Sigbjorn Lie wrote:

On Mon, January 13, 2014 16:34, Rob Crittenden wrote:

Sigbjorn Lie wrote:

On Mon, January 13, 2014 15:58, Rob Crittenden wrote:

Sigbjorn Lie wrote:

Hi,



I seem to have issues with the certificate system on my IPA installation. Looking up hosts in the IPA WEBUI on any of the IPA servers says "Certificate format error: [Errno -8015] error (-8015) unknown".

I also notice that hosts says the certificate system is unavailable.

certmonger: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).


Looking at the pki-ca logs on the ipa servers I see that some selftest failed:

# tail -100 selftests.log
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Initializing self test plugins:
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin logger parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instances
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading all self test plugin instance parameters
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in on-demand order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem:  loading self test plugins in startup order
28697.main - [13/Jan/2014:15:06:33 CET] [20] [1] SelfTestSubsystem: Self test plugins have been successfully loaded!
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: Running self test plugins specified to be executed at startup:
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] CAPresence: CA is present
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SystemCertsVerification: system certs verification failure
28697.main - [13/Jan/2014:15:06:34 CET] [20] [1] SelfTestSubsystem: The CRITICAL self test plugin called selftests.container.instance.SystemCertsVerification running at startup FAILED!

The pki-cad service is running and "pki-cad status" displays the ports available.

/etc/init.d/pki-cad status
pki-ca (pid 28697) is running...                           [  OK  ]


My main concern is that the certmonger requests for renewal of the certificates for LDAP on 2 out of 3 of the IPA servers have failed, and the current certificate is expiring the 19th of January, under a week from now.

Do you have any suggestions as to where I can start troubleshooting this issue?



Check the trust on the audit certificate:

# certutil -L -d /var/lib/pki-ca/alias/
...
auditSigningCert cert-pki-ca                                 u,u,Pu

If the trust is not u,u,Pu then you can fix it with:

# certutil -M -d /var/lib/pki-ca/alias -n 'auditSigningCert cert-pki-ca' -t u,u,Pu

Then restart the CA and it should be ok.



Looks like this certificate is expired. This is the same output on all 3 of the ipa servers.

How can this be fixed?

# certutil -L -d /var/lib/pki-ca/alias/ -n "auditSigningCert cert-pki-ca"
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number: 5 (0x5)
        Signature Algorithm: PKCS #1 SHA-256 With RSA Encryption
        Issuer: "CN=Certificate Authority,O=DNS.DOMAIN"
        Validity:
            Not Before: Thu Jan 19 19:44:24 2012
            Not After : Wed Jan 08 19:44:24 2014




Go back in time to the 7th or 8th and run:

# getcert resubmit -d /var/lib/pki-ca/alias -n "auditSigningCert cert-pki-ca"

There may be other certs in a similar situation. getcert list will show you.



Ouch. That would be rather disruptive I suppose. There is quite a lot of activity going to this server, not to mention it's the primary ntp and dns server for the network.

Do you suppose this todo list will work?

Firewall off the rest of the network, leaving the ipa server alone
Stop ntpd
Set date to 8th of January
Run the getcert resubmit command.
Change date back to correct date
Start ntpd
Remove the firewall rules

Looks good. I'd restart the certmonger service rather than resubmitting each individually. Be prepared for renewal to not succeed. For some reason it didn't on and before expiration time so whatever problem existed then likely still remains.

So the question to ask is "what will I do if renewal fails again?"

Nothing catastrophic will happen, but it will likely mean having to roll forward again, debug, roll back, try again, and perhaps more than once. It's hard to say w/o knowing why it failed in the first place.

How many of the services are required to be restarted for the renewal to work after the date is changed to the 7th?

The renewal itself should restart the required services.

rob

_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
