On Thu, Aug 13, 2020 at 02:43:33AM +0000, Scott Z. via FreeIPA-users wrote:
> Just in case it helps to narrow things down a bit or answers questions...
> 1) The problem IdM server is the CA Master as far as I can tell (ran the
> command "ipa config-show", saw that the IPA CA renewal master: was the same
> server with the bad cert.
>

In any case, the CA renewal master setting shouldn't affect renewal of the
Dogtag "Server-Cert cert-pki-ca" certificate. This is because the TLS server
certificates are not shared; each server needs its own certificate.
> 2) Followed the steps in the Red Hat knowledge article at
> https://access.redhat.com/solutions/3357261
> 3) As noted at the bottom of that page, I had pretty good success up until
> the end.
>
> My current status is that I've done an ipactl restart
> --ignore-service-failure, my timedate value is once again current, and when I
> do a "getcert list" I see the offending cert (Server-Cert cert-pki-ca) listed
> as CA_UNREACHABLE, with a ca-error value of Internal Error and of course
> still showing an expiration date of Sep. 26, 2019.
>
> If I do a status check on the certmonger service I see lots of "Internal
> Error" messages along with "Unspecified GSS failure. Minor code may provide
> more information, Minor (2529639068): Cannot contact any KDC for realm
> '<domain>'."
>

Was the KDC running at the time those certmonger GSS errors were produced?
That could explain this error.

It would help to see the /etc/pki/pki-tomcat/ca/debug log:

- for the startup failures, as that may indicate why Dogtag does not start up
  properly
- and for the time period during which renewal of the problematic
  certificate is attempted

Ensure PKI debug logging is at a verbose level. In
/etc/pki/pki-tomcat/ca/CS.cfg, change the config:

    debug.level=0

It is counterintuitive, but a /lower/ number = higher verbosity.

It would help to see certmonger journal output (`journalctl -u certmonger`)
covering the time period of the renewal attempt.

Also, just seeing all the certificates in the various locations (especially
the Dogtag and dirsrv NSSDBs, including the CA certificates) would be helpful.

I understand that you have security policies that may prevent you from
sharing all this on a public list (or that make extra work for you to redact
sensitive data). If it would allow you to share more logs/data, perhaps you
could consider a commercial support subscription with Red Hat.
Thanks,
Fraser

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
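The collection steps Fraser asks for above, gathered into one helper script. This is an added example, not part of the thread or of the FreeIPA/Dogtag projects. It assumes the usual RHEL/Fedora Dogtag 10 layout: CS.cfg at /etc/pki/pki-tomcat/ca/CS.cfg, the CA NSSDB at /etc/pki/pki-tomcat/alias, one dirsrv NSSDB per instance under /etc/dirsrv/slapd-*, and the CA debug log under /var/log/pki/pki-tomcat/ca/ (the path Fraser quotes is the config directory; on a Dogtag 10 install the log itself lives under /var/log/pki). The function names and the output directory layout are the script's own. The debug.level edit rewrites the file in place rather than replacing it, so the pkiuser ownership and mode on CS.cfg survive.

```shell
#!/bin/sh
# Hypothetical helper (not from the FreeIPA thread): raise Dogtag CA debug
# verbosity and gather the evidence needed to diagnose a stuck
# "Server-Cert cert-pki-ca" renewal. Paths below are assumptions for a
# standard Dogtag 10 / FreeIPA 4.x layout; adjust for your instance.

CS_CFG="${CS_CFG:-/etc/pki/pki-tomcat/ca/CS.cfg}"

# Print the current debug.level from a CS.cfg-style key=value file,
# or "unset" if the key is absent. Last occurrence wins, as in Dogtag.
get_debug_level() {
    v=$(sed -n 's/^debug\.level=//p' "$1" | tail -n 1)
    [ -n "$v" ] && printf '%s\n' "$v" || printf 'unset\n'
}

# Set debug.level in a CS.cfg-style file. Dogtag treats a LOWER number as
# MORE verbose, so 0 is the most verbose setting. A timestamped backup is
# kept beside the file, and the file is rewritten in place (cat > file)
# so its owner and mode are preserved. Prints the resulting line.
set_debug_level() {
    cfg="$1"; level="${2:-0}"
    cp -p "$cfg" "$cfg.bak.$(date +%Y%m%d%H%M%S)"
    tmp="$cfg.tmp.$$"
    if grep -q '^debug\.level=' "$cfg"; then
        sed "s/^debug\.level=.*/debug.level=$level/" "$cfg" > "$tmp"
    else
        { cat "$cfg"; printf 'debug.level=%s\n' "$level"; } > "$tmp"
    fi
    cat "$tmp" > "$cfg" && rm -f "$tmp"
    grep '^debug\.level=' "$cfg"
}

# Collect the artefacts a reviewer wants for the renewal window into $1:
# getcert state, certmonger journal, every cert in the Dogtag and dirsrv
# NSSDBs (CA certs included), and the CA debug log. Run as root on the
# affected server after restarting pki-tomcatd with verbose logging.
collect_renewal_evidence() {
    out="$1"; since="${2:-24 hours ago}"
    mkdir -p "$out"
    getcert list > "$out/getcert-list.txt" 2>&1
    journalctl -u certmonger --since "$since" > "$out/certmonger-journal.txt" 2>&1
    certutil -L -d /etc/pki/pki-tomcat/alias > "$out/dogtag-nssdb.txt" 2>&1
    for d in /etc/dirsrv/slapd-*; do
        [ -d "$d" ] || continue
        certutil -L -d "$d" > "$out/dirsrv-$(basename "$d")-nssdb.txt" 2>&1
    done
    # Dogtag 10 writes debug and debug.<date>.log here (assumed path)
    cp /var/log/pki/pki-tomcat/ca/debug* "$out/" 2>/dev/null
    ls "$out"
}

# Usage: ./collect.sh verbose   -> set debug.level=0 in CS.cfg
#        ./collect.sh collect DIR ["2020-08-12 00:00"] -> gather evidence
case "${1:-}" in
    verbose) set_debug_level "$CS_CFG" 0 ;;
    collect) collect_renewal_evidence "${2:-./ipa-renewal-evidence}" "${3:-24 hours ago}" ;;
esac
```

After setting debug.level=0, restart the CA (`ipactl restart --ignore-service-failure` as in the thread) so the new level takes effect, trigger the renewal with `getcert resubmit -i <request-id>`, and only then run the collect step; pass the start of that window as the third argument so the certmonger journal covers exactly the attempt. Redact realm names and hostnames from the output before posting it to a public list.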