[Freeipa-devel] certificate renewal
Rob Crittenden
rcritten at redhat.com
Wed Oct 30 20:28:38 UTC 2013
Vaede, Roger (Contractor) wrote:
> The certificate that I tried to install was a self signed certificate.
> Here is the contents of the file: /var/log/ipaserver-install.log
>
> 2013-10-21 11:42:44,031 DEBUG Loading StateFile from '/var/lib/ipa/sysrestore/sysrestore.state'
> 2013-10-21 11:42:44,032 DEBUG Loading Index file from '/var/lib/ipa/sysrestore/sysrestore.index'
> 2013-10-21 11:42:44,032 DEBUG httpd is configured
> 2013-10-21 11:42:44,032 DEBUG ipa_kpasswd is configured
> 2013-10-21 11:42:44,032 DEBUG dirsrv is configured
> 2013-10-21 11:42:44,033 DEBUG pki-cad is configured
> 2013-10-21 11:42:44,033 DEBUG pkids is configured
> 2013-10-21 11:42:44,033 DEBUG install is configured
> 2013-10-21 11:42:44,033 DEBUG krb5kdc is configured
> 2013-10-21 11:42:44,033 DEBUG ntpd is not configured
> 2013-10-21 11:42:44,033 DEBUG named is not configured
> 2013-10-21 11:42:44,033 DEBUG filestore has files
Ok, you have a dogtag CA. We didn't add support for automated renewal
until IPA 3.0. We need to see the state of the CA itself, its subsystem
certificates.
To get the list of nicknames:
# certutil -L -d /var/lib/pki-ca/alias
Then for each one do:
# certutil -L -n <nickname> -d /var/lib/pki-ca/alias | grep Not
You don't need to post this necessarily, just look to see if they are
already expired.
Like I said, we didn't tackle renewal until IPA 3.0. This required some
work in certmonger as well as some changes within IPA. I don't know if
the same procedures will work against an IPA 2 server. The bulk of the
work is done by certmonger.
But first, see what the state of the CA and its subsystem certificates
are, then we can see what we need to renew.
rob
>
>
> The (good) backup server here is the contents of the certificate:
>
> [root at xxxxx ~]# ipa-getcert list
> Number of certificates and requests being tracked: 2.
> Request ID '20111020180721':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xxx ',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-xxxxx-xxx//pwdfile.txt'
> certificate: type=NSSDB,location='/etc/dirsrv/slapd-xxxxx-xx',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxxx.xxx
> subject: CN=xxxxxxx.xxxxxx.xxx,O=xxxxxxx.xx
> expires: 2015-09-23 17:46:26 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> command:
> track: yes
> auto-renew: yes
> Request ID '20111020180816':
> status: MONITORING
> stuck: no
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=xxxxxx.xxx
> subject: CN=xxxxxx.xxxx.xxx,O=xxxxxxx.xxx
> expires: 2015-09-23 17:46:26 UTC
> eku: id-kp-serverAuth,id-kp-clientAuth
> command:
> track: yes
> auto-renew: yes
>
> regards
> Roger
>
>
>
> -----Original Message-----
> From: Rob Crittenden [mailto:rcritten at redhat.com]
> Sent: Wednesday, October 30, 2013 3:29 PM
> To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
> Subject: Re: [Freeipa-devel] certificate renewal
>
> Vaede, Roger (Contractor) wrote:
>> I did try to replace the certificate with a self signed one at one point but then I was getting an error saying the certificate wasn't valid.
>
> Ok, I need to get a better handle on how this was originally installed in order to guide you. Can you look to see if /var/log/ipaserver-install.log still exists? It should have the original arguments passed.
>
> What I need to know is if this was installed using a dogtag CA or if it was installed as a selfsign server.
>
> rob
>
>>
>> Regards
>> Roger
>>
>> -----Original Message-----
>> From: Vaede, Roger (Contractor)
>> Sent: Wednesday, October 30, 2013 2:37 PM
>> To: 'Rob Crittenden'; 'freeipa-devel at redhat.com'
>> Subject: RE: [Freeipa-devel] certificate renewal
>>
>> I never installed freeipa, the person that installed it left the company.
>> I removed the request ID at one point by using the stop-tracking command then I used this command to reinstate them:
>> ipa-getcert start-tracking -d /var/lib/pki-ca/alias -n ServerCert -r
>>
>> Initially they expired around October 25th.
>>
>> Regards
>> Roger
>>
>> -----Original Message-----
>> From: Rob Crittenden [mailto:rcritten at redhat.com]
>> Sent: Wednesday, October 30, 2013 2:30 PM
>> To: Vaede, Roger (Contractor); 'freeipa-devel at redhat.com'
>> Subject: Re: [Freeipa-devel] certificate renewal
>>
>> Vaede, Roger (Contractor) wrote:
>>> I have two IPA servers, one primary and one is backup. (Redhat 5)
>>
>> What version of ipa-server is this?
>>
>>> The primary servers certificate has expired.
>>>
>>> I am not able to renew it.
>>>
>>> I turned off the ssl on the clients and now the users can login.
>>>
>>> I did a lot of research on certificate renewal and I am lost at this point.
>>>
>>> I am able to make changes using the backup IPA server.
>>
>> This getcert output is quite strange. Did you start these tracking yourself?
>>
>> Did you replace the IPA CA certificate at some point?
>>
>> rob
>>
>>
>
>
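Rob's checklist above (list the nicknames with certutil -L, then look at the Not Before / Not After line of each one) is worth scripting when a Dogtag CA carries several subsystem certificates. The following is an added example for this archive page, not code from FreeIPA, Dogtag or anyone in the thread: it parses a certutil -L listing and the per-certificate Validity block, and classifies each certificate against a reference date. The certutil output embedded below is constructed sample data; the nicknames are the ones a pki-ca instance usually carries but are assumed here rather than taken from the thread, and the 28-day "expiring" window is a chosen parameter, not something the thread states.

```python
"""Triage Dogtag CA subsystem certificates the way the thread suggests:
list the NSS database nicknames with `certutil -L`, read each one's
"Not Before"/"Not After" and see which are already past their end date.

Added example for this archive page; not FreeIPA or Dogtag code.
The certutil output below is constructed sample data.
"""
import re
import subprocess
from datetime import datetime, timedelta, timezone

# NSS database of the Dogtag CA, as used in the thread.
NSSDB = "/var/lib/pki-ca/alias"

# Constructed `certutil -L -d /var/lib/pki-ca/alias` output. The nicknames
# are the ones a pki-ca instance usually carries (assumed, not from the thread).
SAMPLE_LISTING = """\
Certificate Nickname                                         Trust Attributes
                                                             SSL,S/MIME,JAR/XPI

caSigningCert cert-pki-ca                                    CTu,Cu,Cu
ocspSigningCert cert-pki-ca                                  u,u,u
subsystemCert cert-pki-ca                                    u,u,u
Server-Cert cert-pki-ca                                      u,u,u
auditSigningCert cert-pki-ca                                 u,u,Pu
"""

# Constructed Validity blocks from `certutil -L -n <nickname> -d ...`,
# one per nickname; dates chosen so that every status below is exercised.
SAMPLE_VALIDITY = {
    "caSigningCert cert-pki-ca":
        "        Validity:\n"
        "            Not Before: Thu Oct 20 18:07:21 2011\n"
        "            Not After : Mon Oct 20 18:07:21 2031\n",
    "ocspSigningCert cert-pki-ca":
        "        Validity:\n"
        "            Not Before: Thu Oct 20 18:07:21 2011\n"
        "            Not After : Sat Nov 16 18:07:21 2013\n",
    "subsystemCert cert-pki-ca":
        "        Validity:\n"
        "            Not Before: Thu Oct 20 18:07:21 2011\n"
        "            Not After : Tue Oct 20 18:07:21 2015\n",
    "Server-Cert cert-pki-ca":
        "        Validity:\n"
        "            Not Before: Thu Oct 20 18:08:16 2011\n"
        "            Not After : Fri Oct 25 18:08:16 2013\n",
    "auditSigningCert cert-pki-ca":
        "        Validity:\n"
        "            Not Before: Thu Oct 31 00:00:00 2013\n"
        "            Not After : Sat Oct 31 00:00:00 2015\n",
}

# A listing line is "<nickname> <whitespace> <ssl>,<smime>,<jar>"; the two
# header lines and blank lines do not match this shape.
TRUST_RE = re.compile(r"^(?P<nick>.*?)\s+(?P<flags>[A-Za-z]*,[A-Za-z]*,[A-Za-z]*)$")
VALIDITY_RE = re.compile(r"Not (Before|After)\s*:\s*(.+)")
# certutil prints validity timestamps in UTC, e.g. "Thu Oct 20 18:07:21 2011".
CERTUTIL_TIME = "%a %b %d %H:%M:%S %Y"

# Date of the thread; the demo run evaluates the sample data against it.
REFERENCE_NOW = datetime(2013, 10, 30, 20, 28, 38)
# Also flag certificates this close to expiry (chosen window, an assumption).
WARN_WINDOW = timedelta(days=28)


def parse_nicknames(listing):
    """Nicknames from `certutil -L` output, with header/blank lines dropped
    and the trust-flag column stripped."""
    nicks = []
    for line in listing.splitlines():
        m = TRUST_RE.match(line.rstrip())
        if m and m.group("nick").strip():
            nicks.append(m.group("nick").strip())
    return nicks


def parse_validity(cert_text):
    """(not_before, not_after) from the Validity block of `certutil -L -n`."""
    found = {}
    for m in VALIDITY_RE.finditer(cert_text):
        stamp = " ".join(m.group(2).split())  # collapse certutil's padding
        found[m.group(1)] = datetime.strptime(stamp, CERTUTIL_TIME)
    return found["Before"], found["After"]


def classify(not_before, not_after, now, warn=WARN_WINDOW):
    """'expired', 'expiring', 'not-yet-valid' or 'ok' relative to `now`."""
    if now < not_before:
        return "not-yet-valid"
    if now >= not_after:
        return "expired"
    if now >= not_after - warn:
        return "expiring"
    return "ok"


def triage(listing, validity_by_nick, now):
    """The manual loop from the thread: every nickname -> its status."""
    return {
        nick: classify(*parse_validity(validity_by_nick[nick]), now)
        for nick in parse_nicknames(listing)
    }


def certutil_triage(nssdb=NSSDB, now=None):
    """Run the real certutil commands against a server's NSS database.
    Not exercised offline; needs certutil and read access to the database."""
    listing = subprocess.check_output(["certutil", "-L", "-d", nssdb]).decode()
    validity = {
        nick: subprocess.check_output(["certutil", "-L", "-n", nick, "-d", nssdb]).decode()
        for nick in parse_nicknames(listing)
    }
    if now is None:
        now = datetime.now(timezone.utc).replace(tzinfo=None)
    return triage(listing, validity, now)


if __name__ == "__main__":
    for nick, status in triage(SAMPLE_LISTING, SAMPLE_VALIDITY, REFERENCE_NOW).items():
        print(f"{status:14} {nick}")
```

On a server, `certutil_triage()` does the same against /var/lib/pki-ca/alias (or any other NSS database, such as /etc/httpd/alias, passed as `nssdb`). The status of the CA signing certificate is the one to read first: if it is the entry past Not After, renewing the other subsystem certificates is not by itself enough, which is why Rob asks for the state of the whole set before deciding what to renew.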