On 9/16/20 10:52 AM, Stuart McRobert via FreeIPA-users wrote:
Dear flo,

Thank you for your help with this, but something still seems to be preventing the renewal from actually happening even after going back in time, and waiting.

My service slot is open until lunchtime today, so hopefully only a quick additional step is required to get this fixed.

Any ideas?

Thanks

Best wishes

Stuart




After a reboot...

[root@freeipa01 ~]# ipactl start --ignore-service-failures
Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting ipa_memcached Service
Starting httpd Service
Failed to start httpd Service
Forced start, ignoring httpd Service, continuing normal operation
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service

Failed to start pki-tomcatd Service
Forced start, ignoring pki-tomcatd Service, continuing normal operation
Starting ipa-otpd Service
ipa: INFO: The ipactl command was successful
[root@freeipa01 ~]# systemctl stop ntpd.service
[root@freeipa01 ~]# date
Wed 16 Sep 09:09:19 BST 2020
[root@freeipa01 ~]# date 08160838
Sun 16 Aug 08:38:00 BST 2020
[root@freeipa01 ~]# date
Sun 16 Aug 08:38:04 BST 2020
[root@freeipa01 ~]# systemctl start httpd
[root@freeipa01 ~]# systemctl status httpd
● httpd.service - The Apache HTTP Server
   Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
   Drop-In: /etc/systemd/system/httpd.service.d
            └─ipa.conf
    Active: active (running) since Sun 2020-08-16 08:38:33 BST; 7s ago
      Docs: man:httpd.service(8)
  Process: 1221 ExecStopPost=/usr/bin/kdestroy -A (code=exited, status=0/SUCCESS)
  Process: 1703 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
  Main PID: 1704 (httpd)
    Status: "Processing requests..."
     Tasks: 92 (limit: 4915)
    CGroup: /system.slice/httpd.service
            ├─1704 /usr/sbin/httpd -DFOREGROUND
            ├─1705 /usr/libexec/nss_pcache 589836 off /etc/httpd/alias
            ├─1706 (wsgi:kdcproxy) -DFOREGROUND
            ├─1707 (wsgi:kdcproxy) -DFOREGROUND
            ├─1708 (wsgi:ipa)      -DFOREGROUND
            ├─1709 (wsgi:ipa)      -DFOREGROUND
            ├─1710 /usr/sbin/httpd -DFOREGROUND
            ├─1711 /usr/sbin/httpd -DFOREGROUND
            ├─1712 /usr/sbin/httpd -DFOREGROUND
            ├─1713 /usr/sbin/httpd -DFOREGROUND
            └─1714 /usr/sbin/httpd -DFOREGROUND

Aug 16 08:38:33 freeipa01.OUR_DOMAIN systemd[1]: Starting The Apache HTTP Server...
Aug 16 08:38:33 freeipa01.OUR_DOMAIN ipa-httpd-kdcproxy[1703]: ipa         : INFO     KDC proxy enabled
Aug 16 08:38:33 freeipa01.OUR_DOMAIN systemd[1]: Started The Apache HTTP Server.

At this point you also need to restart pki:
# systemctl start pki-tomcatd@pki-tomcat.service

This component is the Certificate Authority and if it's not running, the cert can't be renewed.
Then retry the getcert resubmit.

HTH,
flo
[root@freeipa01 ~]# getcert resubmit -i 20170405152512
Resubmitting "20170405152512" to "IPA".
[root@freeipa01 ~]# sleep 200
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
     status: CA_UNREACHABLE
    ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
     stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
     subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
     expires: 2020-09-04 17:46:56 BST
     principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 08:43:50 BST 2020
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
     status: CA_UNREACHABLE
    ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
     stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
     subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
     expires: 2020-09-04 17:46:56 BST
     principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes
[root@freeipa01 ~]# getcert list -i 20170405152512
Number of certificates and requests being tracked: 8.
Request ID '20170405152512':
     status: CA_UNREACHABLE
    ca-error: Server at https://freeipa01.OUR_DOMAIN/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
     stuck: no
    key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
     CA: IPA
     issuer: CN=Certificate Authority,O=OUR_DOMAIN_UC
     subject: CN=freeipa01.OUR_DOMAIN,O=OUR_DOMAIN_UC
     expires: 2020-09-04 17:46:56 BST
     principal name: HTTP/freeipa01.OUR_DOMAIN@OUR_DOMAIN_UC
    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
     eku: id-kp-serverAuth,id-kp-clientAuth
     pre-save command:
     post-save command: /usr/libexec/ipa/certmonger/restart_httpd
     track: yes
     auto-renew: yes
[root@freeipa01 ~]# date
Sun 16 Aug 08:58:23 BST 2020

_______________________________________________
FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
Fedora Code of Conduct: 
https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
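The recovery flo describes (start httpd, start the CA, resubmit, check) as an added shell example; this is not code from the thread or from FreeIPA. Instead of a blind `sleep 200`, it parses `getcert list -i <id>` output and polls until certmonger reports MONITORING, treating CA_UNREACHABLE as "keep waiting" and a stuck or rejected request as "stop and investigate". The unit names, the poll interval, the `CERT_REQUEST_ID` variable and the sample listings are this example's assumptions.

```shell
#!/bin/sh
# Added example (not code from the thread or from FreeIPA): scripts the recovery
# flo describes. Confirms httpd and the CA (pki-tomcatd) are running, resubmits the
# tracked request, then polls 'getcert list' until certmonger reports MONITORING
# instead of sleeping for a fixed time. The unit names, the poll interval and
# the CERT_REQUEST_ID variable are this example's assumptions.

# Print one field ("status", "ca-error", "stuck", "expires") from
# 'getcert list -i <id>' output read on stdin; prints nothing if absent.
getcert_field() {
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Map a certmonger status (plus the 'stuck' flag) to an outcome:
#   done  - renewed and back under monitoring
#   retry - certmonger is mid-renewal or will retry by itself (CA_UNREACHABLE)
#   fail  - certmonger has given up and needs an operator
classify_status() {
    if [ "$2" = "yes" ]; then
        echo fail
        return 0
    fi
    case "$1" in
        MONITORING) echo done ;;
        CA_REJECTED|NEED_GUIDANCE) echo fail ;;
        *) echo retry ;;
    esac
}

# Classify a whole 'getcert list' listing; prints done/retry/fail and always
# returns 0 so it is safe to use under 'set -e'. Any ca-error goes to stderr.
classify_getcert_output() {
    status=$(printf '%s\n' "$1" | getcert_field status)
    stuck=$(printf '%s\n' "$1" | getcert_field stuck)
    err=$(printf '%s\n' "$1" | getcert_field ca-error)
    if [ -n "$err" ]; then
        echo "ca-error: $err" >&2
    fi
    classify_status "$status" "$stuck"
}

# The precondition from the thread: with pki-tomcatd down, every resubmit ends
# in "Non-2xx response from CA REST API", so start both units first.
require_ca_running() {
    for unit in httpd.service pki-tomcatd@pki-tomcat.service; do
        if ! systemctl is-active --quiet "$unit"; then
            echo "starting $unit" >&2
            systemctl start "$unit" || return 1
        fi
    done
    return 0
}

# Resubmit request $1 and poll up to $2 times every $3 seconds.
# Exit status: 0 renewed, 1 still pending after the last poll, 2 needs an operator.
renew_and_wait() {
    id=$1; tries=${2:-20}; interval=${3:-15}
    require_ca_running || return 1
    getcert resubmit -i "$id" || return 1
    i=0
    while [ "$i" -lt "$tries" ]; do
        i=$((i + 1))
        outcome=$(classify_getcert_output "$(getcert list -i "$id")")
        echo "poll $i: $outcome" >&2
        case "$outcome" in
            done) return 0 ;;
            fail) return 2 ;;
        esac
        sleep "$interval"
    done
    return 1
}

# Constructed samples (not real output) in the shape the thread shows.
SAMPLE_UNREACHABLE=$(cat <<'EOF'
Request ID '20170405152512':
     status: CA_UNREACHABLE
    ca-error: Server at https://freeipa01.example.test/ipa/xml failed request, will retry: 4035 (RPC failed at server.  Request failed with status 500: Non-2xx response from CA REST API: 500. ).
     stuck: no
     expires: 2020-09-04 17:46:56 BST
EOF
)
SAMPLE_RENEWED=$(cat <<'EOF'
Request ID '20170405152512':
     status: MONITORING
     stuck: no
     expires: 2022-08-17 08:40:12 BST
EOF
)

# Only touch the live system when a request ID is supplied in the environment.
if [ -n "${CERT_REQUEST_ID:-}" ]; then
    renew_and_wait "$CERT_REQUEST_ID"
fi
```

Run it on the server as `CERT_REQUEST_ID=20170405152512 sh renew-check.sh` after NTP has been stopped and the clock set back as in the thread, since the CA will only sign while the old certificate is still within its validity period. A `retry` that never turns into `done` with the CA units active means the 500 from the CA REST API is a CA-side problem (its own certificates or Directory Server access), and the next stop is the pki-tomcat debug log rather than another resubmit.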
