Hi,

On Wed, Dec 18, 2024 at 11:00 AM Dmitry Krasov via FreeIPA-users <freeipa-users@lists.fedorahosted.org> wrote:
> I tried to update certs on the test environment with these instructions, but
> it updated the webserver's certs only, with CA_UNREACHABLE status.
> https://www.freeipa.org/page/IPA_2x_Certificate_Renewal

The above instructions are for IPA 2.x and do not apply to IPA 4.11. The code of the CA helpers was consolidated and the tracking requests do not use the same CA helpers.

> Number of certificates and requests being tracked: 8.
> Request ID '20221130052539':
>     status: CA_UNREACHABLE
>     ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent

With IPA 4.11 this cert is using the CA helper dogtag-ipa-ca-renew-agent, not dogtag-ipa-renew-agent.

>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=CA Audit,O=DOM.LOC
>     expires: 2024-11-19 05:25:15 UTC
>     key usage: digitalSignature,nonRepudiation
>     pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "auditSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20221130052540':
>     status: CA_UNREACHABLE
>     ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent

Same comment, the tracking is now using a wrong CA helper.

>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=OCSP Subsystem,O=DOM.LOC
>     expires: 2024-11-19 05:25:14 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     eku: id-kp-OCSPSigning
>     pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "ocspSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20221130052541':
>     status: CA_UNREACHABLE
>     ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent

Same comment.

>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=CA Subsystem,O=DOM.LOC
>     expires: 2024-11-19 05:25:14 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "subsystemCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20221130052542':
>     status: CA_UNREACHABLE
>     ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-ca-renew-agent
>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=Certificate Authority,O=DOM.LOC
>     expires: 2042-11-30 05:25:14 UTC
>     key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
>     pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "caSigningCert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20221130052543':
>     status: CA_UNREACHABLE
>     ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent

Same comment.

>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=IPA RA,O=DOM.LOC
>     expires: 2024-11-19 05:25:36 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command: /usr/lib/ipa/certmonger/renew_ra_cert_pre
>     post-save command: /usr/lib/ipa/certmonger/renew_ra_cert
>     track: yes
>     auto-renew: yes
> Request ID '20221130052544':
>     status: CA_UNREACHABLE
>     ca-error: Error 7 connecting to https://ipa.dom.loc:8443/ca/agent/ca/profileReview: Couldn't connect to server.
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
>     certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
>     CA: dogtag-ipa-renew-agent

Same comment.

>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=ipa.dom.loc,O=DOM.LOC
>     expires: 2024-11-19 05:25:14 UTC
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth
>     pre-save command: /usr/lib/ipa/certmonger/stop_pkicad
>     post-save command: /usr/lib/ipa/certmonger/renew_ca_cert "Server-Cert cert-pki-ca"
>     track: yes
>     auto-renew: yes
> Request ID '20221130052605':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=ipa.dom.loc,O=DOM.LOC
>     expires: 2026-10-18 21:32:34 UTC
>     principal name: ldap/ipa.dom....@dom.loc
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib/ipa/certmonger/restart_dirsrv DOM-LOC
>     track: yes
>     auto-renew: yes
> Request ID '20221130052625':
>     status: CA_UNREACHABLE
>     ca-error: Server at https://ipa.dom.loc/ipa/xml failed request, will retry: 4301 (RPC failed at server. Certificate operation cannot be completed: Unable to communicate with CMS (503)).
>     stuck: no
>     key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
>     certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
>     CA: IPA
>     issuer: CN=Certificate Authority,O=DOM.LOC
>     subject: CN=ipa.dom.loc,O=DOM.LOC
>     expires: 2026-10-18 21:32:23 UTC
>     principal name: HTTP/ipa.dom....@dom.loc
>     key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
>     eku: id-kp-serverAuth,id-kp-clientAuth
>     pre-save command:
>     post-save command: /usr/lib/ipa/certmonger/restart_httpd
>     track: yes
>     auto-renew: yes

You will have to fix the tracking requests first (call getcert start-tracking with the right -c argument), and then you can follow the link <https://docs.redhat.com/en/documentation/Red_Hat_Enterprise_Linux/9/html-single/managing_certificates_in_idm/index#renewing-expired-system-certificates-on-a-ca_renewing-expired-system-certificates-when-idm-is-offline> I provided in my first message or this one: https://www.freeipa.org/page/Troubleshooting/PKI.html#ipa-won-t-start-expired-certificates to use ipa-cert-fix.

HTH,
flo

> --
> _______________________________________________
> FreeIPA-users mailing list -- freeipa-users@lists.fedorahosted.org
> To unsubscribe send an email to freeipa-users-le...@lists.fedorahosted.org
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedorahosted.org/archives/list/freeipa-users@lists.fedorahosted.org
> Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
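The check flo describes (tracking requests for the Dogtag subsystem certificates and the IPA RA certificate still pointing at the CA helper dogtag-ipa-renew-agent instead of dogtag-ipa-ca-renew-agent) can be automated before touching any request. The script below is an added example, not code from the thread and not FreeIPA's or certmonger's own tooling: it reads `getcert list` output, prints each request that tracks a certificate in /etc/pki/pki-tomcat/alias or the ipaCert nickname with the old helper, and prints (without running) the `getcert start-tracking -d DIR -n NICKNAME -c CA` call that would switch the helper. The function names (`find_wrong_ca_helpers`, `suggest_fix`, `sample_getcert_output`) are mine, the embedded `getcert list` excerpt is constructed from the thread's output, and the emitted command deliberately omits the pre-/post-save commands and profile, which the administrator has to carry over from the existing request.

```shell
#!/bin/sh
# Added audit helper (not from the thread, not FreeIPA/certmonger code).
# Reads `getcert list` output on stdin and reports tracking requests that
# should use dogtag-ipa-ca-renew-agent on IPA 4.11 but still name the old
# dogtag-ipa-renew-agent helper: the Dogtag subsystem certs stored in
# /etc/pki/pki-tomcat/alias and the IPA RA cert (nickname ipaCert).

WRONG_HELPER='dogtag-ipa-renew-agent'
EXPECTED_HELPER='dogtag-ipa-ca-renew-agent'
q="'"                      # literal quote, used in the parameter-expansion patterns
tab=$(printf '\t')

# Print "<id>\t<location>\t<nickname>\t<ca>" when the request is one that
# should use EXPECTED_HELPER but is tracked with WRONG_HELPER.
_report_if_wrong() {
    id=$1; loc=$2; nick=$3; ca=$4
    [ -n "$id" ] || return 0
    [ "$ca" = "$WRONG_HELPER" ] || return 0
    case "$loc" in
        /etc/pki/pki-tomcat/alias) ;;                  # Dogtag subsystem certs
        *) [ "$nick" = "ipaCert" ] || return 0 ;;      # IPA RA cert, stored elsewhere
    esac
    printf '%s\t%s\t%s\t%s\n' "$id" "$loc" "$nick" "$ca"
}

# Usage: getcert list | find_wrong_ca_helpers
find_wrong_ca_helpers() {
    r_id=''; r_loc=''; r_nick=''; r_ca=''
    while IFS= read -r line || [ -n "$line" ]; do
        ws=${line%%[![:space:]]*}          # indentation getcert prints before each field
        line=${line#"$ws"}
        case "$line" in
            "Request ID '"*)                # a new request starts: flush the previous one
                _report_if_wrong "$r_id" "$r_loc" "$r_nick" "$r_ca"
                r_id=${line#*$q}; r_id=${r_id%%$q*}
                r_loc=''; r_nick=''; r_ca=''
                ;;
            "key pair storage: "*"location='"*)
                r_loc=${line#*location=$q}; r_loc=${r_loc%%$q*}
                r_nick=${line#*nickname=$q}; r_nick=${r_nick%%$q*}
                ;;
            "CA: "*)
                r_ca=${line#CA: }
                ;;
        esac
    done
    _report_if_wrong "$r_id" "$r_loc" "$r_nick" "$r_ca"   # flush the last request
}

# Print, do not run, the start-tracking call that changes the CA helper.
# -d, -n and -c are real getcert options; the request's pre-/post-save
# commands and profile are not derived here and must be copied from `getcert list`.
suggest_fix() {
    find_wrong_ca_helpers | while IFS="$tab" read -r id loc nick ca; do
        printf "# request %s\ngetcert start-tracking -d '%s' -n '%s' -c %s\n" \
            "$id" "$loc" "$nick" "$EXPECTED_HELPER"
    done
}

# Constructed excerpt in the shape of the thread's `getcert list` output.
sample_getcert_output() {
    cat <<'EOF'
Number of certificates and requests being tracked: 4.
Request ID '20221130052539':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=CA Audit,O=DOM.LOC
Request ID '20221130052542':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
    certificate: type=NSSDB,location='/etc/pki/pki-tomcat/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
    CA: dogtag-ipa-ca-renew-agent
    subject: CN=Certificate Authority,O=DOM.LOC
Request ID '20221130052543':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB',pinfile='/etc/apache2/nssdb/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/apache2/nssdb',nickname='ipaCert',token='NSS Certificate DB'
    CA: dogtag-ipa-renew-agent
    subject: CN=IPA RA,O=DOM.LOC
Request ID '20221130052605':
    status: CA_UNREACHABLE
    key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-DOM-LOC/pwdfile.txt'
    certificate: type=NSSDB,location='/etc/dirsrv/slapd-DOM-LOC',nickname='Server-Cert',token='NSS Certificate DB'
    CA: IPA
    subject: CN=ipa.dom.loc,O=DOM.LOC
EOF
}

# Stand-alone run on the constructed sample; on a server: getcert list | find_wrong_ca_helpers
sample_getcert_output | find_wrong_ca_helpers
sample_getcert_output | suggest_fix
```

On the constructed sample only the auditSigningCert request and the ipaCert request are reported; the caSigningCert request already uses dogtag-ipa-ca-renew-agent and the directory server certificate is tracked by the IPA helper, so both are left alone. Requests whose CA helper is IPA (the HTTP and LDAP server certs in the thread) fail for a different reason, the CA being down, and are fixed by ipa-cert-fix once the Dogtag tracking is corrected.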