet.cert.CertRequestDAO.submitRequest(CertRequestDAO.java:194)
        at org.dogtagpki.server.ca.rest.CertRequestService.enrollCert(CertRequestService.java:155)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.jboss.resteasy.core.MethodInjectorImpl.invoke(MethodInjectorImpl.java:137)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invokeOnTarget(ResourceMethodInvoker.java:280)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:234)
        at org.jboss.resteasy.core.ResourceMethodInvoker.invoke(ResourceMethodInvoker.java:221)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:356)
        at org.jboss.resteasy.core.SynchronousDispatcher.invoke(SynchronousDispatcher.java:179)
        at org.jboss.resteasy.plugins.server.servlet.ServletContainerDispatcher.service(ServletContainerDispatcher.java:220)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:56)
        at org.jboss.resteasy.plugins.server.servlet.HttpServletDispatcher.service(HttpServletDispatcher.java:51)
        at javax.servlet.http.HttpServlet.service(HttpServlet.java:731)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:175)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:297)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.tomcat.websocket.server.WsFilter.doFilter(WsFilter.java:52)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:288)
        at org.apache.catalina.security.SecurityUtil$1.run(SecurityUtil.java:285)
        at java.security.AccessController.doPrivileged(Native Method)
        at javax.security.auth.Subject.doAsPrivileged(Subject.java:549)
        at org.apache.catalina.security.SecurityUtil.execute(SecurityUtil.java:320)
        at org.apache.catalina.security.SecurityUtil.doAsPrivilege(SecurityUtil.java:260)
        at org.apache.catalina.core.ApplicationFilterChain.internalDoFilter(ApplicationFilterChain.java:237)
        at org.apache.catalina.core.ApplicationFilterChain.access$000(ApplicationFilterChain.java:55)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:191)
        at org.apache.catalina.core.ApplicationFilterChain$1.run(ApplicationFilterChain.java:187)
        at java.security.AccessController.doPrivileged(Native Method)
        at org.apache.catalina.core.ApplicationFilterChain.doFilter(ApplicationFilterChain.java:186)
        at org.apache.catalina.core.StandardWrapperValve.invoke(StandardWrapperValve.java:218)
        at org.apache.catalina.core.StandardContextValve.invoke(StandardContextValve.java:110)
        at org.apache.catalina.authenticator.AuthenticatorBase.invoke(AuthenticatorBase.java:498)

-- 
_______________________________________________
FreeIPA-users mailing list -- [email protected]
List Archives: https://lists.fedorahosted.org/archives/list/[email protected]
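The trace above ends in CertificateRepository.readCertificateRecord(), which reads a single entry from the CA's own certificate repository in LDAP, not from cn=ca_renewal. The script below is an added example, not code from the post or from the FreeIPA/Dogtag projects. It assumes the layout of a FreeIPA-installed Dogtag CA, where the record for a certificate lives at cn=<decimal serial>,ou=certificateRepository,ou=ca,o=ipaca with attributes such as certStatus and notAfter (generalized time); it pulls the serial out of certutil -L output, builds the DN and the ldapsearch command that dumps that entry, and compares an LDIF dump against the NSS database. The certutil text and the two LDIF dumps embedded in it are constructed to mirror the post (serial 580, expired 2025-04-03), not captured from a real server.

```python
"""Cross-check a Dogtag CA system certificate against its LDAP record.

Added example, not FreeIPA/Dogtag code. Assumption: certificate records are
stored at cn=<decimal serial>,ou=certificateRepository,ou=ca,o=ipaca (the
layout of a FreeIPA-installed Dogtag CA). All sample inputs are constructed.
"""
import base64
import datetime as dt
import re

CERT_REPO_BASE = "ou=certificateRepository,ou=ca,o=ipaca"
HEX_BYTES = re.compile(r"^[0-9a-fA-F]{2}(:[0-9a-fA-F]{2})*:?$")


def cert_record_dn(serial):
    """DN that readCertificateRecord() reads for a given serial (assumed layout)."""
    return f"cn={int(serial)},{CERT_REPO_BASE}"


def ldapsearch_argv(serial, bind_dn="cn=Directory Manager"):
    """ldapsearch command that dumps that record (prompts for the bind password)."""
    return ["ldapsearch", "-LLL", "-x", "-D", bind_dn, "-W", "-s", "base",
            "-b", cert_record_dn(serial),
            "cn", "serialno", "certStatus", "notBefore", "notAfter", "subjectName"]


def _certutil_time(value):
    # certutil prints e.g. "Thu Apr 03 13:00:01 2025"; treated as UTC here.
    fmt = "%a %b %d %H:%M:%S %Y"
    return dt.datetime.strptime(value.strip(), fmt).replace(tzinfo=dt.timezone.utc)


def _ldap_time(value):
    # Generalized time as Dogtag stores it, e.g. "20250403130001Z".
    return dt.datetime.strptime(value, "%Y%m%d%H%M%SZ").replace(tzinfo=dt.timezone.utc)


def parse_certutil(text):
    """Serial (int) and notAfter from `certutil -L -d <db> -n <nick>` output.
    Handles "Serial Number: 580 (0x244)" and the multi-line hex form certutil
    uses for large serials."""
    serial = not_after = None
    lines = text.splitlines()
    for i, line in enumerate(lines):
        s = line.strip()
        if s.startswith("Serial Number:"):
            value = s[len("Serial Number:"):].strip()
            if value:
                serial = int(value.split()[0])
            else:
                hexpart = []
                for nxt in lines[i + 1:]:
                    if not HEX_BYTES.match(nxt.strip()):
                        break
                    hexpart.append(nxt.strip().rstrip(":"))
                serial = int("".join(hexpart).replace(":", ""), 16)
        elif s.startswith("Not After"):
            not_after = _certutil_time(s.split(":", 1)[1])
    if serial is None or not_after is None:
        raise ValueError("serial or validity not found in certutil output")
    return {"serial": serial, "not_after": not_after}


def parse_ldif(text):
    """Minimal LDIF reader (no line folding): list of {attr: [values]}."""
    entries, cur = [], {}
    for line in text.splitlines() + [""]:
        if not line.strip():
            if cur:
                entries.append(cur)
            cur = {}
            continue
        m = re.match(r"([A-Za-z][\w;-]*)(::?) ?(.*)", line)
        if not m or line.startswith("#"):
            continue
        attr, sep, value = m.groups()
        if sep == "::":
            value = base64.b64decode(value).decode("utf-8", "replace")
        cur.setdefault(attr, []).append(value)
    return entries


def find_record(entries, serial):
    want = cert_record_dn(serial).replace(" ", "").lower()
    for entry in entries:
        if entry.get("dn", [""])[0].replace(" ", "").lower() == want:
            return entry
    return None


def diagnose(certutil_text, ldif_text, now=None):
    """Compare the cert in the NSS DB with the CA's LDAP record for its serial."""
    now = _ldap_time(now) if isinstance(now, str) else (now or dt.datetime.now(dt.timezone.utc))
    nss = parse_certutil(certutil_text)
    record = find_record(parse_ldif(ldif_text), nss["serial"])
    result = {"serial": nss["serial"], "dn": cert_record_dn(nss["serial"]),
              "ldap_record": record is not None,
              "nss_expired": nss["not_after"] < now, "cert_status": None}
    if record is None:
        # The path the posted trace takes: DBSSession.read() raises "Record not found".
        result["problem"] = "no certificateRecord for this serial in LDAP"
    else:
        result["cert_status"] = record.get("certStatus", [None])[0]
        if record.get("notAfter"):
            result["ldap_expired"] = _ldap_time(record["notAfter"][0]) < now
        result["problem"] = "certificate expired" if result["nss_expired"] else None
    return result


# Constructed sample: certutil -L output trimmed to the lines the parser needs.
CERTUTIL_SAMPLE = """\
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 580 (0x244)
        Validity:
            Not Before: Fri Apr 14 13:00:01 2023
            Not After : Thu Apr 03 13:00:01 2025
        Subject: "CN=OCSP Subsystem,O=SNAFU.NET"
"""

# Constructed LDIF: only serial 579 exists, so a lookup for 580 fails as in the post.
LDIF_MISSING = """\
dn: cn=579,ou=certificateRepository,ou=ca,o=ipaca
objectClass: certificateRecord
cn: 579
serialno: 579
certStatus: VALID
notAfter: 20250403130001Z
subjectName: CN=example,O=SNAFU.NET
"""

# Constructed LDIF where the record for 580 is present but expired.
LDIF_PRESENT = LDIF_MISSING + """
dn: cn=580,ou=certificateRepository,ou=ca,o=ipaca
objectClass: certificateRecord
cn: 580
serialno: 580
certStatus: VALID
notAfter: 20250403130001Z
subjectName: CN=OCSP Subsystem,O=SNAFU.NET
"""

if __name__ == "__main__":
    print(" ".join(ldapsearch_argv(580)))
    print(diagnose(CERTUTIL_SAMPLE, LDIF_MISSING, "20250412000000Z"))
    print(diagnose(CERTUTIL_SAMPLE, LDIF_PRESENT, "20250412000000Z"))
```

On the CA host, feed the real certutil output and the output of the printed ldapsearch command (run as Directory Manager, or over the ldapi socket the cert-fix tools already use) into diagnose(). An absent entry means the renewal-by-serial path in the trace cannot succeed regardless of clock tricks, because the CA has no record of serial 580 to renew; a present but expired entry points the investigation back at the validity check that keeps pki-tomcat from starting.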
