Hi,
Thank you for your prompt reply Rob.
On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
Sigbjorn Lie wrote:
Hi,
I seem to have issues with the certificate system on my IPA installation. Looking up hosts in the IPA WebUI on any of the IPA servers says "Certificate format error: [Errno -8015] error (-8015) unknown".
I also notice that hosts says the certificate system is unavailable.
certmonger: Server failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
Looking at the pki-ca logs on the IPA servers I see that a selftest failed:
# tail -100 selftests.log
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading all self test plugin logger parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading all self test plugin instances
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading all self test plugin instance parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading self test plugins in on-demand order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: loading self test plugins in startup order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence: CA is present
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs verification failure
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!
The pki-cad service is running and "pki-cad status" displays the ports as available.
/etc/init.d/pki-cad status
pki-ca (pid 28697) is running...                          [  OK  ]
My main concern is that the certmonger requests to renew the LDAP certificates on 2 out of 3 of the IPA servers have failed, and the current certificate expires on the 19th of January, under a week from now.
Do you have any suggestions as to where I can start troubleshooting this issue?
Check the trust on the audit certificate:
# certutil -L -d /var/lib/pki-ca/alias/
...
auditSigningCert cert-pki-ca u,u,Pu
All 3 IPA servers return u,u,Pu for auditSigningCert:
# certutil -L -d /var/lib/pki-ca/alias/

Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
If the trust is not u,u,Pu then you can fix it with:
# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu
Then restart the CA and it should be ok.
I have restarted the dirsrv for PKI-IPA, and the pki-cad service, on all 3 IPA servers.
What is the status on the failed certmonger requests?
After I restarted dirsrv, pki-cad and then httpd on ipa01, the status of the request is now:
Request ID '20120119194518':
status: CA_UNREACHABLE
ca-error: Server failed request, will retry: 907 (RPC failed at server. cannot connect to 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
stuck: yes
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DNS-DOMAIN//pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=DNS-DOMAIN
subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
expires: 2014-01-19 19:45:18 UTC
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command:
track: yes
auto-renew: yes
However, I cannot find the certificate that's expired?
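The two checks in this thread (are the NSS trust flags on auditSigningCert u,u,Pu, and which certmonger requests are stuck or about to expire) are easy to script once you have the tool output captured. Below is an added example for that; it is not code from the thread or from FreeIPA, and it parses `certutil -L` and `getcert list` text rather than running the tools. Both SAMPLE_* strings are constructed to resemble the listings above: auditSigningCert is deliberately given u,u,u so the trust check fires, and the second request ID, its /etc/httpd/alias location and its 2015 expiry are hypothetical. Because SSL_ERROR_EXPIRED_CERT_ALERT means the CA rejected the certificate certmonger presented to it, the scanner reports every tracked request that is stuck or within the expiry window, not only the one whose renewal failed.

```python
"""NSS trust-flag and certmonger-expiry checks for a FreeIPA CA host.

Added example, not from the mailing-list thread or from FreeIPA. It parses
captured `certutil -L` and `getcert list` output instead of running the tools;
both SAMPLE_* strings are constructed to resemble the thread's listings, with
auditSigningCert deliberately given wrong flags so the check fires.
"""
import re
from datetime import datetime, timezone

# Flags the CA needs on its audit signing certificate (u,u,Pu, as in the thread).
EXPECTED_TRUST = {"auditSigningCert cert-pki-ca": "u,u,Pu"}

# Constructed sample of `certutil -L -d /var/lib/pki-ca/alias/` output.
SAMPLE_CERTUTIL = """\
Certificate Nickname                           Trust Attributes
                                               SSL,S/MIME,JAR/XPI
caSigningCert cert-pki-ca                      CTu,Cu,Cu
Server-Cert cert-pki-ca                        u,u,u
auditSigningCert cert-pki-ca                   u,u,u
ocspSigningCert cert-pki-ca                    u,u,u
subsystemCert cert-pki-ca                      u,u,u
"""

# Constructed sample of `getcert list` output: the stuck request from the
# thread plus a hypothetical healthy one the filter should leave alone.
SAMPLE_GETCERT = """\
Request ID '20120119194518':
    status: CA_UNREACHABLE
    ca-error: Server failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https://ipa01.dns.domain:443/ca/agent/ca/displayBySerial': [Errno -12269] (SSL_ERROR_EXPIRED_CERT_ALERT) SSL peer rejected your certificate as expired.).
    stuck: yes
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-DNS-DOMAIN',nickname='Server-Cert',token='NSS Certificate DB'
    subject: CN=ipa01.dns.domain,O=DNS-DOMAIN
    expires: 2014-01-19 19:45:18 UTC
Request ID '20130101000000':
    status: MONITORING
    stuck: no
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
    expires: 2015-01-01 00:00:00 UTC
"""

# NSS trust flags per slot come from the alphabet p P c C T u w; header lines
# such as "SSL,S/MIME,JAR/XPI" have no "<nick> <x,y,z>" shape and never match.
FLAG_LINE = re.compile(r"^(?P<nick>.+?)\s+(?P<flags>[pPcCTuw]*,[pPcCTuw]*,[pPcCTuw]*)$")


def parse_certutil_list(text):
    """Map nickname -> trust flags from `certutil -L` output."""
    entries = {}
    for line in text.splitlines():
        m = FLAG_LINE.match(line.strip())
        if m:
            entries[m.group("nick").strip()] = m.group("flags")
    return entries


def trust_problems(entries, expected=EXPECTED_TRUST):
    """(nickname, actual flags or None, wanted flags) for every mismatch or missing cert."""
    return [(n, entries.get(n), w) for n, w in expected.items() if entries.get(n) != w]


def fix_command(db_path, nick, flags):
    """The certutil -M invocation from the thread that resets a cert's trust flags."""
    return f"certutil -M -d {db_path} -n '{nick}' -t {flags}"


def parse_utc(stamp):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' stamp into an aware datetime."""
    return datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)


def parse_getcert_list(text):
    """One dict per 'Request ID' block; the first ':' on a line splits key from value."""
    requests, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^Request ID '([^']+)':$", line)
        if m:
            cur = {"id": m.group(1)}
            requests.append(cur)
        elif cur is not None and ":" in line:
            key, _, val = line.partition(":")
            cur[key.strip()] = val.strip()
    return requests


def expiring_requests(requests, now, within_days=7):
    """Requests that are stuck or whose certificate expires within `within_days` of `now`."""
    out = []
    for r in requests:
        if "expires" not in r:
            continue
        days_left = (parse_utc(r["expires"]) - now).total_seconds() / 86400
        stuck = r.get("stuck") == "yes"
        if stuck or days_left <= within_days:
            out.append({"id": r["id"], "status": r.get("status"), "stuck": stuck,
                        "days_left": days_left, "certificate": r.get("certificate", "")})
    return out


def report(certutil_text, getcert_text, db_path, now):
    """Human-readable findings; an empty list means nothing to act on."""
    lines = []
    for nick, have, want in trust_problems(parse_certutil_list(certutil_text)):
        lines.append(f"trust on '{nick}' is {have}, expected {want}; fix: "
                     + fix_command(db_path, nick, want))
    for r in expiring_requests(parse_getcert_list(getcert_text), now):
        lines.append(f"request {r['id']} {r['status']} stuck={r['stuck']} "
                     f"expires in {r['days_left']:.1f} days ({r['certificate']})")
    return lines


if __name__ == "__main__":
    # The thread is dated 13 Jan 2014; evaluate the samples as of that moment.
    print("\n".join(report(SAMPLE_CERTUTIL, SAMPLE_GETCERT, "/var/lib/pki-ca/alias",
                           parse_utc("2014-01-13 15:58:00 UTC"))))
```

On a real host you would replace the two samples with the captured output of `certutil -L -d /var/lib/pki-ca/alias/` and `getcert list`, and run it against each IPA server's NSS databases in turn; a request that is flagged as stuck while its own certificate still has days left points at the certificate certmonger authenticates with, rather than the one it is renewing.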