#11164 Issue renewing some TLS certs from IPA infra
Closed: Fixed a year ago by arrfab. Opened a year ago by arrfab.

We have some enrolled servers in Fedora Infra that we use to generate cert requests, through delegation.
The certmonger process was able to track issued certs and renew them automatically, but we got some Zabbix warnings about near-expiring certs that don't seem to be renewed.

When investigating on the enrolled machine (through journalctl certmonger) we can see this:

Mar 06 08:44:14 enrolled_node ipa-submit[1487]: JSON-RPC error: 4016: Failed to authenticate to CA REST API
Mar 06 08:44:14 enrolled_node certmonger[1369]: 2023-03-06 08:44:14 [1369] Certificate submission still ongoing.
Mar 06 08:44:14 enrolled_node certmonger[1369]: 2023-03-06 08:44:14 [1369] Certificate submission attempt complete.
Mar 06 08:44:14 enrolled_node certmonger[1369]: 2023-03-06 08:44:14 [1369] Child status = 3.
Mar 06 08:44:14 enrolled_node certmonger[1369]: 2023-03-06 08:44:14 [1369] Child output:
Mar 06 08:44:14 enrolled_node certmonger[1369]: "Server at https://ipa01.iad2.fedoraproject.org/ipa/json failed request, will retry: 4001 (The host 'x86_64-1.cbs.centos.org' does not exist to add a service to.).
Mar 06 08:44:14 enrolled_node certmonger[1369]: Server at https://ipa02.iad2.fedoraproject.org/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
Mar 06 08:44:14 enrolled_node certmonger[1369]: Server at https://ipa03.iad2.fedoraproject.org/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
Mar 06 08:44:14 enrolled_node certmonger[1369]: "

While trying to debug that with @humaton, we tried to reproduce it and even restarted certmonger, and it then all worked fine.

Just to force renewal, I launched ipa-getcert resubmit -i <initial_request_id> and it was then able to talk to the CA API and retrieve the new cert.

Closing for now, but I'm still wondering what happened.

Metadata Update from @arrfab:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

a year ago
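
For triaging this kind of renewal failure, the following added example (not part of the original ticket, and not Fedora Infra or certmonger code) parses certmonger journal lines like the ones quoted above and groups the IPA servers by the error code each returned. The function names and the embedded sample, copied from the ticket's log excerpt, are assumptions made for illustration.

```python
import re
import sys
from collections import defaultdict

# Constructed sample: a subset of the journal lines quoted in the ticket.
SAMPLE = """\
Mar 06 08:44:14 enrolled_node ipa-submit[1487]: JSON-RPC error: 4016: Failed to authenticate to CA REST API
Mar 06 08:44:14 enrolled_node certmonger[1369]: 2023-03-06 08:44:14 [1369] Child status = 3.
Mar 06 08:44:14 enrolled_node certmonger[1369]: "Server at https://ipa01.iad2.fedoraproject.org/ipa/json failed request, will retry: 4001 (The host 'x86_64-1.cbs.centos.org' does not exist to add a service to.).
Mar 06 08:44:14 enrolled_node certmonger[1369]: Server at https://ipa02.iad2.fedoraproject.org/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
Mar 06 08:44:14 enrolled_node certmonger[1369]: Server at https://ipa03.iad2.fedoraproject.org/ipa/json failed request, will retry: 4016 (Failed to authenticate to CA REST API).
"""

# One "Server at <url> failed request, will retry: <code> (<message>)." entry.
FAILED = re.compile(
    r"Server at https?://(?P<host>[^/\s]+)\S* failed request, will retry: "
    r"(?P<code>\d+) \((?P<msg>.*)\)\.\s*$"
)
# Exit status of the submission helper as logged by certmonger.
STATUS = re.compile(r"certmonger\[\d+\]: .*Child status = (?P<status>\d+)\.")

def parse_failures(lines):
    """Return ({server: [(code, message), ...]}, [child exit statuses])."""
    per_server, statuses = defaultdict(list), []
    for line in lines:
        m = FAILED.search(line)
        if m:
            per_server[m["host"]].append((int(m["code"]), m["msg"]))
            continue
        m = STATUS.search(line)
        if m:
            statuses.append(int(m["status"]))
    return dict(per_server), statuses

def servers_by_code(per_server):
    """Group servers by error code; several groups mean the replicas disagree."""
    by_code = defaultdict(set)
    for host, errors in per_server.items():
        for code, _ in errors:
            by_code[code].add(host)
    return {code: sorted(hosts) for code, hosts in by_code.items()}

if __name__ == "__main__":
    # Reads journal text from stdin when piped, else falls back to the sample.
    text = SAMPLE if sys.stdin.isatty() else sys.stdin.read()
    servers, statuses = parse_failures(text.splitlines())
    print("child statuses:", statuses)
    for code, hosts in sorted(servers_by_code(servers).items()):
        print(code, "->", ", ".join(hosts))
```

On the ticket's excerpt this separates ipa01 (4001) from ipa02 and ipa03 (4016), which makes it visible that the replicas did not all fail the request for the same reason.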
