Sigbjorn Lie wrote:



On Mon, January 13, 2014 15:58, Rob Crittenden wrote:
Sigbjorn Lie wrote:

Hi,


I seem to have issues with the certificate system on my IPA installation. Looking up hosts in the IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno -8015] error (-8015) unknown".

I also notice that hosts says the certificate system is unavailable.


certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).


Looking at the pki-ca logs on the ipa servers I see that some selftest failed:


# tail -100 selftests.log
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence: CA is present
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs verification failure
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

The pki-cad service is running and "pki-cad status" displays the ports available.
/etc/init.d/pki-cad status
pki-ca (pid 28697) is running...                           [  OK  ]


My main concern is that the certmonger requests for renewal of the certificates for LDAP on 2 out of 3 of the IPA servers have failed, and the current certificate is expiring the 19th of January, under a week from now.

Do you have any suggestions as to where I can start troubleshooting this issue?


Check the trust on the audit certificate:


# certutil -L -d /var/lib/pki-ca/alias/
...
auditSigningCert cert-pki-ca                                 u,u,Pu

If the trust is not u,u,Pu then you can fix it with:


# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu


Then restart the CA and it should be ok.


Looks like this certificate is expired. This is the same output on all 3 of the ipa servers.

How can this be fixed?


# certutil -L -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca"
Certificate:
     Data:
         Version: 3 (0x2)
         Serial Number: 5 (0x5)
         Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
         Issuer: "CN=Certificate Authority,O=DNS.DOMAIN"
         Validity:
             Not Before: Thu Jan 19 19:44:24 2012
             Not After : Wed Jan 08 19:44:24 2014



Go back in time to the 7th or 8th and run:

# getcert resubmit -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"

There may be other certs in a similar situation. getcert list will show you.

rob
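The two checks Rob describes (trust flags on the audit certificate and "Not After" dates on the other CA certificates) combined into one script, as an added example that is not part of this thread or of FreeIPA/certmonger; it parses the output formats `certutil -L -d <db>` and `certutil -L -d <db> -n <nick>` print, and the sample output below is constructed to mirror the thread, not real CA data.

```python
import re
from datetime import datetime

# Constructed sample output modelled on the listing quoted in the thread; dates and trust
# flags are made up (audit cert expired and missing its P flag, OCSP cert expiring soon).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
auditSigningCert cert-pki-ca                                 u,u,u
ocspSigningCert cert-pki-ca                                  u,u,u
"""
SAMPLE_DETAILS = {  # abridged `certutil -L -d <db> -n <nick>` output per certificate
    "caSigningCert cert-pki-ca": "  Not After : Mon Jan 19 19:44:24 2032\n",
    "auditSigningCert cert-pki-ca": "  Not After : Wed Jan 08 19:44:24 2014\n",
    "ocspSigningCert cert-pki-ca": "  Not After : Sat Jan 18 19:44:24 2014\n",
}
EXPECTED_TRUST = {"auditSigningCert cert-pki-ca": "u,u,Pu"}  # trust Rob says the CA needs
NSS_DATE = "%a %b %d %H:%M:%S %Y"  # the date format certutil prints under Validity

def parse_listing(text):
    """Map nickname -> trust flags from `certutil -L -d <db>` output (header skipped)."""
    certs = {}
    for line in text.splitlines():
        m = re.match(r"^(\S.*?)\s{2,}([A-Za-z,]+)\s*$", line)
        if m:
            certs[m.group(1)] = m.group(2)
    return certs

def parse_not_after(text):
    """Extract the Not After timestamp from a pretty-printed certificate."""
    m = re.search(r"Not After\s*:\s*(.+)", text)
    return datetime.strptime(m.group(1).strip(), NSS_DATE)

def check_certs(listing, details, now, warn_days=14):
    """Return {nickname: [problems]} for expired, soon-expiring or mis-trusted certs."""
    problems = {}
    for nick, trust in parse_listing(listing).items():
        found, not_after = [], parse_not_after(details[nick])
        if not_after <= now:
            found.append("expired on " + not_after.strftime(NSS_DATE))
        elif (not_after - now).days < warn_days:
            found.append("expires in %d days" % (not_after - now).days)
        want = EXPECTED_TRUST.get(nick)
        if want and trust != want:
            found.append("trust is %s, expected %s" % (trust, want))
        if found:
            problems[nick] = found
    return problems
```

Feeding `check_certs` the real output of the two certutil commands (listing, then one `-n <nick>` dump per nickname) gives the same report for a live /var/lib/pki-ca/alias database.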

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
