{"id":6088,"date":"2022-09-28T01:41:56","date_gmt":"2022-09-28T05:41:56","guid":{"rendered":"https:\/\/microdevsys.com\/wp\/?p=6088"},"modified":"2022-09-30T13:34:48","modified_gmt":"2022-09-30T17:34:48","slug":"internal-database-error-encountered-could-not-connect-to-ldap-server-host-idmipa01-nix-mds-xyz-port-636-error-netscape-ldap-ldapexception-authentication-failed-48","status":"publish","type":"post","link":"https:\/\/microdevsys.com\/wp\/internal-database-error-encountered-could-not-connect-to-ldap-server-host-idmipa01-nix-mds-xyz-port-636-error-netscape-ldap-ldapexception-authentication-failed-48\/","title":{"rendered":"Internal Database Error encountered: Could not connect to LDAP server host idmipa01.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: Authentication failed (48)"},"content":{"rendered":"

\n\tRestore VM's from snapshot.  Yes, this is a new attempt at restoring some FreeIPA hosts that have been, ahem, neglected slightly to the point where things expired and don't work.  A few unexpected reboots and FS corruption didn't help the matter either.  Regardless, the recovery will in many ways show off the restoration capabilities of.FreeIPA which have certinly grew with the product.  Once again we see the following in the debug logs:\n<\/p>\n

\n\t# tail -f \/var\/log\/pki\/pki-tomcat\/ca\/debug -n 200<\/strong>
\n\tCould not connect to LDAP server host idmipa01.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
\n\tInternal Database Error encountered: Could not connect to LDAP server host idmipa01.nix.mds.xyz port 636 Error netscape.ldap.LDAPException: Authentication failed (48)
\n\t        at com.netscape.cmscore.dbs.DBSubsystem.init(DBSubsystem.java:689)<\/span>\n<\/p>\n

\n\tUse idmipa01<\/strong> to fix certificates.  Set idmipa01<\/strong> as renewal master, if not already:\n<\/p>\n

\n\t# ipa config-mod \\
\n\t      –ca-renewal-master-server idmipa01.nix.mds.xyz \\
\n\t      | grep 'CA renewal master'<\/span><\/strong>\n<\/p>\n

\n\tSet idmipa02 as following the renewal master (idmipa01 is designated \/ defacto master in the cluster)\n<\/p>\n

\n\t[ idmipa01 ]
\n\t# ipa config-show | grep 'IPA CA renewal master'<\/strong>
\n\t  IPA CA renewal master: idmipa02.nix.mds.xyz<\/span>\n<\/p>\n

\n\t[ idmipa02 ]
\n\t# ipa config-show | grep 'IPA CA renewal master'<\/strong>
\n\t  IPA CA renewal master: idmipa02.nix.mds.xyz<\/span>\n<\/p>\n

\n\t[ idmipa02 ]
\n\t# ipa config-mod \\
\n\t      –ca-renewal-master-server idmipa01.nix.mds.xyz \\
\n\t      | grep 'CA renewal master'<\/strong><\/span>\n<\/p>\n

\n\tOnce this is done, certs appear with expiration dates as below:\n<\/p>\n

\n\t# getcert list|grep -Ei expire<\/strong>
\n\t        expires: 2022-09-12 03:14:57 UTC
\n\t        expires: 2020-10-03 20:04:58 UTC
\n\t        expires: 2022-09-12 03:13:58 UTC
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\t        expires: 2022-09-12 03:13:48 UTC
\n\t        expires: 2022-09-12 03:13:47 UTC
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        expires: 2023-09-26 00:54:45 UTC<\/span>\n<\/p>\n

\n\tStart the IPA service ignoring failures:\n<\/p>\n

\n\t# ipactl restart –ignore-service-failure<\/span><\/strong>\n<\/p>\n

\n\tFollow steps on this RH blog:\n<\/p>\n

\n\thttps:\/\/access.redhat.com\/solutions\/3357261<\/a>\n<\/p>\n

\n\t# systemctl stop ntpd<\/span><\/strong>\n<\/p>\n

\n\t# for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
\n\tdo
\n\t  certdate=$(date -d "`certutil -L -d \/etc\/pki\/pki-tomcat\/alias -n "${nickname}" | grep -i after | cut -d: -f2-`" +%s )
\n\t  echo "$nickname – $certdate"
\n\t  [[ ${newdate:-99999999999} -gt “${certdate}” ]] && newdate=$certdate
\n\tdone
\n\tdate –set="`date –date=@$[newdate – 86400]`"<\/span>\n<\/p>\n

\n\t# systemctl restart certmonger<\/span>\n<\/p>\n

\n\tWe are greeted with the following since the site certificate is valid only in the future:\n<\/p>\n

\n\t# getcert list|grep -Ei expire<\/strong>
\n\t        expires: 2020-10-03 20:05:47 UTC
\n\t        expires: 2020-10-03 20:04:58 UTC
\n\t        expires: 2022-09-12 03:13:58 UTC
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\t        expires: 2022-09-12 03:13:48 UTC
\n\t        expires: 2022-09-12 03:13:47 UTC
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Peer's Certificate has expired.).
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining:  Peer's Certificate has expired.).
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        expires: 2023-09-26 00:54:45 UTC<\/span>\n<\/p>\n

\n\t# openssl s_client -showcerts -connect idmipa01.nix.mds.xyz:443<\/strong>
\n\tCONNECTED(00000003)
\n\tdepth=1 O = NIX.MDS.XYZ, CN = Certificate Authority
\n\tverify return:1
\n\tdepth=0 O = NIX.MDS.XYZ, CN = idmipa01.nix.mds.xyz
\n\tverify error:num=9:certificate is not yet valid
\n\tnotBefore=Oct  4 23:00:59 2020 GMT
\n\tverify return:1
\n\tdepth=0 O = NIX.MDS.XYZ, CN = idmipa01.nix.mds.xyz
\n\tnotBefore=Oct  4 23:00:59 2020 GMT
\n\tverify return:1
\n\t—
\n\tCertificate chain
\n\t 0 s:\/O=NIX.MDS.XYZ\/CN=idmipa01.nix.mds.xyz
\n\t   i:\/O=NIX.MDS.XYZ\/CN=Certificate Authority<\/span>\n<\/p>\n

\n\t[ …. ]<\/span>\n<\/p>\n

\n\tWe notice that the date on the host was set to:\n<\/p>\n

\n\tFri Oct  2 20:12:43 EDT 2020<\/span>\n<\/p>\n

\n\twhich is pior to the earliest date in the certificates:\n<\/p>\n

\n\t# getcert list|grep -Ei expire<\/strong>
\n\t        expires: 2020-10-03 20:05:47 UTC
\n\t        expires: 2020-10-03 20:04:58 UTC<\/span>\n<\/p>\n

\n\tHowever, the Apache \/ HTTPD SSL Certificate is only valid after:\n<\/p>\n

\n\tnotBefore=Oct  4 23:00:59 2020 GMT<\/span>\n<\/p>\n

\n\tSo we either need to update the HTTPD certificate or move the date past Oct 4th 2020.  Let's set the date to Oct 4th: \n<\/p>\n

\n\t# for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
\n\tdo
\n\t  certdate=$(date -d "`certutil -L -d \/etc\/pki\/pki-tomcat\/alias -n "${nickname}" | grep -i after | cut -d: -f2-`" +%s )
\n\t  echo "$nickname – $certdate"
\n\t  [[ ${newdate:-99999999999} -gt “${certdate}” ]] && newdate=$certdate
\n\tdone
\n\tdate –set="`date –date=@$[newdate + 172800]`"<\/span>\n<\/p>\n

\n\tRestart certmonger and check status:\n<\/p>\n

\n\t# systemctl restart certmonger<\/span><\/strong>\n<\/p>\n

\n\tcheck status:\n<\/p>\n

\n\t# getcert list<\/span><\/strong>\n<\/p>\n

\n\tStill expired.  Did some reading:\n<\/p>\n

\n\thttps:\/\/frasertweedale.github.io\/blog-redhat\/posts\/2019-05-24-ipa-cert-fix.html<\/a>\n<\/p>\n

\n\tand decided to try:\n<\/p>\n

\n\t# ipa-cert-fix<\/span><\/strong>\n<\/p>\n

\n\t                          WARNING<\/span>\n<\/p>\n

\n\tipa-cert-fix is intended for recovery when expired certificates
\n\tprevent the normal operation of IPA.  It should ONLY be used
\n\tin such scenarios, and backup of the system, especially certificates
\n\tand keys, is STRONGLY RECOMMENDED.<\/span>\n<\/p>\n

\n\t
\n\tThe following certificates will be renewed:<\/span>\n<\/p>\n

\n\tDogtag ca_ocsp_signing certificate:
\n\t  Subject: CN=OCSP Subsystem,O=NIX.MDS.XYZ
\n\t  Serial:  17
\n\t  Expires: 2020-10-03 20:04:58<\/span>\n<\/p>\n

\n\tDogtag ca_audit_signing certificate:
\n\t  Subject: CN=CA Audit,O=NIX.MDS.XYZ
\n\t  Serial:  15
\n\t  Expires: 2020-10-03 20:05:47<\/span>\n<\/p>\n

\n\tEnter "yes" to proceed: yes
\n\tProceeding.
\n\tRenewed Dogtag ca_ocsp_signing certificate:
\n\t  Subject: CN=OCSP Subsystem,O=NIX.MDS.XYZ
\n\t  Serial:  31
\n\t  Expires: 2022-09-26 00:11:14<\/span>\n<\/p>\n

\n\tRenewed Dogtag ca_audit_signing certificate:
\n\t  Subject: CN=CA Audit,O=NIX.MDS.XYZ
\n\t  Serial:  32
\n\t  Expires: 2022-09-26 00:12:16<\/span>\n<\/p>\n

\n\tBecoming renewal master.
\n\tThe ipa-cert-fix command was successful<\/span>\n<\/p>\n

\n\t
\n\tWhich was apparently successful though failed to renew things:\n<\/p>\n

\n\t# getcert list|grep -Ei expire<\/strong>
\n\t        expires: 2020-10-03 20:05:47 UTC *
\n\t        expires: 2020-10-03 20:04:58 UTC *
\n\t        expires: 2022-09-12 03:13:58 UTC
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\t        expires: 2022-09-12 03:13:48 UTC
\n\t        expires: 2022-09-12 03:13:47 UTC
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        expires: 2023-09-26 00:54:45 UTC<\/span>\n<\/p>\n

\n\tRestart certmonger which now captures correct dates:\n<\/p>\n

\n\t# systemctl restart certmonger
\n\t# getcert list|grep -Ei expire<\/strong>
\n\t        expires: 2022-09-26 00:12:16 UTC *
\n\t        expires: 2022-09-26 00:11:14 UTC *
\n\t        expires: 2022-09-12 03:13:58 UTC
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\t        expires: 2022-09-12 03:13:48 UTC
\n\t        expires: 2022-09-12 03:13:47 UTC
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        expires: 2023-09-26 00:54:45 UTC<\/span>\n<\/p>\n

\n\tRestart IPA services ignoring failures in the process, while still maintaining the reset date of Oct 5th 2020 (Today is Sep 25 2022)\n<\/p>\n

\n\t# ipactl restart –ignore-service-failure<\/strong>
\n\tRestarting Directory Service
\n\tRestarting krb5kdc Service
\n\tRestarting kadmin Service
\n\tRestarting named Service
\n\tRestarting httpd Service
\n\tRestarting ipa-custodia Service
\n\tRestarting ntpd Service
\n\tRestarting pki-tomcatd Service
\n\tRestarting smb Service
\n\tRestarting winbind Service
\n\tRestarting ipa-otpd Service
\n\tRestarting ipa-dnskeysyncd Service
\n\tipa: INFO: The ipactl command was successful<\/span>\n<\/p>\n

\n\tThis is the part where I realize the system was using the hwclcok date not the 'date' date (facepalm):\n<\/p>\n

\n\t# date<\/strong>
\n\tMon Oct  5 20:18:46 EDT 2020
\n\t# hwclock<\/strong>
\n\tSun 25 Sep 2022 09:35:45 PM EDT  -0.321095 seconds<\/span>\n<\/p>\n

\n\tHence why cert dates came back with 2022.  Whatever, let's set the date back.  It may work but let's check the UI certs.  Copy the openssl output certificate portions from above into a file and run the following:\n<\/p>\n

\n\t# cat site-cert.pem<\/strong>
\n\t—–BEGIN CERTIFICATE—–
\n\tMIIEmzCCA4OgAwI…………………………………………………HIFvjW5pjp58mflhQ==
\n\t—–END CERTIFICATE—–
\n\t 1 s:\/O=NIX.MDS.XYZ\/CN=Certificate Authority
\n\t   i:\/O=NIX.MDS.XYZ\/CN=Certificate Authority
\n\t—–BEGIN CERTIFICATE—–
\n\tMIIDkDCC……………………………………………………………..w0T37yu7pbxM
\n\tLGclqw==
\n\t—–END CERTIFICATE—–<\/span>\n<\/p>\n

\n\tCheck the site cert extracted from the above command:\n<\/p>\n

\n\t# openssl x509 -enddate -startdate -noout -in site-cert.pem<\/strong>
\n\tnotAfter=Oct  5 23:00:59 2022 GMT
\n\tnotBefore=Oct  4 23:00:59 2020 GMT<\/span>\n<\/p>\n

\n\tCert appears good until 2022 Oct 5th which we are not yet in.  Let's set the date forwards a tad:\n<\/p>\n

\n\t# hwclock –set –date "Fri Sep 25 21:49:00 EDT 2022"; date -s "Fri Sep 25 21:49:00 EDT 2022"<\/strong>
\n\t# systemctl restart ntpd<\/strong>
\n\t# ntpdate -s 192.168.0.12<\/strong>                                                                            # My NTP host.<\/span>\n<\/p>\n

\n\tNow try a status and a restart as well:\n<\/p>\n

\n\t# ipactl status<\/strong>
\n\tDirectory Service: RUNNING
\n\tkrb5kdc Service: RUNNING
\n\tkadmin Service: RUNNING
\n\tnamed Service: RUNNING
\n\thttpd Service: RUNNING
\n\tipa-custodia Service: RUNNING
\n\tntpd Service: RUNNING
\n\tpki-tomcatd Service: RUNNING
\n\tsmb Service: RUNNING
\n\twinbind Service: RUNNING
\n\tipa-otpd Service: RUNNING
\n\tipa-dnskeysyncd Service: RUNNING
\n\tipa: INFO: The ipactl command was successful<\/span>\n<\/p>\n

\n\tBut checking the certs again, seeing two more that are older then Sep 25 2022:\n<\/p>\n

\n\t# getcert list|grep -Ei expire<\/strong>
\n\t        expires: 2022-09-26 00:12:16 UTC
\n\t        expires: 2022-09-26 00:11:14 UTC 
\n\t        expires: 2022-09-12 03:13:58 UTC *
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\t        expires: 2022-09-12 03:13:48 UTC *
\n\t        expires: 2022-09-12 03:13:47 UTC *
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        expires: 2023-09-26 00:54:45 UTC<\/span>\n<\/p>\n

\n\tNeed to move the dates back again to a day prior and renew again:\n<\/p>\n

\n\t# for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
\n\tdo
\n\t  certdate=$(date -d "`certutil -L -d \/etc\/pki\/pki-tomcat\/alias -n "${nickname}" | grep -i after | cut -d: -f2-`" +%s )
\n\t  echo "$nickname – $certdate"
\n\t  [[ ${newdate:-99999999999} -gt “${certdate}” ]] && newdate=$certdate
\n\tdone
\n\tdate –set="`date –date=@$[newdate + 86400]`"<\/span>\n<\/p>\n

\n\tWell that above command failed:\n<\/p>\n

\n\tSun Oct  4 20:04:58 EDT 2020<\/span>\n<\/p>\n

\n\tThere is no certs with that date:\n<\/p>\n

\n\t# getcert list|grep -Ei expire
\n\t        expires: 2022-09-26 00:12:16 UTC
\n\t        expires: 2022-09-26 00:11:14 UTC
\n\t        expires: 2022-09-12 03:13:58 UTC
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\t        expires: 2022-09-12 03:13:48 UTC
\n\t        expires: 2022-09-12 03:13:47 UTC
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        expires: 2023-09-26 00:54:45 UTC<\/span>\n<\/p>\n

\n\tSo let's try a modified copy:\n<\/p>\n

\n\t# for nickname in "auditSigningCert cert-pki-ca" "ocspSigningCert cert-pki-ca" "subsystemCert cert-pki-ca" "Server-Cert cert-pki-ca"
\n\tdo
\n\t  certdate=$(certutil -L -d \/etc\/pki\/pki-tomcat\/alias -n "${nickname}" | grep -i after)
\n\t  echo $certdate;
\n\tdone<\/span>\n<\/p>\n

\n\tSomehow this script is basing this off of the current date?  I won't reverse engineer it and set the date manually instead:\n<\/p>\n

\n\t# hwclock –set –date "Fri Sep 12 01:00:00 EDT 2022"; date -s "Fri Sep 12 01:00:00 EDT 2022"<\/strong><\/span>\n<\/p>\n

\n\tYou should see certificates in submitting status now:\n<\/p>\n

\n\t# getcert list<\/strong>
\n\tNumber of certificates and requests being tracked: 9.
\n\tRequest ID '20180122053031':
\n\t        status: SUBMITTING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='auditSigningCert cert-pki-ca',token='NSS Certificate DB'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=CA Audit,O=NIX.MDS.XYZ
\n\t        expires: 2022-09-26 00:12:16 UTC
\n\t        key usage: digitalSignature,nonRepudiation
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/stop_pkicad
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ca_cert "auditSigningCert cert-pki-ca"
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053032':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='ocspSigningCert cert-pki-ca',token='NSS Certificate DB'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=OCSP Subsystem,O=NIX.MDS.XYZ
\n\t        expires: 2022-09-26 00:11:14 UTC
\n\t        eku: id-kp-OCSPSigning
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/stop_pkicad
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ca_cert "ocspSigningCert cert-pki-ca"
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053033':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB',pin set
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='subsystemCert cert-pki-ca',token='NSS Certificate DB'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=CA Subsystem,O=NIX.MDS.XYZ
\n\t        expires: 2022-09-12 03:13:58 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/stop_pkicad
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ca_cert "subsystemCert cert-pki-ca"
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053034':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB',pin set
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='caSigningCert cert-pki-ca',token='NSS Certificate DB'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyCertSign,cRLSign
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/stop_pkicad
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ca_cert "caSigningCert cert-pki-ca"
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053035':
\n\t        status: SUBMITTING
\n\t        stuck: no
\n\t        key pair storage: type=FILE,location='\/var\/lib\/ipa\/ra-agent.key'
\n\t        certificate: type=FILE,location='\/var\/lib\/ipa\/ra-agent.pem'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=IPA RA,O=NIX.MDS.XYZ
\n\t        expires: 2022-09-12 03:13:48 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ra_cert_pre
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ra_cert
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053036':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-09-12 03:13:47 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/stop_pkicad
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ca_cert "Server-Cert cert-pki-ca"
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053037':
\n\t        status: SUBMITTING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        principal name: ldap\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_dirsrv NIX-MDS-XYZ
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053042':
\n\t        status: SUBMITTING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/httpd\/alias\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        principal name: HTTP\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_httpd
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053135':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        key pair storage: type=FILE,location='\/var\/kerberos\/krb5kdc\/kdc.key'
\n\t        certificate: type=FILE,location='\/var\/kerberos\/krb5kdc\/kdc.crt'
\n\t        CA: SelfSign
\n\t        issuer: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2023-09-26 00:54:45 UTC
\n\t        principal name: krbtgt\/NIX.MDS.XYZ@NIX.MDS.XYZ
\n\t        certificate template\/profile: KDCs_PKINIT_Certs
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_kdc_cert
\n\t        track: yes
\n\t        auto-renew: yes<\/span>\n<\/p>\n

\n\tWait a bit and check again if they were successfully processed.  Or not:\n<\/p>\n

\n\tca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https:\/\/idmipa01.nix.mds.xyz:443\/ca\/rest\/account\/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)).<\/span>\n<\/p>\n

\n\tLet's try the following command again:\n<\/p>\n

\n\t# ipa-cert-fix -v<\/span>\n<\/p>\n

\n\tBut we get this instead:\n<\/p>\n

\n\tINFO: Restoring previous LDAP configuration
\n\tERROR: Unable to find CSR for sslserver cert<\/span>\n<\/p>\n

\n\tipapython.admintool: DEBUG:   File "\/usr\/lib\/python2.7\/site-packages\/ipapython\/admintool.py", line 178, in execute
\n\t    return_value = self.run()
\n\t  File "\/usr\/lib\/python2.7\/site-packages\/ipaserver\/install\/ipa_cert_fix.py", line 128, in run
\n\t    replicate_dogtag_certs(subject_base, ca_subject_dn, certs)
\n\t  File "\/usr\/lib\/python2.7\/site-packages\/ipaserver\/install\/ipa_cert_fix.py", line 251, in replicate_dogtag_certs
\n\t    cert = x509.load_certificate_from_file(cert_path)
\n\t  File "\/usr\/lib\/python2.7\/site-packages\/ipalib\/x509.py", line 425, in load_certificate_from_file
\n\t    with open(filename, mode='rb') as f:<\/span>\n<\/p>\n

\n\tipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: IOError: [Errno 2] No such file or directory: '\/etc\/pki\/pki-tomcat\/certs\/sslserver.crt'
\n\tipapython.admintool: ERROR: [Errno 2] No such file or directory: '\/etc\/pki\/pki-tomcat\/certs\/sslserver.crt'
\n\tipapython.admintool: ERROR: The ipa-cert-fix command failed.<\/span>\n<\/p>\n

\n\t
\n\tAnd we fix with this article:\n<\/p>\n

\n\thttps:\/\/access.redhat.com\/solutions\/4852721<\/span><\/a>\n<\/p>\n

\n\tFollowing the document steps, convert the cert accordingly:\n<\/p>\n

\n\t# grep -A 19 csr \/var\/lib\/certmonger\/requests\/20180122053033<\/strong>
\n\tcsr=—–BEGIN NEW CERTIFICATE REQUEST—–
\n\t MIIDJTCCAg………………………………………………X1cWBn+CU=
\n\t —–END NEW CERTIFICATE REQUEST—–
\n\tspkac=MIICQDCCASgwgg…………….p78JfKV2\/VHxXJTULg==
\n\t# vi 1.txt<\/strong><\/span>\n<\/p>\n

\n\t# cat 1.txt<\/strong>
\n\tca.subsystem.certreq=MIIDJTCCAg0CAQA…………….45oAX1cWBn+CU=<\/span>\n<\/p>\n

\n\tMake backups of anything you modify, whether or not you have snapshots. (Snapshots will cause you to restart from the beginning of this article \ud83d\ude1b )\n<\/p>\n

\n\t# cp -ip \/etc\/pki\/pki-tomcat\/ca\/CS.cfg \/etc\/pki\/pki-tomcat\/ca\/CS.cfg-backup01<\/span>\n<\/p>\n

\n\tConfirm if the line exists:\n<\/p>\n

\n\t# grep -Ei ca.subsystem.certreq \/etc\/pki\/pki-tomcat\/ca\/CS.cfg
\n\t# <\/span>\n<\/p>\n

\n\tIt should not otherwise you wouldn't get the above error:\n<\/p>\n

\n\tAdd the ca.subsystem.certreq= below the ca.subsystem.cert= line in \/etc\/pki\/pki-tomcat\/ca\/CS.cfg:\n<\/p>\n

\n\t# grep -Ei ca.subsystem.certreq \/etc\/pki\/pki-tomcat\/ca\/CS.cfg
\n\tca.subsystem.certreq=MIIDJTCCAg0CAQ………………………..X1cWBn+CU=<\/span>\n<\/p>\n

\n\tLet's try the command again:\n<\/p>\n

\n\t# ipa-cert-fix<\/span>\n<\/p>\n

\n\tBut no luck:\n<\/p>\n

\n\t# ipa-cert-fix
\n\t[ ….. ]
\n\tEnter "yes" to proceed: yes
\n\tProceeding.
\n\t[Errno 2] No such file or directory: '\/etc\/pki\/pki-tomcat\/certs\/sslserver.crt'
\n\tThe ipa-cert-fix command failed.<\/span>\n<\/p>\n

\n\tLet's move the dates back again, manually:\n<\/p>\n

\n\t# hwclock –set –date "Fri Sep 12 01:00:00 EDT 2022"; date -s "Fri Sep 12 01:00:00 EDT 2022"<\/span>\n<\/p>\n

\n\t# ipa-cert-fix
\n\t[ ….. ]
\n\tEnter "yes" to proceed: yes
\n\tProceeding.
\n\tCommand 'pki-server cert-fix –ldapi-socket \/var\/run\/slapd-NIX-MDS-XYZ.socket –agent-uid ipara –cert sslserver –cert subsystem –cert ca_ocsp_signing –cert ca_audit_signing –extra-cert 25' returned non-zero exit status 1
\n\tThe ipa-cert-fix command failed.<\/span>\n<\/p>\n

\n\tdid not work.  So moving slightly ahead:\n<\/p>\n

\n\t# hwclock –set –date "Fri Sep 13 01:00:00 EDT 2022"; date -s "Fri Sep 13 01:00:00 EDT 2022"<\/span>\n<\/p>\n

\n\tresults in absolutely nothing.  So trying with a different date:\n<\/p>\n

\n\t# hwclock –set –date "Fri Sep 11 04:00:00 EDT 2022"; date -s "Fri Sep 11 04:00:00 EDT 2022"
\n\tSun Sep 11 04:00:00 EDT 2022<\/span>\n<\/p>\n

\n\tResulted in a successfully started host:\n<\/p>\n

\n\t# ipactl restart –ignore-service-failure<\/strong>
\n\tRestarting Directory Service
\n\tRestarting krb5kdc Service
\n\tRestarting kadmin Service
\n\tRestarting named Service
\n\tRestarting httpd Service
\n\tRestarting ipa-custodia Service
\n\tRestarting ntpd Service
\n\tRestarting pki-tomcatd Service
\n\tRestarting smb Service
\n\tRestarting winbind Service
\n\tRestarting ipa-otpd Service
\n\tRestarting ipa-dnskeysyncd Service
\n\tipa: INFO: The ipactl command was successful<\/span>\n<\/p>\n

\n\tHmm, ok we're on to something here.  Now that the services started fully, let's use the following:\n<\/p>\n

\n\t# ipa-cert-fix<\/span>\n<\/p>\n

\n\t                          WARNING<\/span>\n<\/p>\n

\n\tipa-cert-fix is intended for recovery when expired certificates
\n\tprevent the normal operation of IPA.  It should ONLY be used
\n\tin such scenarios, and backup of the system, especially certificates
\n\tand keys, is STRONGLY RECOMMENDED.<\/span>\n<\/p>\n

\n\t
\n\tThe following certificates will be renewed:<\/span>\n<\/p>\n

\n\tDogtag sslserver certificate:
\n\t  Subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t  Serial:  22
\n\t  Expires: 2022-09-12 03:13:47<\/span>\n<\/p>\n

\n\tDogtag subsystem certificate:
\n\t  Subject: CN=CA Subsystem,O=NIX.MDS.XYZ
\n\t  Serial:  26
\n\t  Expires: 2022-09-12 03:13:58<\/span>\n<\/p>\n

\n\tIPA IPA RA certificate:
\n\t  Subject: CN=IPA RA,O=NIX.MDS.XYZ
\n\t  Serial:  25
\n\t  Expires: 2022-09-12 03:13:48<\/span>\n<\/p>\n

\n\tEnter "yes" to proceed: yes
\n\tProceeding.
\n\tCommand 'pki-server cert-fix –ldapi-socket \/var\/run\/slapd-NIX-MDS-XYZ.socket –agent-uid ipara –cert sslserver –cert subsystem –extra-cert 25' returned non-zero exit status 1
\n\tThe ipa-cert-fix command failed.<\/span>\n<\/p>\n

\n\t# pki-server cert-fix –ldapi-socket \/var\/run\/slapd-NIX-MDS-XYZ.socket –agent-uid ipara –cert sslserver –cert subsystem –extra-cert 25
\n\tINFO: Loading password config: \/etc\/pki\/pki-tomcat\/password.conf
\n\tINFO: Fixing the following system certs: [‘sslserver’, ‘subsystem’]
\n\tINFO: Renewing the following additional certs: [’25’]
\n\tSASL\/EXTERNAL authentication started
\n\tSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\n\tSASL SSF: 0
\n\tINFO: Stopping the instance to proceed with system cert renewal
\n\tINFO: Configuring LDAP password authentication
\n\tINFO: Setting pkidbuser password via ldappasswd
\n\tSASL\/EXTERNAL authentication started
\n\tSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\n\tSASL SSF: 0
\n\tINFO: Selftests disabled for subsystems: ca
\n\tINFO: Resetting password for uid=ipara,ou=people,o=ipaca
\n\tSASL\/EXTERNAL authentication started
\n\tSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\n\tSASL SSF: 0
\n\tINFO: Creating a temporary sslserver cert
\n\tINFO: Getting sslserver cert info for ca
\n\tINFO: Trying to create a new temp cert for sslserver.
\n\tINFO: Generate temp SSL certificate
\n\tINFO: Getting sslserver cert info for ca
\n\tINFO: Selftests enabled for subsystems: ca
\n\tINFO: Restoring previous LDAP configuration
\n\tERROR: Unable to find CSR for sslserver cert<\/span><\/strong><\/span>\n<\/p>\n

\n\tLooks like it expects more CSR's.  In this case:\n<\/p>\n

\n\tRequest ID '20180122053036':
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\n\t        expires: 2022-09-12 03:13:47 UTC<\/span>\n<\/p>\n

\n\tDoesn't have a CSR, so we add one`:\n<\/p>\n

\n\t# cat \/var\/lib\/certmonger\/requests\/20180122053036<\/strong>
\n\tcsr=—–BEGIN NEW CERTIFICATE REQUEST—–
\n\t MIIDIzCCAgsCA……………………………………xQ\/FFfh<\/span>\n<\/p>\n

\n\tThen convert it to the following one liner in the scrxipt with nickname ca.sslserver.certreq in this case:\n<\/p>\n

\n\tca.sslserver.certreq=MIIDIzCCAgsCA…………………………………………………………5XsHg07A8<\/span>\n<\/p>\n

\n\tBut, alas, I had a copy in another cert:\n<\/p>\n

\n\tcsr=—–BEGIN NEW CERTIFICATE REQUEST—–
\n\t MIIDIzCC……………………………………………..kxQ\/FFfh
\n\t —–END NEW CERTIFICATE REQUEST—–<\/span>\n<\/p>\n

\n\t# grep certreq \/etc\/pki\/pki-tomcat\/ca\/CS.cfg<\/strong>
\n\tca.sslserver.certreq=MIIDIzCCAgsCA……………………………………………………………………..V5XsHg07A8<\/span>\n<\/p>\n

\n\tNOTE the missing FFfh characters in the CSR vs what I typed in the CS.cfg.  Hence got this:\n<\/p>\n

\n\t# ipa-cert-fix -v<\/strong>
\n\t[ …………… ]
\n\tSASL SSF: 0
\n\tINFO: Creating a temporary sslserver cert
\n\tINFO: Getting sslserver cert info for ca
\n\tINFO: Trying to create a new temp cert for sslserver.
\n\tINFO: Generate temp SSL certificate
\n\tINFO: Getting sslserver cert info for ca
\n\tINFO: CSR for sslserver has been written to \/tmp\/tmpYQSMJk\/sslserver.csr
\n\tINFO: Getting signing cert info for ca
\n\tINFO: CA cert written to \/tmp\/tmpYQSMJk\/ca_certificate.crt
\n\tINFO: AKI: 0x1F737CF691BC6D8F93ACA3599FB6DBAB35AED71D
\n\tINFO: Selftests enabled for subsystems: ca
\n\tINFO: Restoring previous LDAP configuration
\n\tERROR: Failed to generate CA-signed temp SSL certificate. RC: 255<\/span>\n<\/p>\n

\n\tipapython.admintool: DEBUG:   File "\/usr\/lib\/python2.7\/site-packages\/ipapython\/admintool.py", line 178, in execute
\n\t    return_value = self.run()
\n\t  File "\/usr\/lib\/python2.7\/site-packages\/ipaserver\/install\/ipa_cert_fix.py", line 117, in run
\n\t    run_cert_fix(certs, extra_certs)
\n\t  File "\/usr\/lib\/python2.7\/site-packages\/ipaserver\/install\/ipa_cert_fix.py", line 245, in run_cert_fix
\n\t    ipautil.run(cmd, raiseonerr=True)
\n\t  File "\/usr\/lib\/python2.7\/site-packages\/ipapython\/ipautil.py", line 563, in run
\n\t    raise CalledProcessError(p.returncode, arg_string, str(output))<\/span>\n<\/p>\n

\n\tipapython.admintool: DEBUG: The ipa-cert-fix command failed, exception: CalledProcessError: Command 'pki-server cert-fix –ldapi-socket \/var\/run\/slapd-NIX-MDS-XYZ.socket –agent-uid ipara –cert sslserver –cert subsystem –extra-cert 25' returned non-zero exit status 1
\n\tipapython.admintool: ERROR: Command 'pki-server cert-fix –ldapi-socket \/var\/run\/slapd-NIX-MDS-XYZ.socket –agent-uid ipara –cert sslserver –cert subsystem –extra-cert 25' returned non-zero exit status 1
\n\tipapython.admintool: ERROR: The ipa-cert-fix command failed.<\/span><\/strong><\/span>\n<\/p>\n

\n\tEditing and ensuring it's correct this time, using a one liner to properly set it up:\n<\/p>\n

\n\t# grep -A 19 csr \/var\/lib\/certmonger\/requests\/20180122053036|grep -v spkac|grep -v "-"|tr '\\n' ' '|sed -e "s\/ \/\/g"<\/strong>
\n\tMIIDIzCCAgs…………………………………………………………….zHkxQ\/FFfh<\/span>\n<\/p>\n

\n\tseams to have allowed IPA to restart properly:\n<\/p>\n

\n\t# ipa-cert-fix -v
\n\t[ ………………….. ]
\n\tINFO: Starting the instance with renewed certs<\/span>\n<\/p>\n

\n\tRenewed Dogtag sslserver certificate:
\n\t  Subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t  Serial:  34
\n\t  Expires: 2024-08-31 09:03:43<\/span>\n<\/p>\n

\n\tRenewed Dogtag subsystem certificate:
\n\t  Subject: CN=CA Subsystem,O=NIX.MDS.XYZ
\n\t  Serial:  35
\n\t  Expires: 2024-08-31 09:03:43<\/span>\n<\/p>\n

\n\tRenewed IPA IPA RA certificate:
\n\t  Subject: CN=IPA RA,O=NIX.MDS.XYZ
\n\t  Serial:  36
\n\t  Expires: 2024-08-31 09:03:44<\/span>\n<\/p>\n

\n\tipalib.backend: DEBUG: Created connection context.ldap2_139668384537744
\n\tipalib.backend: DEBUG: Destroyed connection context.ldap2_139668384537744
\n\tBecoming renewal master.
\n\tipalib.install.sysrestore: DEBUG: Loading StateFile from '\/var\/lib\/ipa\/sysrestore\/sysrestore.state'
\n\tipalib.install.sysrestore: DEBUG: Loading Index file from '\/var\/lib\/ipa\/sysrestore\/sysrestore.index'
\n\tipapython.ipautil: DEBUG: Starting external process
\n\tipapython.ipautil: DEBUG: args=ipactl restart
\n\tipapython.ipautil: DEBUG: Process finished, return code=0
\n\tipapython.ipautil: DEBUG: stdout=Restarting Directory Service
\n\tRestarting krb5kdc Service
\n\tRestarting kadmin Service
\n\tRestarting named Service
\n\tRestarting httpd Service
\n\tRestarting ipa-custodia Service
\n\tRestarting ntpd Service
\n\tRestarting pki-tomcatd Service
\n\tRestarting smb Service
\n\tRestarting winbind Service
\n\tRestarting ipa-otpd Service
\n\tRestarting ipa-dnskeysyncd Service<\/span>\n<\/p>\n

\n\tipapython.ipautil: DEBUG: stderr=ipa: INFO: The ipactl command was successful<\/span>\n<\/p>\n

\n\tipapython.admintool: INFO: The ipa-cert-fix command was successful<\/span>\n<\/p>\n

\n\tyet no change to the certs above.  Trying the renew option now:\n<\/p>\n

\n\t# ipa-cacert-manage renew<\/span>\n<\/p>\n

\n\tFollowing this page:\n<\/p>\n

\n\thttps:\/\/floblanc.wordpress.com\/2016\/12\/19\/troubleshooting-certmonger-issues-with-freeipa\/<\/a>\n<\/p>\n

\n\tran the following:\n<\/p>\n

\n\t# getcert modify-ca -c dogtag-ipa-ca-renew-agent -e '\/usr\/libexec\/certmonger\/dogtag-ipa-ca-renew-agent-submit -vv'<\/span><\/strong>\n<\/p>\n

\n\tjava.lang.Exception: Certutils.verifySystemCertValidityByNickname:  faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  failed: nickname: ocspSigningCert cert-pki-ca<\/span>\n<\/p>\n

\n\t[11\/Sep\/2022:23:10:10][localhost-startStop-1]: SignedAuditLogger: event SELFTESTS_EXECUTION
\n\t[11\/Sep\/2022:23:10:10][localhost-startStop-1]: SelfTestSubsystem: Shutting down server due to selftest failure: Certutils.verifySystemCertValidityByNickname:  faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  failed: nickname: ocspSigningCert cert-pki-ca
\n\tjava.lang.Exception: Certutils.verifySystemCertValidityByNickname:  faliled: nickname: ocspSigningCert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  failed: nickname: ocspSigningCert cert-pki-ca<\/span>\n<\/p>\n

\n\tThe below errors could have been when IPA services were stopped while the ipactl restart command was executed:\n<\/p>\n

\n\tRequest ID '20180122053035':
\n\t        status: CA_UNREACHABLE
\n\t        ca-error: Error 7 connecting to http:\/\/idmipa01.nix.mds.xyz:8080\/ca\/ee\/ca\/profileSubmit: Couldn't connect to server.<\/span>
\n\t        stuck: no
\n\t        key pair storage: type=FILE,location='\/var\/lib\/ipa\/ra-agent.key'
\n\t        certificate: type=FILE,location='\/var\/lib\/ipa\/ra-agent.pem'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=IPA RA,O=NIX.MDS.XYZ
\n\t        expires: 2022-09-12 03:13:48 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ra_cert_pre
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ra_cert
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053036':
\n\t        status: CA_UNREACHABLE
\n\t        ca-error: Error 7 connecting to http:\/\/idmipa01.nix.mds.xyz:8080\/ca\/ee\/ca\/profileSubmit: Couldn't connect to server.<\/span>
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-09-12 03:13:47 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/stop_pkicad
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ca_cert "Server-Cert cert-pki-ca"
\n\t        track: yes
\n\t        auto-renew: yes<\/span>\n<\/p>\n

\n\tTried resubmitting manually, perhaps the service was offline when it attempted upon ipactl restart execution:\n<\/p>\n

\n\t# getcert resubmit -i 20180122053036<\/strong>
\n\tResubmitting "20180122053036" to "dogtag-ipa-ca-renew-agent".<\/span>\n<\/p>\n

\n\t# getcert resubmit -i 20180122053035<\/strong>
\n\tResubmitting "20180122053035" to "dogtag-ipa-ca-renew-agent".<\/span>\n<\/p>\n

\n\tAnd this time those two certs are ok:\n<\/p>\n

\n\tRequest ID '20180122053035':
\n\t        status: MONITORING<\/span><\/strong>
\n\t        stuck: no
\n\t        key pair storage: type=FILE,location='\/var\/lib\/ipa\/ra-agent.key'
\n\t        certificate: type=FILE,location='\/var\/lib\/ipa\/ra-agent.pem'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=IPA RA,O=NIX.MDS.XYZ
\n\t        expires: 2024-08-31 09:03:44 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ra_cert_pre
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ra_cert
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053036':
\n\t        status: MONITORING<\/span><\/strong>
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB',pin set
\n\t        certificate: type=NSSDB,location='\/etc\/pki\/pki-tomcat\/alias',nickname='Server-Cert cert-pki-ca',token='NSS Certificate DB'
\n\t        CA: dogtag-ipa-ca-renew-agent
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2024-08-31 09:03:43 UTC
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command: \/usr\/libexec\/ipa\/certmonger\/stop_pkicad
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_ca_cert "Server-Cert cert-pki-ca"
\n\t        track: yes
\n\t        auto-renew: yes<\/span>\n<\/p>\n

\n\tThis moves us forward to the last two:\n<\/p>\n

\n\tRequest ID '20180122053037':
\n\t        status: CA_UNREACHABLE<\/strong><\/span>
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https:\/\/idmipa01.nix.mds.xyz:443\/ca\/rest\/account\/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)).<\/span>
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        principal name: ldap\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_dirsrv NIX-MDS-XYZ
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053042':
\n\t        status: CA_UNREACHABLE<\/span><\/strong>
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: 907 (RPC failed at server.  cannot connect to 'https:\/\/idmipa01.nix.mds.xyz:443\/ca\/rest\/account\/login': [SSL: SSL_HANDSHAKE_FAILURE] ssl handshake failure (_ssl.c:1826)).<\/span>
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/httpd\/alias\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        principal name: HTTP\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_httpd
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053135':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        key pair storage: type=FILE,location='\/var\/kerberos\/krb5kdc\/kdc.key'
\n\t        certificate: type=FILE,location='\/var\/kerberos\/krb5kdc\/kdc.crt'
\n\t        CA: SelfSign
\n\t        issuer: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2023-09-26 00:54:45 UTC
\n\t        principal name: krbtgt\/NIX.MDS.XYZ@NIX.MDS.XYZ
\n\t        certificate template\/profile: KDCs_PKINIT_Certs
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/renew_kdc_cert
\n\t        track: yes
\n\t        auto-renew: yes<\/span>\n<\/p>\n

\n\tLet's repeat the resubmission for these 2 as well.  This time the error changed:\n<\/p>\n

\n\tRequest ID '20180122053037':
\n\t        status: CA_UNREACHABLE<\/strong>
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: 4016 (RPC failed at server.  Failed to authenticate to CA REST API).<\/span>
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-10-05 23:00:29 UTC
\n\t        principal name: ldap\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_dirsrv NIX-MDS-XYZ
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053042':
\n\t        status: CA_UNREACHABLE<\/strong>
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: 4016 (RPC failed at server.  Failed to authenticate to CA REST API).<\/span>
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/httpd\/alias\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2022-10-05 23:00:59 UTC
\n\t        principal name: HTTP\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_httpd
\n\t        track: yes
\n\t        auto-renew: yes<\/span>\n<\/p>\n

\n\tReading, this could help:\n<\/p>\n

\n\thttps:\/\/floblanc.wordpress.com\/2016\/12\/19\/troubleshooting-certmonger-issues-with-freeipa\/<\/span>\n<\/p>\n

\n\t# ipa-certupdate<\/strong>
\n\ttrying https:\/\/idmipa01.nix.mds.xyz\/ipa\/session\/json
\n\t[try 1]: Forwarding 'ca_is_enabled\/1' to json server 'https:\/\/idmipa01.nix.mds.xyz\/ipa\/session\/json'
\n\t[try 1]: Forwarding 'ca_find\/1' to json server 'https:\/\/idmipa01.nix.mds.xyz\/ipa\/session\/json'
\n\tSystemwide CA database updated.
\n\tSystemwide CA database updated.
\n\tThe ipa-certupdate command was successful<\/span>\n<\/p>\n

\n\tIt appears to have done something.  Let's check what that is:\n<\/p>\n

\n\tRequest ID '20180122053037':
\n\t        status: CA_UNREACHABLE
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: 4016 (RPC failed at server.  Failed to authenticate to CA REST API).<\/span>\n<\/p>\n

\n\tRequest ID '20180122053042':
\n\t        status: CA_UNREACHABLE
\n\t        ca-error: Server at https:\/\/idmipa01.nix.mds.xyz\/ipa\/xml failed request, will retry: 4016 (RPC failed at server.  Failed to authenticate to CA REST API).<\/span>\n<\/p>\n

\n\tnot much.  Hmm.  Running a manual resubmit appears to have done something:\n<\/p>\n

\n\t# getcert resubmit -i 20180122053042<\/strong>
\n\tResubmitting "20180122053042" to "IPA".<\/span>\n<\/p>\n

\n\t# getcert resubmit -i 20180122053037<\/strong>
\n\tResubmitting "20180122053037" to "IPA".<\/span>\n<\/p>\n

\n\tNew dates are posted for the certs, which looks promising:\n<\/p>\n

\n\tRequest ID '20180122053037':
\n\t        status: POST_SAVED_CERT
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/dirsrv\/slapd-NIX-MDS-XYZ',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2024-09-26 05:16:52 UTC
\n\t        principal name: ldap\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_dirsrv NIX-MDS-XYZ
\n\t        track: yes
\n\t        auto-renew: yes
\n\tRequest ID '20180122053042':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        key pair storage: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='\/etc\/httpd\/alias\/pwdfile.txt'
\n\t        certificate: type=NSSDB,location='\/etc\/httpd\/alias',nickname='Server-Cert',token='NSS Certificate DB'
\n\t        CA: IPA
\n\t        issuer: CN=Certificate Authority,O=NIX.MDS.XYZ
\n\t        subject: CN=idmipa01.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t        expires: 2024-09-26 05:16:38 UTC
\n\t        principal name: HTTP\/idmipa01.nix.mds.xyz@NIX.MDS.XYZ
\n\t        key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
\n\t        eku: id-kp-serverAuth,id-kp-clientAuth
\n\t        pre-save command:
\n\t        post-save command: \/usr\/libexec\/ipa\/certmonger\/restart_httpd
\n\t        track: yes
\n\t        auto-renew: yes<\/span>\n<\/p>\n

\n\tLet's check the final result but before that, let's check the date.  It seems odd that it picked 09-26 above but I don't care as long as it works properly:\n<\/p>\n

\n\t# date<\/strong>
\n\tMon Sep 26 01:18:19 EDT 2022<\/span>\n<\/p>\n

\n\tSeems ipactl restart or start did the date change hence the date of 09-26.  Let's check the certs now:\n<\/p>\n

\n\t# getcert list|grep -Ei "Request ID|status:|stuck:|expires"<\/strong>
\n\tRequest ID '20180122053031':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:15:58 UTC
\n\tRequest ID '20180122053032':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:09:34 UTC
\n\tRequest ID '20180122053033':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:14:47 UTC
\n\tRequest ID '20180122053034':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2042-09-11 09:07:22 UTC
\n\tRequest ID '20180122053035':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-08-31 09:03:44 UTC
\n\tRequest ID '20180122053036':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-08-31 09:03:43 UTC
\n\tRequest ID '20180122053037':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-26 05:16:52 UTC
\n\tRequest ID '20180122053042':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-26 05:16:38 UTC
\n\tRequest ID '20180122053135':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2023-09-26 00:54:45 UTC<\/span>\n<\/p>\n

\n\tAnd we are done.  Seems our certs are all renewed now and our IDMIPA host is back to a working state.  At least idmipa01<\/strong> is!  Let's fix the replica:\n<\/p>\n

\n\t[idmipa01] # ipa-replica-manage list -v<\/strong>
\n\tidmipa01.nix.mds.xyz: master
\n\tidmipa02.nix.mds.xyz: master<\/span>\n<\/p>\n

\n\t[idmipa02 ] # ipa-replica-manage list -v
\n\tidmipa02.nix.mds.xyz<\/strong>
\n\tidmipa01.nix.mds.xyz: replica
\n\t  last update status: Error (18) Replication error acquiring replica: Incremental update transient warning.  Backing off, will retry update later. (transient warning)
\n\t  last update ended: 1970-01-01 00:00:00+00:00<\/span>\n<\/p>\n

\n\tusing this command:\n<\/p>\n

\n\t# ipa-replica-manage re-initialize –from idmipa01.nix.mds.xyz<\/span><\/strong>\n<\/p>\n

\n\tBut alas, no, it's master\/master setup:\n<\/p>\n

\n\t# ipa-replica-manage re-initialize –from idmipa02.nix.mds.xyz<\/strong>
\n\t'idmipa02.nix.mds.xyz' has no replication agreement for 'idmipa02.nix.mds.xyz'<\/span>\n<\/p>\n

\n\t[idmipa01]<\/strong>
\n\t# sha256sum \/var\/lib\/ipa\/replica-info-idmipa02.nix.mds.xyz.gpg
\n\t14553b94d6fad6350ce1cf2896c757657d638c8a08b250d13eac6bbacf5d3383  \/var\/lib\/ipa\/replica-info-idmipa02.nix.mds.xyz.gpg<\/span>\n<\/p>\n

\n\t[ idmipa02 ]<\/strong>
\n\tsha256sum \/var\/lib\/ipa\/replica-info-idmipa02.nix.mds.xyz.gpg
\n\t14553b94d6fad6350ce1cf2896c757657d638c8a08b250d13eac6bbacf5d3383  \/var\/lib\/ipa\/replica-info-idmipa02.nix.mds.xyz.gpg<\/span>\n<\/p>\n

\n\tReissue the following:\n<\/p>\n

\n\t# ipa-replica-install –setup-ca –setup-dns –forwarder=192.168.0.224 \/var\/lib\/ipa\/replica-info-idmipa02.nix.mds.xyz.gpg<\/strong>
\n\tYour system may be partly configured.
\n\tRun \/usr\/sbin\/ipa-server-install –uninstall to clean up.<\/span>\n<\/p>\n

\n\tipapython.admintool: ERROR    IPA server is already configured on this system.
\n\tIf you want to reinstall the IPA server, please uninstall it first using 'ipa-server-install –uninstall'.
\n\tipapython.admintool: ERROR    The ipa-replica-install command failed. See \/var\/log\/ipareplica-install.log for more information<\/span>\n<\/p>\n

\n\tHowever, it complained. Let's try to find another way.  So rebooted instead to see if that will work.  Nothing happened, apparently, though I did not fully check.  However, running the following worked well:\n<\/p>\n

\n\t[ idmipa02 ]<\/span>\n<\/p>\n

\n\t# ipa-replica-manage re-initialize –from idmipa01.nix.mds.xyz<\/strong>
\n\tDirectory Manager password:<\/span><\/span>\n<\/p>\n

\n\tUpdate in progress, 4 seconds elapsed
\n\tUpdate succeeded<\/span><\/span>\n<\/p>\n

\n\t# getcert list|grep -Ei "Request ID|status:|stuck:|expires"<\/strong>
\n\tRequest ID '20180122053638':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:15:58 UTC
\n\tRequest ID '20180122053639':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:09:34 UTC
\n\tRequest ID '20180122053640':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:14:47 UTC
\n\tRequest ID '20180122053641':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2036-11-21 07:32:02 UTC
\n\tRequest ID '20180122053642':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-08-31 09:03:44 UTC
\n\tRequest ID '20180122053643':
\n\t        status: NEED_TO_SUBMIT
\n\t        stuck: no
\n\t        expires: 2022-08-27 17:23:10 UTC
\n\tRequest ID '20180122053644':
\n\t        status: CA_UNREACHABLE
\n\t        stuck: no
\n\t        expires: 2022-09-29 17:22:58 UTC
\n\tRequest ID '20180122053649':
\n\t        status: CA_UNREACHABLE
\n\t        stuck: no
\n\t        expires: 2022-09-29 17:22:45 UTC
\n\tRequest ID '20180122053742':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2023-09-26 00:54:54 UTC<\/span>\n<\/p>\n

\n\tAnd a full restart went perfectly well:\n<\/p>\n

\n\t# ipactl restart<\/strong>
\n\tRestarting Directory Service
\n\tRestarting krb5kdc Service
\n\tRestarting kadmin Service
\n\tRestarting named Service
\n\tRestarting httpd Service
\n\tRestarting ipa-custodia Service
\n\tRestarting ntpd Service
\n\tRestarting pki-tomcatd Service
\n\tRestarting smb Service
\n\tRestarting winbind Service
\n\tRestarting ipa-otpd Service
\n\tRestarting ipa-dnskeysyncd Service
\n\tipa: INFO: The ipactl command was successful<\/span>\n<\/p>\n

\n\tBut giving the above a few moments, certs still didn't update after some time.  Trying to run the following:\n<\/p>\n

\n\t# ipa-certupdate<\/strong><\/span>\n<\/p>\n

\n\tThis got me further but one is still unreachable with error:\n<\/p>\n

\n\t# getcert list|grep -Ei "Request ID|status:|stuck:|expires"<\/strong>
\n\tRequest ID '20180122053638':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:15:58 UTC
\n\tRequest ID '20180122053639':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:09:34 UTC
\n\tRequest ID '20180122053640':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:14:47 UTC
\n\tRequest ID '20180122053641':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2042-09-11 09:07:22 UTC
\n\tRequest ID '20180122053642':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-08-31 09:03:44 UTC
\n\tRequest ID '20180122053643':
\n\t        status: CA_UNREACHABLE<\/span>
\n\t        stuck: no
\n\t        expires: 2022-08-27 17:23:10 UTC
\n\tRequest ID '20180122053644':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-27 23:42:10 UTC
\n\tRequest ID '20180122053649':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-27 23:41:58 UTC
\n\tRequest ID '20180122053742':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2023-09-26 00:54:54 UTC<\/span>\n<\/p>\n

\n\tA more detailed look from getcert list :\n<\/p>\n

\n\tRequest ID '20180122053643':
\n\t        status: CA_UNREACHABLE
\n\t        ca-error: Error 60 connecting to https:\/\/idmipa02.nix.mds.xyz:8443\/ca\/agent\/ca\/profileReview: Peer certificate cannot be authenticated with given CA certificates.
\n\t        stuck: no<\/span>\n<\/p>\n

\n\tResubmit did nothing:\n<\/p>\n

\n\t# getcert resubmit -i 20180122053643<\/span><\/strong>\n<\/p>\n

\n\tChecking the CA we receive:\n<\/p>\n

\n\t# ipa ca-show ipa  -v<\/strong>
\n\tUsage: ipa [global-options] ca-show NAME [options]<\/span>\n<\/p>\n

\n\t# ipa ca-show ipa<\/strong>
\n\tipa: ERROR: Failed to authenticate to CA REST API<\/span>\n<\/p>\n

\n\tDigging into the getcert list and \/var\/log\/pki\/pki-tomcat\/ca\/debug logs further, we get the following messages:\n<\/p>\n

\n\t# getcert list<\/strong>
\n\tca-error: Error 60 connecting to https:\/\/idmipa02.nix.mds.xyz:8443\/ca\/agent\/ca\/profileReview: Peer certificate cannot be authenticated with given CA certificates.<\/span>\n<\/p>\n

\n\t# \/var\/log\/pki\/pki-tomcat\/ca\/debug<\/span><\/strong>\n<\/p>\n

\n\t[28\/Sep\/2022:00:59:32][localhost-startStop-1]: CertUtils: verifySystemCertsByTag() failed: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  faliled: nickname: Server-Cert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  failed: nickname: Server-Cert cert-pki-ca
\n\t[28\/Sep\/2022:00:59:32][localhost-startStop-1]: SignedAuditLogger: event CIMC_CERT_VERIFICATION
\n\t[28\/Sep\/2022:00:59:32][localhost-startStop-1]: SignedAuditLogger: event CIMC_CERT_VERIFICATION
\n\tjava.lang.Exception: Certutils.verifySystemCertValidityByNickname:  faliled: nickname: Server-Cert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  failed: nickname: Server-Cert cert-pki-ca<\/span>\n<\/p>\n

\n\t[28\/Sep\/2022:00:59:32][localhost-startStop-1]: SelfTestSubsystem: Shutting down server due to selftest failure: Certutils.verifySystemCertValidityByNickname:  faliled: nickname: Server-Cert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  failed: nickname: Server-Cert cert-pki-ca
\n\tjava.lang.Exception: Certutils.verifySystemCertValidityByNickname:  faliled: nickname: Server-Cert cert-pki-cacause: java.lang.Exception: Certutils.verifySystemCertValidityByNickname:  failed: nickname: Server-Cert cert-pki-ca<\/span>\n<\/p>\n

\n\t[28\/Sep\/2022:00:59:33][http-bio-8080-exec-1]: Failed to read product version String. java.io.FileNotFoundException: \/usr\/share\/pki\/CS_SERVER_VERSION (No such file or directory)<\/span>\n<\/p>\n

\n\tWhich gives us a lead, but nothing came of that error in reading and searching.  Then paid more attention and see this:\n<\/p>\n

\n\tRequest ID '20180122053643':
\n\t        status: CA_UNREACHABLE
\n\t        stuck: no
\n\t        expires: 2022-08-27 17:23:10 UTC<\/span>        \n<\/p>\n

\n\tCert's expired.  Time to roll back the clock:\n<\/p>\n

\n\t# ipactl restart<\/strong>
\n\tRestarting Directory Service
\n\tRestarting krb5kdc Service
\n\tRestarting kadmin Service
\n\tRestarting named Service
\n\tRestarting httpd Service
\n\tFailed to restart httpd Service
\n\tShutting down
\n\tHint: You can use –ignore-service-failure option for forced start in case that a non-critical service failed
\n\tAborting ipactl<\/span>\n<\/p>\n

\n\tbut nope this fails.  Let's try the fix command:\n<\/p>\n

\n\t# ipa-cert-fix<\/span><\/strong>\n<\/p>\n

\n\t                          WARNING<\/span>\n<\/p>\n

\n\tipa-cert-fix is intended for recovery when expired certificates
\n\tprevent the normal operation of IPA.  It should ONLY be used
\n\tin such scenarios, and backup of the system, especially certificates
\n\tand keys, is STRONGLY RECOMMENDED.<\/span>\n<\/p>\n

\n\t
\n\tThe following certificates will be renewed:<\/span>\n<\/p>\n

\n\tDogtag sslserver certificate:
\n\t  Subject: CN=idmipa02.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t  Serial:  268369924
\n\t  Expires: 2022-08-27 17:23:10<\/span>\n<\/p>\n

\n\tEnter "yes" to proceed: yes
\n\tProceeding.
\n\tCommand 'pki-server cert-fix –ldapi-socket \/var\/run\/slapd-NIX-MDS-XYZ.socket –agent-uid ipara –cert sslserver' returned non-zero exit status 1
\n\tThe ipa-cert-fix command failed.<\/span>\n<\/p>\n

\n\tGetting the typical CSR error:\n<\/p>\n

\n\t# pki-server cert-fix –ldapi-socket \/var\/run\/slapd-NIX-MDS-XYZ.socket –agent-uid ipara –cert sslserver<\/strong>
\n\tINFO: Loading password config: \/etc\/pki\/pki-tomcat\/password.conf
\n\tINFO: Fixing the following system certs: [‘sslserver’]
\n\tINFO: Renewing the following additional certs: []
\n\tSASL\/EXTERNAL authentication started
\n\tSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\n\tSASL SSF: 0
\n\tINFO: Stopping the instance to proceed with system cert renewal
\n\tINFO: Configuring LDAP password authentication
\n\tINFO: Setting pkidbuser password via ldappasswd
\n\tSASL\/EXTERNAL authentication started
\n\tSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\n\tSASL SSF: 0
\n\tINFO: Selftests disabled for subsystems: ca
\n\tINFO: Resetting password for uid=ipara,ou=people,o=ipaca
\n\tSASL\/EXTERNAL authentication started
\n\tSASL username: gidNumber=0+uidNumber=0,cn=peercred,cn=external,cn=auth
\n\tSASL SSF: 0
\n\tINFO: Creating a temporary sslserver cert
\n\tINFO: Getting sslserver cert info for ca
\n\tINFO: Trying to create a new temp cert for sslserver.
\n\tINFO: Generate temp SSL certificate
\n\tINFO: Getting sslserver cert info for ca
\n\tINFO: Selftests enabled for subsystems: ca
\n\tINFO: Restoring previous LDAP configuration
\n\tERROR: Unable to find CSR for sslserver cert<\/span>\n<\/p>\n

\n\tLet's get the CSR:\n<\/p>\n

\n\t# grep -Ei "csr=" -A19 \/var\/lib\/certmonger\/requests\/20180122053643 | grep -Evi "CATE REQ" | tr -d '[:space:]'<\/strong>
\n\tMIIDNzCCA…………………………………………….4gpgJAb+hM=<\/span>\n<\/p>\n

\n\tCheck that you added the entry correctly:\n<\/p>\n

\n\t# ca.sslserver.certreq=MIIDNzCCAh8………………………………………………………………………….gpgJAb+hM=<\/span>\n<\/p>\n

\n\tTry the IPA fix once more.  This time we have success:\n<\/p>\n

\n\t# ipa-cert-fix<\/span><\/strong>\n<\/p>\n

\n\t                          WARNING<\/span>\n<\/p>\n

\n\tipa-cert-fix is intended for recovery when expired certificates
\n\tprevent the normal operation of IPA.  It should ONLY be used
\n\tin such scenarios, and backup of the system, especially certificates
\n\tand keys, is STRONGLY RECOMMENDED.<\/span>\n<\/p>\n

\n\t
\n\tThe following certificates will be renewed:<\/span>\n<\/p>\n

\n\tDogtag sslserver certificate:
\n\t  Subject: CN=idmipa02.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t  Serial:  268369924
\n\t  Expires: 2022-08-27 17:23:10<\/span>\n<\/p>\n

\n\tEnter "yes" to proceed: yes
\n\tProceeding.
\n\tRenewed Dogtag sslserver certificate:
\n\t  Subject: CN=idmipa02.nix.mds.xyz,O=NIX.MDS.XYZ
\n\t  Serial:  268369929
\n\t  Expires: 2024-09-17 05:32:43<\/span>\n<\/p>\n

\n\tThe ipa-cert-fix command was successful, apparently.  Restarting services to confirm:\n<\/p>\n

\n\t[idmipa02] # ipactl status<\/strong>
\n\tDirectory Service: RUNNING
\n\tkrb5kdc Service: RUNNING
\n\tkadmin Service: RUNNING
\n\tnamed Service: RUNNING
\n\thttpd Service: RUNNING
\n\tipa-custodia Service: RUNNING
\n\tntpd Service: RUNNING
\n\tpki-tomcatd Service: RUNNING
\n\tsmb Service: RUNNING
\n\twinbind Service: RUNNING
\n\tipa-otpd Service: RUNNING
\n\tipa-dnskeysyncd Service: RUNNING
\n\tipa: INFO: The ipactl command was successful<\/span>\n<\/p>\n

\n\t[idmipa02] # getcert list|grep -Ei "Request ID|status:|stuck:|expires"<\/strong>
\n\tRequest ID '20180122053638':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:15:58 UTC
\n\tRequest ID '20180122053639':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:09:34 UTC
\n\tRequest ID '20180122053640':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:14:47 UTC
\n\tRequest ID '20180122053641':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2042-09-11 09:07:22 UTC
\n\tRequest ID '20180122053642':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-08-31 09:03:44 UTC
\n\tRequest ID '20180122053643':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-15 05:46:41 UTC
\n\tRequest ID '20180122053644':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-27 23:42:10 UTC
\n\tRequest ID '20180122053649':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2024-09-27 23:41:58 UTC
\n\tRequest ID '20180122053742':
\n\t        status: MONITORING
\n\t        stuck: no
\n\t        expires: 2023-09-26 00:54:54 UTC<\/span>\n<\/p>\n

\n\tAnd just to be sure:\n<\/p>\n

\n\t[idmipa01]
\n\tipa config-show | grep 'IPA CA renewal master'
\n\t  IPA CA renewal master: idmipa01.nix.mds.xyz
\n\t  
\n\t[idmipa02]
\n\tipa config-show | grep 'IPA CA renewal master'
\n\t  IPA CA renewal master: idmipa01.nix.mds.xyz<\/span> \n<\/p>\n

\n\tHope this helps someone!\n<\/p>\n

\n\tCheers,
\n\tTom\n<\/p>\n

\n\tREFERENCES:<\/strong>
\n\thttps:\/\/lists.fedoraproject.org\/archives\/list\/freeipa-users@lists.fedorahosted.org\/thread\/JYQU7PJGY4QV7C6S34Q7VOAAGU7FGLWF\/<\/a>
\n\thttps:\/\/floblanc.wordpress.com\/2017\/09\/11\/troubleshooting-freeipa-pki-tomcatd-fails-to-start\/<\/a>
\n\thttps:\/\/access.redhat.com\/solutions\/3081821<\/a>
\n\thttps:\/\/access.redhat.com\/articles\/4062581<\/a>
\n\thttps:\/\/access.redhat.com\/solutions\/3357261<\/a>
\n\thttps:\/\/rcritten.wordpress.com\/2017\/09\/20\/peer-certificate-cannot-be-authenticated-with-given-ca-certificates\/<\/a>
\n\thttps:\/\/lists.fedorahosted.org\/archives\/list\/freeipa-users@lists.fedorahosted.org\/thread\/XSMWWPJU2VRUIGE6SRAHYAJF7BYBCNOE\/<\/a>
\n\thttps:\/\/frasertweedale.github.io\/blog-redhat\/posts\/2019-05-24-ipa-cert-fix.html<\/a>
\n\thttps:\/\/lists.fedorahosted.org\/archives\/list\/freeipa-users@lists.fedorahosted.org\/thread\/P73XKHFUJ75VHOJWK2A6ZTLZQ7I2IYE6\/<\/a>
\n\thttps:\/\/floblanc.wordpress.com\/2016\/12\/19\/troubleshooting-certmonger-issues-with-freeipa\/<\/a>
\n\thttps:\/\/access.redhat.com\/solutions\/4908451<\/a>
\n\thttps:\/\/access.redhat.com\/solutions\/4852721<\/a>
\n\thttps:\/\/floblanc.wordpress.com\/2016\/12\/19\/troubleshooting-certmonger-issues-with-freeipa\/<\/a>
\n\thttps:\/\/floblanc.wordpress.com\/2016\/12\/19\/troubleshooting-certmonger-issues-with-freeipa\/<\/a>
\n\thttps:\/\/serverfault.com\/questions\/709470\/date-and-hwclock-not-in-sync-why<\/a><\/p>\n\n

\n\n\t\t\n
    \n\t\t\t <\/ul>\n <\/div> \n","protected":false},"excerpt":{"rendered":"

    Restore VM's from snapshot.  Yes, this is a new attempt at restoring some FreeIPA hosts that have been, ahem, neglected slightly to the point where things expired and don't work.  A few unexpected reboots and FS corruption didn't help the matter either.  Regardless, the recovery will in many ways show off the restoration capabilities of.FreeIPA which […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"_uf_show_specific_survey":0,"_uf_disable_surveys":false,"footnotes":""},"categories":[3],"tags":[],"class_list":["post-6088","post","type-post","status-publish","format-standard","hentry","category-unix-linux-admin-stuff"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/6088","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/comments?post=6088"}],"version-history":[{"count":4,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/6088\/revisions"}],"predecessor-version":[{"id":6092,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/posts\/6088\/revisions\/6092"}],"wp:attachment":[{"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/media?parent=6088"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/categories?post=6088"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/microdevsys.com\/wp\/wp-json\/wp\/v2\/tags?post=6088"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}