On 01/08/2015 07:54 PM, Rob Crittenden wrote:
John Desantis wrote:
Hello all,
I didn't reply to the list, so I'll forward in my response.
The only remaining hiccup is now the replica's certmonger service
keeps dying while failing to re-issue the "ipaCert" in
/etc/httpd/alias. Log snippets are below:
Jan 7 12:17:02 python: certmonger restarted httpd
Jan 7 12:17:03 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA and saved.
Jan 7 12:17:08 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" is no longer valid.
Jan 7 12:17:40 certmonger: Certificate named "ipaCert" in token "NSS Certificate DB" in database "/etc/httpd/alias" issued by CA but not saved.
The IPA services are running and the machine can be accessed (queries
issued, web GUI, etc.)
Would anyone have an idea of why a replica would have issues renewing
the "ipaCert"?
CCing Jan to advise; he is the most experienced in this area.
Would file corruption within the file of the "Request ID" in
/var/lib/certmonger/request have anything to do with this?
autorenew=1
monitor=1
ca_name=dogtag-ipa-retrieve-agent-submit
ca_profile=ipaCert
submitted=20141228050011
cert=ESC[?1034h-----BEGIN CERTIFICATE-----
I checked a few other random client nodes (and the master) and none of
them are showing this corruption in their requests.
I attempted to fix the corruption (editing the file) and subsequently
restart certmonger with no luck.
Thanks,
John DeSantis
Thanks,
John DeSantis
2015-01-08 13:26 GMT-05:00 John Desantis <desan...@mail.usf.edu> wrote:
[quoted original message, identical to the text forwarded above]
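As an added example (not code from this thread or from the FreeIPA or certmonger projects), here is a Python check for the request-file corruption John describes: it parses the key=value format of certmonger's tracking request files, flags any value that contains a terminal escape sequence or other control character, and reports whether the cert= value, once such bytes are removed, starts with the PEM header certmonger expects. The leading-space continuation rule for multi-line values, the function names, and the sample request content are assumptions made for the demonstration; the only page-derived values are the field names, the request directory path, and the ESC[?1034h sequence itself.

```python
"""Scan certmonger request files for control characters in their values.

Added example, not part of the original thread. The thread shows a
tracking request whose cert= field begins with a terminal escape
sequence (ESC[?1034h) instead of the PEM header. This script parses the
key=value request format, reports values containing C0 control characters
or ANSI CSI escape sequences, and shows what the cleaned value looks like.
"""
import re
import sys
from pathlib import Path

# ANSI "CSI" sequence: ESC [ parameter bytes, then a final byte in @..~ (e.g. ESC[?1034h).
CSI_RE = re.compile(r"\x1b\[[0-9;?]*[@-~]")
# Any C0 control character or DEL, except newline (which only ends a line).
CONTROL_RE = re.compile(r"[\x00-\x09\x0b-\x1f\x7f]")

PEM_HEADER = "-----BEGIN CERTIFICATE-----"


def parse_request(text):
    """Parse certmonger's key=value request format into a dict.

    Each line is split on its first '='. Lines starting with a space (or
    lacking '=' entirely) are treated as continuations of the previous
    value; that is an assumption about how multi-line PEM values are
    stored, made for this example.
    """
    fields = {}
    current = None
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith(" ") or "=" not in line:
            if current is not None:
                fields[current] += "\n" + line.lstrip(" ")
            continue
        key, value = line.split("=", 1)
        fields[key] = value
        current = key
    return fields


def find_corrupt_fields(fields):
    """Return {key: [offending substrings]} for values carrying control bytes."""
    bad = {}
    for key, value in fields.items():
        hits = CSI_RE.findall(value) + CONTROL_RE.findall(CSI_RE.sub("", value))
        if hits:
            bad[key] = hits
    return bad


def clean_value(value):
    """Strip CSI sequences and stray control characters from a value."""
    return CONTROL_RE.sub("", CSI_RE.sub("", value))


def check_request_text(text):
    """Parse one request file's content and summarise what is wrong with it.

    Returns the corrupt fields found, whether the cleaned cert= value starts
    with the PEM header, and the first line of that cleaned value.
    """
    fields = parse_request(text)
    cert = clean_value(fields.get("cert", ""))
    return {
        "corrupt_fields": find_corrupt_fields(fields),
        "cert_is_pem": cert.startswith(PEM_HEADER),
        "cleaned_cert_head": cert.splitlines()[0] if cert else "",
    }


# Constructed sample modelled on the request quoted in the thread; the cert
# value starts with the escape sequence ESC[?1034h (byte 0x1b). The base64
# body is a placeholder, not a real certificate.
SAMPLE_REQUEST = (
    "autorenew=1\n"
    "monitor=1\n"
    "ca_name=dogtag-ipa-retrieve-agent-submit\n"
    "ca_profile=ipaCert\n"
    "submitted=20141228050011\n"
    "cert=\x1b[?1034h-----BEGIN CERTIFICATE-----\n"
    " MIIBexampleBase64Payload==\n"
    " -----END CERTIFICATE-----\n"
)


def scan_directory(path="/var/lib/certmonger/requests"):
    """Check every regular file in a certmonger requests directory."""
    results = {}
    for req in sorted(Path(path).glob("*")):
        if req.is_file():
            results[req.name] = check_request_text(req.read_text(errors="replace"))
    return results


if __name__ == "__main__":
    # With a directory argument, scan real request files; otherwise run on the sample.
    report = scan_directory(sys.argv[1]) if len(sys.argv) > 1 else {"sample": check_request_text(SAMPLE_REQUEST)}
    for name, result in report.items():
        status = "OK" if not result["corrupt_fields"] and result["cert_is_pem"] else "CORRUPT"
        print(f"{name}: {status} {result['corrupt_fields']}")
```

Run without arguments to see the sample flagged as CORRUPT with the ESC[?1034h hit on the cert field; run with the requests directory as the first argument to check a live certmonger. The script only reads and reports; it does not rewrite the request files, since certmonger should be stopped before any of its state is edited by hand.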
Ah, that sounds familiar. See https://fedorahosted.org/freeipa/ticket/4064
The change is quite small, you might try manually changing it.
Then a certmonger restart might fix it.
rob
Ah, yes, this one is nasty. As Rob said, this is likely
https://bugzilla.redhat.com/show_bug.cgi?id=1040009
I would suggest updating to RHEL-6, at least IPA (ipa-3.0.0-38.el6 or later),
certmonger and selinux-policy as there were related fixes.
HTH,
Martin
--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go To http://freeipa.org for more info on the project