<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Natxo Asenjo wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
hi,<br>
<br>
<br>
On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a></span><br></blockquote>
Ok, how about we work around the problem.<br>
</blockquote><div><br></div><div>Gladly ;-)<br> <br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Since it is failing on the revocation what you might try is removing the userCertificate value from the ldap/<a href="http://kdc01.unix.iriszorg.nl" rel="noreferrer" target="_blank">kdc01.unix.iriszorg.nl</a> service entry.<br>
<br>
I think this will work:<br>
<br>
$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl" rel="noreferrer" target="_blank">kdc01.unix.iriszorg.nl</a> |grep Serial<br>
&lt;note this down for later&gt;<br>
<br>
$ ipa service-mod --certificate= ldap/<a href="http://kdc01.unix.iriszorg.nl" rel="noreferrer" target="_blank">kdc01.unix.iriszorg.nl</a><br>
<br>
If this doesn't work you can use ldapmodify to delete the usercertificate value.<br>
<br>
This will remove the certificate value so there is nothing to revoke and a new cert will be saved (hopefully).<br>
<br>
Now try to resubmit the request via certmonger.<br>
<br>
If it works then you can run ipa cert-revoke &lt;old serial #&gt;<br>
<br>
It isn't a great answer long-term because it is really just working around the problem but it should get the certs renewed.<span class="gmail-HOEnZb"><font color="#888888"><br>
</font></span><br></blockquote></div><br></div><div class="gmail_extra">OK, so I restarted the httpd service, then I could use ipa service-show:<br><br clear="all"></div><div class="gmail_extra">$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a> |grep Serial<br>  Serial Number: 175<br>  Serial Number (hex): 0xAF<br>bash-4.1$ ipa service-mod --certificate= ldap/<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a><br>---------------------------------------------------------------<br>Modified service "ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL">kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>"<br>---------------------------------------------------------------<br>  Principal: ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL">kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL</a><br>  Managed by: <a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a><br><br><br>bash-4.1$ sudo ipa-getcert resubmit -i 20121107212513<br>Resubmitting "20121107212513" to "IPA".<br>bash-4.1$ sudo getcert list<br>Number of certificates and requests being tracked: 8.<br>Request ID '20121107212513':<br>        status: CA_UNREACHABLE<br>        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  
Certificate operation cannot be completed: Failure decoding Certificate Signing Request).<br>        stuck: yes<br>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        subject: CN=<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        expires: 2016-10-12 10:49:24 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command:<br>        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL<br>        track: yes<br>        auto-renew: yes<br><br><br><br></div><div class="gmail_extra">the certificate is gone:<br>$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a> <br>ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'<br>  Principal: ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL">kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL</a><br>  Keytab: True<br>  Managed by: <a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a><br><br><br></div><div class="gmail_extra">But then I thought, what the hell, let's try again, restarted httpd, resubmitted it, and now it did work ;-)<br><br>$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a> <br>  Principal: ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL">kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL</a><br>  Certificate: 
MIIDrDCCApSgAwIBAgICAPUwDQYJKoZIhvcNAQELBQAwOzEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEeMBwGA1UEAxMVQ2VydGlmaWNhdGUgQXV0aG9yaXR5MB4XDTE2MDkyMDA4MDY1OFoXDTE4MDkyMTA4MDY1OFowPDEZMBcGA1UEChMQVU5JWC5JUklTWk9SRy5OTDEfMB0GA1UEAxMWa2RjMDEudW5peC5pcmlzem9yZy5ubDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAO2QVqrFRb/Q5dhkAi7BK29BJhqTvbaH3bNDLvhe1snyChdlr/AIwrJj/53Ti2eJ7u1BtV7u3gSwQ3/xJ0HwUZmOEQHCNDrjcGy+iw7lqkC5NaZ8AGt8bSTGWwnJvEGWrb3uEJzVZf+xB5eZa8vFXr+Jlcfoq8DbVZhX274pmpVfQOnRckD+AmncuEItHpcJCCHneF0QzA5DQqlTPUFerFm3F/iI/k6g9XbHQaNejcUYdhXpy9q0mEuBIIsEzTeNWTTEsUYX5TPVEsN3x2feA0icxR6bUTeg2BqSu7ZOuM55iBp3l0d9UAQ7W7yh76FI/Bqz8vIMdS6VsurPS4asLa8CAwEAAaOBuDCBtTAfBgNVHSMEGDAWgBSjl+SKLrjPPuoz8ryT1iPeqYQ2aDBEBggrBgEFBQcBAQQ4MDYwNAYIKwYBBQUHMAGGKGh0dHA6Ly9rZGMwMS51bml4LmlyaXN6b3JnLm5sOjgwL2NhL29jc3AwDgYDVR0PAQH/BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQUFBwMBBggrBgEFBQcDAjAdBgNVHQ4EFgQUBIRsG98GBkIyB/BgQKloUlLEJeEwDQYJKoZIhvcNAQELBQADggEBAHN+ggklVf2uzaePwEI9rMObe0WZeOyCLZxEtigDaJIHkq3GzkugxcG8ivD/LnuF0D8m07npfpIMC3QRUJQjFjz6E3rKtqau0QY0BO+Dwg1TzItQqXxgHtCqcQ7bmahj2AMPRNUXeZck0p/eueG4wj2kbLwTLU6cOfwnT4IOfszAS9GCql6oQIXlOfG6i6DAodBpgWziDfIrRJsJi4ZE+FvJL/ImJDdW+En50UyGp0n31oMSDIxWf1bdWUctSEYhcy9JftzkitNm1FD+a1HzeYyuHthzlHHcSIXN/kXRSGktpe8VHE5XLtKnH92vmkMnyxZvE///2+ExHXIAOkwq3ck=<br>  Keytab: True<br>  Managed by: <a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a><br>  Subject: CN=<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>  Serial Number: 245<br>  Serial Number (hex): 0xF5<br>  Issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>  Not Before: Tue Sep 20 08:06:58 2016 UTC<br>  Not After: Fri Sep 21 08:06:58 2018 UTC<br>  Fingerprint (MD5): f8:d3:cb:6f:4c:ca:e4:f3:47:65:51:d3:2c:69:84:df<br>  Fingerprint (SHA1): e3:0a:66:19:d7:36:fe:c4:ff:58:bf:90:35:3e:0b:31:cb:a0:58:37<br><br></div><div class="gmail_extra">So I could revoke the old one:<br><br>$ ipa cert-revoke 
175<br>  Revoked: True<br><br><br></div><div class="gmail_extra">and now getcert list shows the certificate is ok:<br><br>Number of certificates and requests being tracked: 8.<br>Request ID '20121107212513':<br>        status: MONITORING<br>        stuck: no<br>        key pair storage: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/dirsrv/slapd-UNIX-IRISZORG-NL/pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/dirsrv/slapd-UNIX-IRISZORG-NL',nickname='Server-Cert',token='NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        subject: CN=<a href="http://kdc01.unix.iriszorg.nl">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>        expires: 2018-09-21 08:06:58 UTC<br>        eku: id-kp-serverAuth,id-kp-clientAuth<br>        pre-save command: <br>        post-save command: /usr/lib/ipa/certmonger/restart_dirsrv UNIX-IRISZORG-NL<br>        track: yes<br>        auto-renew: yes<br><br><br></div><div class="gmail_extra">So one down, two to go, it seems.<br><br><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><div class="gmail_signature">--<br>Groeten,<br>natxo</div>
</div></div>
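<p>The workaround Rob describes above (note the serial, clear the <code>userCertificate</code> value, resubmit through certmonger, then revoke the old serial) as one POSIX shell script. This is an added example written for this page; it is not code from the thread or from the FreeIPA project. It assumes the <code>ipa</code>, <code>ipa-getcert</code> and <code>getcert</code> commands behave as shown in the output above; the principal, request ID and the sample command output embedded in the script are placeholders and constructed text, not captured from a real server. The point it adds over the prose is ordering: the old serial has to be captured before the certificate is cleared (after that, <code>service-show</code> no longer prints it), and revocation has to wait until the request reaches <code>MONITORING</code>, otherwise a stuck renewal leaves the service with a revoked certificate and no replacement.</p>

```shell
#!/bin/sh
# Added example (not from the thread or FreeIPA): automate the "clear, resubmit,
# then revoke" workaround for a service whose certmonger renewal fails at the
# revocation step. DRY_RUN=1 prints the mutating commands instead of running
# them. Principal and request ID passed to renew_service_cert are placeholders.
# Usage:  . ./renew.sh; DRY_RUN=1 renew_service_cert ldap/kdc01.example.test 20121107212513
set -u

# --- parsers over command output (read from stdin) ---------------------------

# Decimal serial from `ipa service-show`; exit 1 when the entry carries no cert.
serial_from_service_show() {
    awk -F': ' '/^ *Serial Number:/ { print $2; found = 1 }
                END { exit (found ? 0 : 1) }'
}

# certmonger status word from `getcert list -i <id>`.
status_from_getcert() {
    awk '/^ *status:/ { sub(/^ *status: */, ""); print; exit }'
}

# ca-error text from `getcert list -i <id>` (empty when none is reported).
ca_error_from_getcert() {
    awk '/^ *ca-error:/ { sub(/^ *ca-error: */, ""); print; exit }'
}

# Map a certmonger status to what the workaround should do next.
classify_status() {
    case "$1" in
        MONITORING)                                echo done ;;
        CA_UNREACHABLE)                            echo stuck ;;   # what the thread hit; retry after an httpd restart
        CA_REJECTED|CA_UNCONFIGURED|NEED_GUIDANCE) echo failed ;;
        *)                                         echo pending ;;
    esac
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then printf 'DRY_RUN: %s\n' "$*"; else "$@"; fi
}

# --- the workaround ----------------------------------------------------------
renew_service_cert() {
    principal=$1    # e.g. ldap/kdc01.example.test (placeholder)
    request_id=$2   # certmonger Request ID from `getcert list`

    # 1. Record the old serial FIRST: once userCertificate is cleared it is gone.
    old_serial=$(ipa service-show "$principal" | serial_from_service_show) || {
        echo "no certificate on $principal: nothing to clear or revoke" >&2; return 1; }
    echo "old serial $old_serial recorded"

    # 2. Clear the cert so the CA has nothing to revoke, then resubmit.
    run ipa service-mod --certificate= "$principal" || return 1
    run ipa-getcert resubmit -i "$request_id" || return 1

    # 3. Wait for certmonger; bail out (without revoking) if the request sticks.
    tries=0
    while :; do
        listing=$(getcert list -i "$request_id")
        status=$(printf '%s\n' "$listing" | status_from_getcert)
        case "$(classify_status "$status")" in
            done) break ;;
            stuck|failed)
                echo "request $request_id is $status: $(printf '%s\n' "$listing" | ca_error_from_getcert)" >&2
                echo "old cert $old_serial NOT revoked; fix the CA side and resubmit" >&2
                return 2 ;;
        esac
        tries=$((tries + 1))
        [ "$tries" -lt 30 ] || { echo "gave up on $request_id (last status $status)" >&2; return 2; }
        sleep 10
    done

    # 4. Only now is it safe to revoke the old certificate.
    run ipa cert-revoke "$old_serial"
}

# Constructed samples modelled on the thread's output (not captured from a server),
# so the parsers can be exercised offline.
SAMPLE_SERVICE_SHOW='  Principal: ldap/kdc01.example.test@EXAMPLE.TEST
  Serial Number: 175
  Serial Number (hex): 0xAF'
SAMPLE_GETCERT="Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes"
```

<p>Source the file and call <code>renew_service_cert</code> with your principal and request ID; run it first with <code>DRY_RUN=1</code> to see the <code>service-mod</code>, <code>resubmit</code> and <code>cert-revoke</code> calls it would make. <code>CA_UNREACHABLE</code> is treated as "stop and do not revoke", which matches what happened in the thread: the request stuck there, and only after an httpd restart and a second resubmit did the new certificate land, after which revoking serial 175 was safe.</p>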