RHEL Engineering is moving the tracking of its product development work on RHEL 6 through RHEL 9 to Red Hat Jira (issues.redhat.com). If you're a Red Hat customer, please continue to file support cases via the Red Hat customer portal. If you're not, please head to the "RHEL project" in Red Hat Jira and file new tickets here. Individual Bugzilla bugs in the statuses "NEW", "ASSIGNED", and "POST" are being migrated throughout September 2023. Bugs of Red Hat partners with an assigned Engineering Partner Manager (EPM) are migrated in late September as per pre-agreed dates. Bugs against components "kernel", "kernel-rt", and "kpatch" are only migrated if still in "NEW" or "ASSIGNED". If you cannot log in to RH Jira, please consult article #7032570. That failing, please send an e-mail to the RH Jira admins at rh-issues@redhat.com to troubleshoot your issue as a user management inquiry. The email creates a ServiceNow ticket with Red Hat. Individual Bugzilla bugs that are migrated will be moved to status "CLOSED", resolution "MIGRATED", and set with "MigratedToJIRA" in "Keywords". The link to the successor Jira issue will be found under "Links", have a little "two-footprint" icon next to it, and direct you to the "RHEL project" in Red Hat Jira (issue links are of type "https://issues.redhat.com/browse/RHEL-XXXX", where "X" is a digit). This same link will be available in a blue banner at the top of the page informing you that that bug has been migrated.
Bug 1623549 - unable to renew Server-Cert certificates - error CA_UNREACHABLE
Summary: unable to renew Server-Cert certificates - error CA_UNREACHABLE
Keywords:
Status: CLOSED DUPLICATE of bug 1152084
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: ipa
Version: 7.7-Alt
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: rc
: ---
Assignee: IPA Maintainers
QA Contact: ipa-qe
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2018-08-29 15:17 UTC by max_ter
Modified: 2018-12-05 12:22 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-12-05 12:22:23 UTC
Target Upstream Version:
Embargoed:

Attachments (Terms of Use)

Description max_ter 2018-08-29 15:17:44 UTC 
Description of problem:
Certmonger is not able to renew the certificates with nickname "Server-Cert";

running ipa-getcert list, both the certificates with nickname "Server-Cert" return the following error:

Request ID '20170320134855':
        status: CA_UNREACHABLE
        ca-error: Server at https://MY_SITE.COM/ipa/xml failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: FAILURE (CA not found: 516f847a-ddc0-4da6-b15d-6703742b74be)).
        stuck: no
        ...

Performing an ldapsearch, the CA seems to be present:

# ldapsearch -Y GSSAPI -s sub -b cn=ipa,cn=cas,cn=ca,dc=MY_SITE,dc=com
SASL/GSSAPI authentication started
SASL username: admin
SASL SSF: 56
SASL data security layer installed.
# extended LDIF
#
# LDAPv3
# base <cn=ipa,cn=cas,cn=ca,dc=MY_SITE,dc=com> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# ipa, cas, ca, MY_SITE.COM
dn: cn=ipa,cn=cas,cn=ca,dc=MY_SITE,dc=com
description: IPA CA
ipaCaIssuerDN: CN=Certificate Authority,O=MY_SITE.COM
objectClass: top
objectClass: ipaca
ipaCaSubjectDN: CN=Certificate Authority,O=MY_SITE.COM
ipaCaId: 516f847a-ddc0-4da6-b15d-6703742b74be
cn: ipa

# search result
search: 4
result: 0 Success

# numResponses: 2
# numEntries: 1



Version-Release number of selected component (if applicable):
# ipa --version
VERSION: 4.4.0, API_VERSION: 2.213
Comment 2 Alexander Bokovoy 2018-08-29 21:21:17 UTC 
Could you please add

/etc/sysconfig/certmonger
OPTS=-d3

restart certmonger, wait a bit until certmonger settles down and provide output of 

 journalctl -u certmonger --full

for the time period since restart.
Comment 3 max_ter 2018-09-12 12:59:50 UTC 
Hello Alexander,

We found and solved the issue: looking in ldap, in the entry cn=ipa,cn=cas,cn=ca,dc=my_site,dc=com we saw this attribute-value
ipaCaId: 516f847a-ddc0-4da6-b15d-6703742b74be

so, there should have been an entry like 
dn: cn=$ipacaid,ou=authorities,ou=ca,o=ipaca 

but looking under ou=authorities,ou=ca,o=ipaca, the entry had a different cn value.

We aligned the first entry with the value of the entry in the ipaca part, and the problem was solved.

Maybe this misalignment was due to a replication failure between the masters?

Thank you.
Max
Comment 4 max_ter 2018-09-18 12:11:39 UTC 
(In reply to Alexander Bokovoy from comment #2)
> Could you please add
> 
> /etc/sysconfig/certmonger
> OPTS=-d3
> 
> restart certmonger, wait a bit until certmonger settles down and provide
> output of 
> 
>  journalctl -u certmonger --full
> 
> for the time period since restart.

Hello Alexander,

We found and solved the issue: looking in ldap, in the entry cn=ipa,cn=cas,cn=ca,dc=my_site,dc=com we saw this attribute-value
ipaCaId: 516f847a-ddc0-4da6-b15d-6703742b74be

so, there should have been an entry like 
dn: cn=$ipacaid,ou=authorities,ou=ca,o=ipaca 

but looking under ou=authorities,ou=ca,o=ipaca, the entry had a different cn value.

We aligned the first entry with the value of the entry in the ipaca part, and the problem was solved.

Maybe this misalignment was due to a replication failure between the masters?

Thank you.
Max
Comment 5 Alexander Bokovoy 2018-09-18 12:57:09 UTC 
It is unlikely due to a replication failure (you'd then would have two different ipaCaId entries). Could you tell a bit more how these systems were installed?
Comment 6 Alexander Bokovoy 2018-10-03 05:56:11 UTC 
Rob, do you think the check for ipaCaId being correct in both cn=ipa,cn=cas,cn=ca,$SUFFIX and cn=$ipacaid,ou=authorities,ou=ca,o=ipaca would be useful for the new troubleshooting tool?

If so, should we copy this bug to Pagure and close it here, since the original issue is solved by Max already.
Comment 7 Rob Crittenden 2018-10-03 14:06:37 UTC 
Yes, I do think it should be checked. It is part of the tool I started at https://github.com/rcritten/checkcerts

So if existence in my tool, which I fully expect to be merged into something else eventually, is enough then I think we can close this BZ and track it in that upstream.
Comment 8 Florence Blanc-Renaud 2018-12-05 12:22:23 UTC 
The upstream ticket for health check tool is https://pagure.io/freeipa/issue/4008. The corresponding BZ is BZ 1152084.

Closing this BZ as proposed in comments #c6 and #c7, as the customer issue has been solved and an upstream ticket+BZ is already tracking the check.

*** This bug has been marked as a duplicate of bug 1152084 ***
Note You need to log in before you can comment on or make changes to this bug.