Ticket #3179 (closed defect: fixed)

Opened 4 years ago

Last modified 3 years ago

ca renewal script failed to contact directory server

Reported by: spoore
Owned by: rcritten
Priority: major
Milestone: FreeIPA 3.0.1 (bug fixing)
Component: IPA
Affects Documentation: no
Patch posted for review: yes
Red Hat Bugzilla: 869663

Description (last modified by dpal)

I am testing CA Renewal using this:


I'm seeing a failure:

[root@f18-1 ~]# ipa cert-show 1
ipa: ERROR: Certificate operation cannot be completed: EXCEPTION (Invalid Credential.)

in /var/log/messages:
Sep 30 10:28:28 f18-1 systemd[1]: Started 389 Directory Server TESTRELM-COM..
Sep 30 10:28:28 f18-1 systemd[1]: Started 389 Directory Server PKI-IPA..
Sep 30 10:28:28 f18-1 renew_ra_cert: Updating agent entry failed: Can't contact LDAP server:
Sep 30 10:28:29 f18-1 renew_ca_cert: Updating renewal certificate failed: Error initializing principal host/f18-1.testrelm.com@TESTRELM.COM in /etc/krb5.keytab: (-1765328324, 'Generic error (see e-text)')


freeipa-rcrit-1068-renewal.patch (5.7 KB) - added by rcritten 4 years ago.

Change History

comment:1 Changed 4 years ago by rcritten

As far as I can tell what happened is the ipaCert (the agent cert) was renewed successfully but we weren't able to bind to the dogtag LDAP instance to update the ou=People entry with the new certificate.

The description of the uid=ipara user still referenced the old serial number.

comment:2 Changed 4 years ago by dpal

  • Description modified

comment:3 Changed 4 years ago by rcritten

  • design_review set to 0

I was able to reproduce this by killing the PKI-IPA instance during the renewal.

The script can be re-run now but it isn't clear that you can do that. We should do two things:

  • Have the script loop and try the server a few times in the hopes it will be back up soon.
  • If we can't perform an update, then notify that the script can be safely re-run.

I'm not sure whether I want to try to start the service or simply wait for it to come back up.
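The two changes proposed in comment:3, modelled as an added example (not FreeIPA's own renewal code): the agent-entry update is retried a bounded number of times while the PKI-IPA directory server comes back, and if it never does the operator is told that the certificate itself was renewed and the script can safely be re-run. `ServerDown` and `make_flaky_update` are constructed stand-ins for the real LDAP connection and its "Can't contact LDAP server" failure.

```python
"""Bounded retry around the renewal script's LDAP update step.

Added example modelling the fix discussed in the ticket; the LDAP
update itself is a constructed stub, not python-ldap or FreeIPA code.
"""
import time


class ServerDown(Exception):
    """Stands in for the "Can't contact LDAP server" error in /var/log/messages."""


def update_with_retries(update, attempts=10, delay=1.0, sleep=time.sleep, log=print):
    """Call update() until it succeeds or `attempts` is exhausted.

    Returns (succeeded, tries_used). Each failure is logged with the attempt
    count; on final failure the message states that the renewal completed and
    that the script is safe to re-run once the directory server is back.
    """
    for tries in range(1, attempts + 1):
        try:
            update()
            return True, tries
        except ServerDown as err:
            log("Updating agent entry failed: %s (attempt %d of %d)" % (err, tries, attempts))
            if tries < attempts:
                sleep(delay)
    log("Could not update the agent entry, but the certificate was renewed. "
        "Re-run this script once the PKI-IPA directory server is up.")
    return False, attempts


def make_flaky_update(failures):
    """Constructed stand-in for the ou=People update: fails `failures` times, then succeeds."""
    state = {"calls": 0}

    def update():
        state["calls"] += 1
        if state["calls"] <= failures:
            raise ServerDown("Can't contact LDAP server")

    return update


if __name__ == "__main__":
    # Server is down for three attempts, then answers: succeeds on the fourth try.
    print(update_with_retries(make_flaky_update(3), attempts=5, sleep=lambda s: None))
    # Server never comes back within the budget: operator is told to re-run.
    print(update_with_retries(make_flaky_update(10), attempts=5, sleep=lambda s: None))
```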

comment:4 Changed 4 years ago by dpal

  • Milestone changed from 0.0 NEEDS_TRIAGE to 3.0.1

comment:5 Changed 4 years ago by dpal

  • Red Hat Bugzilla set to [https://bugzilla.redhat.com/show_bug.cgi?id=869663 869663]

Ticket has been cloned to Bugzilla: https://bugzilla.redhat.com/show_bug.cgi?id=869663

comment:6 Changed 4 years ago by rcritten

  • Owner changed from someone to rcritten
  • Status changed from new to assigned

comment:7 Changed 4 years ago by rcritten

  • Patch posted for review set

Changed 4 years ago by rcritten

comment:8 Changed 3 years ago by rcritten

  • Status changed from assigned to closed
  • Resolution set to fixed