
Fixing expired FreeIPA certificates

FreeIPA server will not start after reboot

Reference: https://redhatlinux.guru/2020/10/09/freeipa-server-will-not-start-after-reboot/

Cause: the certificates have expired:

[root@freeipa ~]# ipa-getcert list 
Number of certificates and requests being tracked: 9.
Request ID '20190830074301':
status: CA_UNREACHABLE
ca-error: Server at https://freeipa.baofoo.cn/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.baofoo.cn:443; Connection refused).
stuck: no
key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-BAOFOO-CN',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-BAOFOO-CN/pwdfile.txt'
certificate: type=NSSDB,location='/etc/dirsrv/slapd-BAOFOO-CN',nickname='Server-Cert',token='NSS Certificate DB'
CA: IPA
issuer: CN=Certificate Authority,O=BAOFOO.CN
subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
expires: 2021-08-30 07:43:01 UTC
dns: freeipa.baofoo.cn
principal name: ldap/freeipa.baofoo.cn@BAOFOO.CN
key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment
eku: id-kp-serverAuth,id-kp-clientAuth
pre-save command:
post-save command: /usr/libexec/ipa/certmonger/restart_dirsrv BAOFOO-CN
track: yes
auto-renew: yes

Problem
This is more of a niche problem, but it may be useful to others. I have a FreeIPA server set up at home for DNS. After a simple reboot to add some RAM to the VM, the server would not start. I received errors like the following.

IPA server error

systemctl status ipa

● ipa.service - Identity, Policy, Audit
Loaded: loaded (/usr/lib/systemd/system/ipa.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since Fri 2020-10-09 14:57:15 EDT; 1s ago
Process: 1110 ExecStart=/usr/sbin/ipactl start (code=exited, status=1/FAILURE)
Main PID: 1110 (code=exited, status=1/FAILURE)

Oct 09 14:57:15 ipasrv.home.local ipactl[1110]: Aborting ipactl
Oct 09 14:57:15 ipasrv.home.local ipactl[1110]: Starting Directory Service
Oct 09 14:57:15 ipasrv.home.local ipactl[1110]: Starting krb5kdc Service
Oct 09 14:57:15 ipasrv.home.local ipactl[1110]: Starting kadmin Service
Oct 09 14:57:15 ipasrv.home.local ipactl[1110]: Starting named Service
Oct 09 14:57:15 ipasrv.home.local ipactl[1110]: Starting httpd Service
Oct 09 14:57:15 ipasrv.home.local systemd[1]: ipa.service: main process exited, code=exited, status=1/FAILURE
Oct 09 14:57:15 ipasrv.home.local systemd[1]: Failed to start Identity, Policy, Audit.
Oct 09 14:57:15 ipasrv.home.local systemd[1]: Unit ipa.service entered failed state.
Oct 09 14:57:15 ipasrv.home.local systemd[1]: ipa.service failed.
Apache service error

systemctl status httpd -l

● httpd.service - The Apache HTTP Server
Loaded: loaded (/usr/lib/systemd/system/httpd.service; disabled; vendor preset: disabled)
Drop-In: /etc/systemd/system/httpd.service.d
└─ipa.conf
Active: failed (Result: exit-code) since Fri 2020-10-09 14:57:44 EDT; 9s ago
Docs: man:httpd(8)
man:apachectl(8)
Process: 1532 ExecStart=/usr/sbin/httpd $OPTIONS -DFOREGROUND (code=exited, status=1/FAILURE)
Process: 1529 ExecStartPre=/usr/libexec/ipa/ipa-httpd-kdcproxy (code=exited, status=0/SUCCESS)
Main PID: 1532 (code=exited, status=1/FAILURE)

Oct 09 14:57:42 ipasrv.home.local systemd[1]: Starting The Apache HTTP Server...
Oct 09 14:57:43 ipasrv.home.local ipa-httpd-kdcproxy[1529]: ipa: WARNING: Unable to connect to dirsrv: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-HOME-LOCAL.socket':
Oct 09 14:57:43 ipasrv.home.local ipa-httpd-kdcproxy[1529]: ipa-httpd-kdcproxy: WARNING Unable to connect to dirsrv: cannot connect to 'ldapi://%2fvar%2frun%2fslapd-HOME-LOCAL.socket':
Oct 09 14:57:43 ipasrv.home.local ipa-httpd-kdcproxy[1529]: ipa: WARNING: Disabling KDC proxy
Oct 09 14:57:43 ipasrv.home.local ipa-httpd-kdcproxy[1529]: ipa-httpd-kdcproxy: WARNING Disabling KDC proxy
Oct 09 14:57:44 ipasrv.home.local systemd[1]: httpd.service: main process exited, code=exited, status=1/FAILURE
Oct 09 14:57:44 ipasrv.home.local systemd[1]: Failed to start The Apache HTTP Server.
Oct 09 14:57:44 ipasrv.home.local systemd[1]: Unit httpd.service entered failed state.
Oct 09 14:57:44 ipasrv.home.local systemd[1]: httpd.service failed.

Resolution
I won't beat around the bush with this one. The bottom line is that my certificates had expired. Below are the steps to resolve it.

1 – Start the IPA server with the option that ignores failed services.

ipactl start --ignore-service-failure

Sample output

Existing service file detected!
Assuming stale, cleaning and proceeding
Starting Directory Service
Starting krb5kdc Service
Starting kadmin Service
Starting named Service
Starting httpd Service
Failed to start httpd Service
Forced start, ignoring httpd Service, continuing normal operation
Starting ipa-custodia Service
Starting ntpd Service
Starting pki-tomcatd Service

2 – Next, run the ipa-cert-fix command to renew the expired certificates.

ipa-cert-fix


WARNING

ipa-cert-fix is intended for recovery when expired certificates
prevent the normal operation of IPA. It should ONLY be used
in such scenarios, and backup of the system, especially certificates
and keys, is STRONGLY RECOMMENDED.


The following certificates will be renewed:

Dogtag sslserver certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 3
Expires: 2021-08-19 07:42:09

Dogtag subsystem certificate:
Subject: CN=CA Subsystem,O=BAOFOO.CN
Serial: 4
Expires: 2021-08-19 07:42:09

Dogtag ca_ocsp_signing certificate:
Subject: CN=OCSP Subsystem,O=BAOFOO.CN
Serial: 2
Expires: 2021-08-19 07:42:09

Dogtag ca_audit_signing certificate:
Subject: CN=CA Audit,O=BAOFOO.CN
Serial: 5
Expires: 2021-08-19 07:42:09

IPA IPA RA certificate:
Subject: CN=IPA RA,O=BAOFOO.CN
Serial: 7
Expires: 2021-08-19 07:42:30

IPA Apache HTTPS certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 9
Expires: 2021-08-30 07:43:31

IPA LDAP certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 8
Expires: 2021-08-30 07:43:01

IPA KDC certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 10
Expires: 2021-08-30 07:43:38

Enter "yes" to proceed: yes
Proceeding.
Renewed Dogtag sslserver certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 11
Expires: 2023-11-30 01:22:29

Renewed Dogtag subsystem certificate:
Subject: CN=CA Subsystem,O=BAOFOO.CN
Serial: 12
Expires: 2023-11-30 01:22:30

Renewed Dogtag ca_ocsp_signing certificate:
Subject: CN=OCSP Subsystem,O=BAOFOO.CN
Serial: 13
Expires: 2023-11-30 01:22:31

Renewed Dogtag ca_audit_signing certificate:
Subject: CN=CA Audit,O=BAOFOO.CN
Serial: 14
Expires: 2023-11-30 01:22:31

Renewed IPA IPA RA certificate:
Subject: CN=IPA RA,O=BAOFOO.CN
Serial: 15
Expires: 2023-11-30 01:22:32

Renewed IPA Apache HTTPS certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 16
Expires: 2023-12-11 01:22:32

Renewed IPA LDAP certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 17
Expires: 2023-12-11 01:22:32

Renewed IPA KDC certificate:
Subject: CN=freeipa.baofoo.cn,O=BAOFOO.CN
Serial: 18
Expires: 2023-12-11 01:22:33

Becoming renewal master.
The ipa-cert-fix command was successful
[root@freeipa ~]# ipactl restart

3 – After renewing the certificates, restart the IPA server.

ipactl restart

Sample output

Restarting Directory Service
Restarting krb5kdc Service
Restarting kadmin Service
Restarting named Service
Restarting httpd Service
Restarting ipa-custodia Service
Restarting ntpd Service
Restarting pki-tomcatd Service
Restarting ipa-otpd Service
Restarting ipa-dnskeysyncd Service
ipa: INFO: The ipactl command was successful

4 – Finally, verify that the IPA server has started with the ipactl status command.

ipactl status

Sample output

Directory Service: RUNNING
krb5kdc Service: RUNNING
kadmin Service: RUNNING
named Service: RUNNING
httpd Service: RUNNING
ipa-custodia Service: RUNNING
ntpd Service: RUNNING
pki-tomcatd Service: RUNNING
ipa-otpd Service: RUNNING
ipa-dnskeysyncd Service: RUNNING
ipa: INFO: The ipactl command was successful

Upgrade (version upgrade)

[root@freeipa ipa]# rpm -aq ipa-server
ipa-server-4.6.5-11.el7.centos.x86_64

ipa-server-upgrade

ipa-getcert list  # list all tracked certificates

ipa-cacert-manage renew  # renew the CA certificate; the certificates listed above are renewed automatically 28 days before their expiry date

Renewing a certificate manually
ipa-getcert resubmit -i REQUEST_ID  # replace REQUEST_ID with the "Request ID" value shown by ipa-getcert list; the bundled certmonger service then reissues the certificate with a new expiry date
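As an added example (not code from the page or from the FreeIPA project), here is a Python script that parses the `ipa-getcert list` output shown at the top of the page and turns it into an expiry and renewal-health report: it flags certificates that are already expired (the ipa-cert-fix case), that fall inside certmonger's 28-day renewal window, or whose renewal is blocked by a status such as CA_UNREACHABLE, and prints the matching `ipa-getcert resubmit -i REQUEST_ID` command from the section above. The embedded sample output, the example.test hostnames and the script name check_getcert.py are constructed for this example.

```python
"""Added example (not from the page or the FreeIPA project): parse the output of
`ipa-getcert list` and flag tracked certificates that are expired, inside
certmonger's 28-day renewal window, or whose renewal is blocked (a status other
than MONITORING, such as CA_UNREACHABLE, or 'stuck: yes').

Usage on an IPA server (the script name is hypothetical):
    ipa-getcert list | python3 check_getcert.py
    python3 check_getcert.py --sample      # run against the embedded sample
"""
import re
import sys
from datetime import datetime, timezone

# certmonger starts renewing IPA-issued certificates this many days before expiry
RENEWAL_WINDOW_DAYS = 28

# Constructed sample modelled on the page's `ipa-getcert list` output, with a
# second, healthy request added for contrast. Not captured from a real server.
SAMPLE_OUTPUT = """\
Number of certificates and requests being tracked: 2.
Request ID '20190830074301':
\tstatus: CA_UNREACHABLE
\tca-error: Server at https://freeipa.example.test/ipa/xml failed request, will retry: -504 (libcurl failed to execute the HTTP POST transaction, explaining: Failed connect to freeipa.example.test:443; Connection refused).
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-TEST',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=freeipa.example.test,O=EXAMPLE.TEST
\texpires: 2021-08-30 07:43:01 UTC
\tpre-save command:
\tpost-save command: /usr/libexec/ipa/certmonger/restart_dirsrv EXAMPLE-TEST
\ttrack: yes
\tauto-renew: yes
Request ID '20190830074330':
\tstatus: MONITORING
\tstuck: no
\tcertificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
\tCA: IPA
\tsubject: CN=freeipa.example.test,O=EXAMPLE.TEST
\texpires: 2023-12-11 01:22:32 UTC
\ttrack: yes
\tauto-renew: yes
"""


def parse_getcert_list(text):
    """Split `ipa-getcert list` output into one dict per 'Request ID' record."""
    records, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"Request ID '([^']+)':", line)
        if m:
            current = {"request_id": m.group(1)}
            records.append(current)
        elif current is not None and ":" in line:
            key, _, value = line.partition(":")   # split on the first colon only,
            current[key.strip()] = value.strip()  # ca-error values contain colons too
    return records


def parse_utc(value):
    """Parse 'YYYY-MM-DD HH:MM:SS[ UTC]' (certmonger's 'expires' format) into an aware datetime."""
    m = re.fullmatch(r"(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})(?: UTC)?", value.strip())
    if not m:
        raise ValueError(f"unrecognised timestamp: {value!r}")
    return datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S").replace(tzinfo=timezone.utc)


def check(text, now_utc=None):
    """Return one finding per tracked request.

    now_utc is 'YYYY-MM-DD HH:MM:SS' (UTC) for reproducible runs, or None for the current time.
    """
    now = parse_utc(now_utc) if now_utc else datetime.now(timezone.utc)
    findings = []
    for rec in parse_getcert_list(text):
        rid = rec["request_id"]
        blocked = rec.get("status") != "MONITORING" or rec.get("stuck") == "yes"
        days_left = None
        if "expires" in rec:
            days_left = round((parse_utc(rec["expires"]) - now).total_seconds() / 86400, 1)
        if days_left is not None and days_left <= 0:
            # An expired certificate cannot be renewed through the normal certmonger
            # path; this is the ipa-cert-fix scenario described on the page.
            state, action = "EXPIRED", "ipactl start --ignore-service-failure && ipa-cert-fix"
        elif blocked or days_left is None:
            state, action = "BLOCKED", f"resolve the CA error, then: ipa-getcert resubmit -i {rid}"
        elif days_left <= RENEWAL_WINDOW_DAYS:
            state, action = "EXPIRING", f"ipa-getcert resubmit -i {rid}"
        else:
            state, action = "OK", None
        findings.append({"request_id": rid, "subject": rec.get("subject", "?"),
                         "status": rec.get("status", "?"), "days_left": days_left,
                         "state": state, "action": action})
    return findings


def main():
    use_sample = "--sample" in sys.argv or sys.stdin is None or sys.stdin.isatty()
    text = SAMPLE_OUTPUT if use_sample else sys.stdin.read()
    for f in check(text):
        print(f"{f['state']:<8} {f['request_id']} {f['subject']} "
              f"status={f['status']} days_left={f['days_left']}")
        if f["action"]:
            print(f"         -> {f['action']}")


if __name__ == "__main__":
    main()
```

Run it from cron on the IPA server and alert on any line that is not OK: a BLOCKED request with CA_UNREACHABLE while the certificate is still valid is the moment to intervene, because once the expiry date passes the only recovery path is the ipa-cert-fix procedure above.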