On 26.10.2018 19.09, Kees Bakker wrote:
>
>
> On 26-10-18 18:00, Timo Aaltonen wrote:
>> On 26.10.2018 18.59, Kees Bakker wrote:
>>> On 26-10-18 14:55, Timo Aaltonen wrote:
>>>> On 26.10.2018 09:59, Kees Bakker via FreeIPA-users wrote:
>>>>> On 25-10-18 20:46, Timo Aaltonen wrote:
>>>>>> On 25.10.2018 21.44, Rob Crittenden wrote:
>>>>>>> Kees Bakker wrote:
>>>>>>>> On 25-10-18 16:11, Rob Crittenden wrote:
>>>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>>>> On 25-10-18 14:18, Rob Crittenden wrote:
>>>>>>>>>>> Kees Bakker via FreeIPA-users wrote:
>>>>>>>>>>>> Could it be that this error already existed since we started? Notice
>>>>>>>>>>>> the Request ID of 2016..., and the expires: 2018-10-24.
>>>>>>>>>>>>
>>>>>>>>>>>> # getcert list -n ipaCert | sed blabla
>>>>>>>>>>>> Number of certificates and requests being tracked: 8.
>>>>>>>>>>>> Request ID '20161103094546':
>>>>>>>>>>>>     status: CA_UNREACHABLE
>>>>>>>>>>>>     ca-error: Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>>>>>>     stuck: no
>>>>>>>>>>>>     key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>>>>>>>>>>>>     certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>>>>>>>>>>>>     CA: dogtag-ipa-ca-renew-agent
>>>>>>>>>>>>     issuer: CN=Certificate Authority,O=MYDOMAIN
>>>>>>>>>>>>     subject: CN=IPA RA,O=MYDOMAIN
>>>>>>>>>>>>     expires: 2018-10-24 08:45:40 UTC
>>>>>>>>>>>>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>>>>>>>>>>>>     eku: id-kp-serverAuth,id-kp-clientAuth
>>>>>>>>>>>>     pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>>>>>>>>>>>>     post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>>>>>>>>>>>>     track: yes
>>>>>>>>>>>>     auto-renew: yes
>>>>>>>>>>>>
>>>>>>>>>>>> In other words, is this the same issue as
>>>>>>>>>>>> https://pagure.io/freeipa/issue/7422 ?
>>>>>>>>>>> The problem is your certs expired yesterday so connections won't work
>>>>>>>>>>> (the code and message don't come from within certmonger).
>>>>>>>>>>>
>>>>>>>>>>> certmonger _should_ have renewed them. Try killing ntpd, going back a
>>>>>>>>>>> few days, restart krb5kdc, dirsrv, httpd and the CA then certmonger and
>>>>>>>>>>> see what happens.
>>>>>>>>>>>
>>>>>>>>>> Easy for you to say. You know what you're doing :-)
>>>>>>>>>> For me it's all magic.
>>>>>>>>>>
>>>>>>>>>> Anyway, I'll try it. I'm just scared to set the clock back, because there may
>>>>>>>>>> be clients in the network that use this server as an NTP server.
>>>>>>>>>>
>>>>>>>>>> Another thing I want to mention is that the error started showing up two days
>>>>>>>>>> ago, on Oct 22, while the expiration is today, Oct 24.
>>>>>>>>>>
>>>>>>>>> It shouldn't take more than a few minutes to roll back time, restart
>>>>>>>>> services and see what happens. I think your NTP clients will be able to
>>>>>>>>> recover ok if the server is not available for a few minutes.
>>>>>>>>>
>>>>>>>>> certmonger logs to syslog so you probably want to look at that to see if
>>>>>>>>> you can find a reason the certs weren't renewed automatically.
>>>>>>>>>
>>>>>>>> No, that didn't help.
>>>>>>>> And in the syslog there was nothing more than this. (I had to stop the
>>>>>>>> nameserver because it was spitting out lots of messages.)
>>>>>>>>
>>>>>>>> Oct 11 06:00:00 ipasrv systemd[1]: Time has been changed
>>>>>>>> Oct 11 06:00:00 ipasrv systemd[52167]: Time has been changed
>>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopping Certificate monitoring and PKI enrollment...
>>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Stopped Certificate monitoring and PKI enrollment.
>>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Starting Certificate monitoring and PKI enrollment...
>>>>>>>> Oct 11 06:00:04 ipasrv systemd[1]: Started Certificate monitoring and PKI enrollment.
>>>>>>>> Oct 11 06:00:05 ipasrv certmonger[131018]: 2018-10-11 06:00:05 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>>>> Oct 11 06:00:07 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>>>> Oct 11 06:00:07 ipasrv certmonger[131018]: 2018-10-11 06:00:07 [131018] Error 77 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>>>>>>> Oct 11 06:00:17 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>>>>>>> Oct 11 06:00:17 ipasrv certmonger[131018]: 2018-10-11 06:00:17 [131018] Error 77 connecting to https://ipasrv:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
>>>>>>>>
>>>>>>> Ok, I think I know what is going on. This is Ubuntu which AFAIK still
>>>>>>> lacks nss-pem. That is probably why it can't connect to renew the certs.
>>>>>>>
>>>>>>> I don't know if there is a workaround. Timo, do you know?
>>>>>> Ubuntu 18.04 and up have libnsspem, and certmonger depends on it. I've
>>>>>> never tested cert renewal though.
>>>>>>
>>>>> Does that mean I'm screwed? What options do I have?
>>>>> Live with it?
>>>>> Migrate to, say, CentOS?
>>>>> Try to upgrade the server to Ubuntu 18.04 (with uncertainty whether it
>>>>> will work)?
>>>>> Something else?
>>>> Stock 18.04 has other issues, there's an updated version on
>>>> ppa:freeipa/staging which is backported from 18.10 and should be fine
>>>> and hopefully provided as a stable update on 18.04 later on.
>>>>
>>>> But you could try pulling libnsspem from 18.04, and *then* roll back time?
>>>>
>>> I installed libnsspem_1.0.3-0ubuntu2_amd64.deb
>>>
>>> Then I stopped ntp (and bind).
>>> Set the time back to Oct 11.
>>> Restarted krb5-kdc, dirsrv@MYDOMAIN, apache2, pki-tomcatd, certmonger
>>> (in that order).
>>>
>>> Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: Forwarding request to dogtag-ipa-renew-agent
>>> Oct 11 06:08:03 ipasrv dogtag-ipa-ca-renew-agent-submit: dogtag-ipa-renew-agent returned 3
>>> Oct 11 06:08:03 ipasrv certmonger[168327]: 2018-10-11 06:08:03 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>> Oct 11 06:08:12 ipasrv certmonger[168327]: 2018-10-11 06:08:12 [168327] Error 60 connecting to https://ipasrv.mydomain:8443/ca/agent/ca/profileReview: Peer certificate cannot be authenticated with given CA certificates.
>>>
>>> :-(
>>>
>>> Rob also said to restart the CA.
>>> "restart krb5kdc, dirsrv, httpd and the CA then certmonger"
>>> I don't know which service that is. Does that matter?
>> systemctl restart ipa?
>>
>>
> I'm a bit scared to restart service ipa, because it also restarts several
> other services, like bind, and perhaps ntp. The latter is the one that I want
> to be absolutely in control of not starting.

CA is 'pki-tomcatd', dirsrv is 'dirsrv@REALM' if you want to avoid restarting the whole thing.
-- 
t

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
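A defender-side check suggested by the `getcert list` output quoted in the thread, added here as an example (not code from the thread, FreeIPA or certmonger): it parses getcert-style output, flags every tracked request that is not in MONITORING state or whose certificate expires on or before a cutoff, and exits non-zero so the RA-cert situation above would have been caught days earlier. Host names, realm and the sample records are constructed.

```shell
# Parse `getcert list` output on stdin and flag tracked requests that are not
# in MONITORING state or whose certificate expires at or before CUTOFF ($1).
# CUTOFF is "YYYY-MM-DD HH:MM:SS" UTC; ISO timestamps compare correctly as strings.
# Usage: getcert list | check_certmonger "$(date -u -d '+14 days' '+%F %T')"
check_certmonger() {
    awk -v cutoff="$1" '
    function flush(   why) {
        if (id == "") return
        why = ""
        if (status != "MONITORING") why = "status=" status
        if (expires != "" && expires <= cutoff)
            why = why (why == "" ? "" : "; ") "expires=" expires
        if (why != "") {
            printf "%s %s (%s)%s\n", id, subject, why, (caerr == "" ? "" : " ca-error: " caerr)
            bad++
        }
        id = status = expires = subject = caerr = ""
    }
    /^Request ID /     { flush(); id = $3; gsub(/[^0-9]/, "", id); next }
    /^[ \t]*status:/   { status = $2; next }
    /^[ \t]*expires:/  { expires = $2 " " $3; next }
    /^[ \t]*subject:/  { sub(/^[ \t]*subject: /, ""); subject = $0; next }
    /^[ \t]*ca-error:/ { sub(/^[ \t]*ca-error: /, ""); caerr = $0; next }
    END { flush(); exit (bad > 0) }'
}

# Constructed sample in the layout of `getcert list` (not captured from a real
# server; getcert indents fields with a tab, the parser accepts tabs or spaces):
# the expired RA cert, a healthy cert, and one still MONITORING but about to expire.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 3.
Request ID '20161103094546':
    status: CA_UNREACHABLE
    ca-error: Error 77 connecting to https://ipasrv.example.test:8443/ca/agent/ca/profileReview: Problem with the SSL CA cert (path? access rights?).
    subject: CN=IPA RA,O=EXAMPLE.TEST
    expires: 2018-10-24 08:45:40 UTC
Request ID '20161103094601':
    status: MONITORING
    subject: CN=ipasrv.example.test,O=EXAMPLE.TEST
    expires: 2020-06-01 00:00:00 UTC
Request ID '20161103094630':
    status: MONITORING
    subject: CN=ldap/ipasrv.example.test,O=EXAMPLE.TEST
    expires: 2018-10-20 12:00:00 UTC
EOF
}
```

Running `sample_getcert_output | check_certmonger "2018-10-22 00:00:00"` reports the RA cert for its CA_UNREACHABLE status and the LDAP cert for its expiry, and exits 1.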