On 26.10.2018 18.59, Kees Bakker wrote:
> On 26-10-18 14:55, Timo Aaltonen wrote:
>> On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote:
>>> On 25-10-18 20:46, Timo Aaltonen wrote:
>>>> On 25.10.2018 21.44, Rob Crittenden wrote:
>>>>> Kees Bakker wrote:
>>>>>> On 25-10-18 16:11, Rob Crittenden wrote:
>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>> On 25-10-18 14:18, Rob Crittenden wrote:
>>>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>>>> Could it be that this error already existed since we started? Notice
>>>>>>>>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>>>>>>>>
>>>>>>>>>> # getcert list -n ipaCert | sed blabla
>>>>>>>>>> Number of certificates and requests being tracked: 8.
>>>>>>>>>> Request ID '20161103094546':
>>>>>>>>>>     status: CA_UNREACHABLE
>>>>>>>>>>     ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>>>>     stuck: no
>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>>>>>>>>>     certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>     CA: dogtag-ipa-ca-renew-agent
>>>>>>>>>>     issuer: CN=Certificate Authority,O=MYDOMAIN
>>>>>>>>>>     subject: CN=IPA RA,O=MYDOMAIN
>>>>>>>>>>     expires: 2018-10-24 08:45:40 UTC
>>>>>>>>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>     pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>>>>>>>>>     post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>>>>>>>>>     track: yes
>>>>>>>>>>     auto-renew: yes
>>>>>>>>>>
>>>>>>>>>> In other words, is this the same issue as https://pagure.io/freeipa/issue/7422?
>>>>>>>>> The problem is your certs expired yesterday so connections won't work
>>>>>>>>> (the code and message don't come from within certmonger).
>>>>>>>>>
>>>>>>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a few days, restarting krb5kdc, dirsrv, httpd and the CA and then certmonger, and see what happens.
>>>>>>>>>
>>>>>>>> Easy for you to say. You know what you're doing :-)
>>>>>>>> For me it's all magic.
>>>>>>>>
>>>>>>>> Anyway, I'll try it. I'm just scared to set the clock back, because there may be clients in the network that use this server as an NTP server.
>>>>>>>>
>>>>>>>> Another thing I want to mention is that the error started showing up two days ago, on Oct 22, while the expiration is today, Oct 24.
>>>>>>>>
>>>>>>> It shouldn't take more than a few minutes to roll back time, restart
>>>>>>> services and see what happens. I think your NTP clients will be able to
>>>>>>> recover ok if the server is not available for a few minutes.
>>>>>>>
>>>>>>> certmonger logs to syslog so you probably want to look at that to see if
>>>>>>> you can find a reason the certs weren't renewed automatically.
>>>>>>>
>>>>>> No, that didn't help.
>>>>>> And in the syslog there was nothing more than this. (I had to stop the
>>>>>> nameserver because it was spitting out lots of messages.)
>>>>>>
>>>>>> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
>>>>>> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
>>>>>> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>
>>>>> Ok, I think I know what is going on. This is Ubuntu which AFAIK still
>>>>> lacks nss-pem. That is probably why it can't connect to renew the certs.
>>>>>
>>>>> I don't know if there is a workaround. Timo, do you know?
>>>> Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've
>>>> never tested cert renewal though.
>>>>
>>> Does that mean I'm screwed? What options do I have?
>>> Live with it?
>>> Migrate to, say, CentOS?
>>> Try to upgrade the server to Ubuntu 18.04 (with uncertainty whether it will work)?
>>> Something else?
>> Stock 18.04 has other issues; there's an updated version on ppa:freeipa/staging which is backported from 18.10, should be fine, and will hopefully be provided as a stable update on 18.04 later on.
>>
>> But you could try pulling libnsspem from 18.04, and *then* roll back time?
>>
> 
> I installed libnsspem_1.0.3-0ubuntu2_amd64.deb
> 
> Then I stopped ntp (and bind).
> Set the time back to Oct 11
> Restarted krb5-kdc, dirsrv@MYDOMAIN, apache2, pki-tomcatd, certmonger
> (in that order).
> 
> Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
> Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
> Oct 11 06:08:03 ipasrv certmonger[168327]: 2018-10-11 06:08:03 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
> Oct 11 06:08:12 ipasrv certmonger[168327]: 2018-10-11 06:08:12 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
> 
> :-(
> 
> Rob said also to restart CA.
>   "restart krb5kdc, dirsrv, httpd and the CA then certmonger"
> I don't know which service that is. Does that matter?

systemctl restart ipa?


-- 
t
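Added example (not from this thread or from the FreeIPA/certmonger projects): a small parser for `getcert list` output that flags tracked requests whose status is not MONITORING, that carry a ca-error, or that expire within a warning window, so a renewal failure like the one above is noticed before the certificate lapses. The sample listing is constructed from the output quoted above; the second request, its ID and its expiry are made up.

```python
# Added example, not from the thread. SAMPLE is constructed in certmonger's format from the listing quoted above.
import re
from datetime import datetime, timedelta, timezone

SAMPLE = """\
Number of certificates and requests being tracked: 8.
Request ID '20161103094546':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=IPA RA,O=MYDOMAIN
    expires: 2018-10-24 08:45:40 UTC
    auto-renew: yes
Request ID '20161103094612':
    status: MONITORING
    subject: CN=ipasrv.mydomain,O=MYDOMAIN
    expires: 2020-01-15 12:00:00 UTC
"""

def parse_ts(s):
    """Parse certmonger's 'YYYY-MM-DD HH:MM:SS UTC' timestamps into aware datetimes."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S %Z").replace(tzinfo=timezone.utc)

def parse_getcert(text):
    """Split the output into one dict per 'Request ID' block, keyed by field name."""
    requests, current = [], None
    for line in text.splitlines():
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            requests.append(current)
        elif current is not None and line.startswith(" ") and ":" in line:
            key, _, value = line.strip().partition(":")  # split on the first colon only
            current[key] = value.strip()
    return requests

def find_problems(requests, now, warn_days=30):
    """Flag requests not in MONITORING, carrying a ca-error, or expiring within warn_days of now."""
    problems = []
    for r in requests:
        reasons = []
        if r.get("status") != "MONITORING":
            reasons.append("status=%s" % r.get("status", "?"))
        if "ca-error" in r:
            reasons.append("ca-error: %s" % r["ca-error"])
        if "expires" in r and parse_ts(r["expires"]) - now < timedelta(days=warn_days):
            reasons.append("expires %s" % r["expires"])
        if reasons:
            problems.append((r["request_id"], r.get("subject", ""), reasons))
    return problems
```

With real data, feed the output of `getcert list` to `parse_getcert` and call `find_problems(..., datetime.now(timezone.utc))`; a non-empty result is what a monitoring check should alert on.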
_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
