<div dir="ltr">ok, so all certs are renewed (dogldap and http).<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Sep 20, 2016 at 11:49 AM, Natxo Asenjo <span dir="ltr"><<a href="mailto:natxo.asenjo@gmail.com" target="_blank">natxo.asenjo@gmail.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote"><span class="">On Mon, Sep 19, 2016 at 5:27 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br></span><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="">Natxo Asenjo wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span>
hi,<br>
<br>
<br>
On Fri, Sep 16, 2016 at 4:22 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a></span><br></blockquote></span>
Ok, how about we work around the problem.<br>
</blockquote><div><br></div><div>Gladly ;-)<br> <br></div><span class=""><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">
Since it is failing on the revocation what you might try is removing the userCertificate value from the ldap/<a href="http://kdc01.unix.iriszorg.nl" rel="noreferrer" target="_blank">kdc01.unix.iriszorg.nl</a> service entry.<br>
<br>
I think this will work:<br>
<br>
$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl" rel="noreferrer" target="_blank">kdc01.unix.iriszorg.nl</a> |grep Serial<br>
<note this down for later><br>
<br>
$ ipa service-mod --certificate= ldap/<a href="http://kdc01.unix.iriszorg.nl" rel="noreferrer" target="_blank">kdc01.unix.iriszorg.nl</a><br>
<br>
If this doesn't work you can use ldapmodify to delete the usercertificate value.<br>
<br>
This will remove the certificate value so there is nothing to revoke and a new cert will be saved (hopefully).<br>
<br>
Now try to resubmit the request via certmonger.<br>
<br>
If it works then you can run ipa cert-revoke <old serial #><br>
<br>
It isn't a great answer long-term because it is really just working around the problem but it should get the certs renewed.<span><font color="#888888"><br>
</font></span><br></blockquote></span></div><br></div><div class="gmail_extra">ok, so I restarted the httpd service then I could use ipa service-show:<br><br clear="all"></div><div class="gmail_extra"><span class="">$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a> |grep Serial<br></span>  Serial Number: 175<br>  Serial Number (hex): 0xAF<br>bash-4.1$ ipa service-mod --certificate= ldap/<a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a><br>------------------------------<wbr>------------------------------<wbr>---<br>Modified service "ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">kdc01.unix.iriszorg.nl@<wbr>UNIX.IRISZORG.NL</a>"<br>------------------------------<wbr>------------------------------<wbr>---<br>  Principal: ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">kdc01.unix.iriszorg.nl@<wbr>UNIX.IRISZORG.NL</a><br>  Managed by: <a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a><br><br><br>bash-4.1$ sudo ipa-getcert resubmit -i 20121107212513                <wbr>           Resubmitting "20121107212513" to "IPA".<br>bash-4.1$ sudo getcert list<span class=""><br>Number of certificates and requests being tracked: 8.<br>Request ID '20121107212513':<br>        status: CA_UNREACHABLE<br></span><span class="">        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  
Certificate operation cannot be completed: Failure decoding Certificate Signing Request).<br>        stuck: yes<br></span><span class="">        key pair storage: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-UNIX-IRISZORG-NL'<wbr>,nickname='Server-Cert',token=<wbr>'NSS Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-UNIX-IRISZORG-NL/<wbr>pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-UNIX-IRISZORG-NL'<wbr>,nickname='Server-Cert',token=<wbr>'NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL" target="_blank">UNIX.IRISZORG.NL</a><br>        subject: CN=<a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL" target="_blank">UN<wbr>IX.IRISZORG.NL</a><br>        expires: 2016-10-12 10:49:24 UTC<br>        eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>        pre-save command:<br>        post-save command: /usr/lib/ipa/certmonger/<wbr>restart_dirsrv UNIX-IRISZORG-NL<br>        track: yes<br>        auto-renew: yes<br><br><br><br></span></div><div class="gmail_extra">the certificate is gone:<br>$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a> <br>ipa: ERROR: Could not create log_dir u'/home/jose.admin/.ipa/log'<br>  Principal: ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL" target="_blank">kdc01.unix.iriszorg.nl@<wbr>UNIX.IRISZORG.NL</a><br>  Keytab: True<br>  Managed by: <a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a><br><br><br></div><div class="gmail_extra">But then I thought, what the hell, let's try again, restarted httpd, resubmitted it, and now it did work ;-)<br><br>$ ipa service-show ldap/<a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a> <br>  Principal: ldap/<a href="mailto:kdc01.unix.iriszorg.nl@UNIX.IRISZORG.NL" 
target="_blank">kdc01.unix.iriszorg.nl@<wbr>UNIX.IRISZORG.NL</a><br>  Certificate: MIIDrDCCApSgAwIBAgICAPUwDQYJKo<wbr>ZIhvcNAQELBQAwOzEZMBcGA1UEChMQ<wbr>VU5JWC5JUklTWk9SRy5OTDEeMBwGA1<wbr>UEAxMVQ2VydGlmaWNhdGUgQXV0aG9y<wbr>aXR5MB4XDTE2MDkyMDA4MDY1OFoXDT<wbr>E4MDkyMTA4MDY1OFowPDEZMBcGA1UE<wbr>ChMQVU5JWC5JUklTWk9SRy5OTDEfMB<wbr>0GA1UEAxMWa2RjMDEudW5peC5pcmlz<wbr>em9yZy5ubDCCASIwDQYJKoZIhvcNAQ<wbr>EBBQADggEPADCCAQoCggEBAO2QVqrF<wbr>Rb/<wbr>Q5dhkAi7BK29BJhqTvbaH3bNDLvhe1<wbr>snyChdlr/AIwrJj/<wbr>53Ti2eJ7u1BtV7u3gSwQ3/<wbr>xJ0HwUZmOEQHCNDrjcGy+<wbr>iw7lqkC5NaZ8AGt8bSTGWwnJvEGWrb<wbr>3uEJzVZf+xB5eZa8vFXr+<wbr>Jlcfoq8DbVZhX274pmpVfQOnRckD+<wbr>AmncuEItHpcJCCHneF0QzA5DQqlTPU<wbr>FerFm3F/iI/<wbr>k6g9XbHQaNejcUYdhXpy9q0mEuBIIs<wbr>EzTeNWTTEsUYX5TPVEsN3x2feA0icx<wbr>R6bUTeg2BqSu7ZOuM55iBp3l0d9UAQ<wbr>7W7yh76FI/<wbr>Bqz8vIMdS6VsurPS4asLa8CAwEAAaO<wbr>BuDCBtTAfBgNVHSMEGDAWgBSjl+<wbr>SKLrjPPuoz8ryT1iPeqYQ2aDBEBggr<wbr>BgEFBQcBAQQ4MDYwNAYIKwYBBQUHMA<wbr>GGKGh0dHA6Ly9rZGMwMS51bml4Lmly<wbr>aXN6b3JnLm5sOjgwL2NhL29jc3AwDg<wbr>YDVR0PAQH/<wbr>BAQDAgTwMB0GA1UdJQQWMBQGCCsGAQ<wbr>UFBwMBBggrBgEFBQcDAjAdBgNVHQ4E<wbr>FgQUBIRsG98GBkIyB/<wbr>BgQKloUlLEJeEwDQYJKoZIhvcNAQEL<wbr>BQADggEBAHN+<wbr>ggklVf2uzaePwEI9rMObe0WZeOyCLZ<wbr>xEtigDaJIHkq3GzkugxcG8ivD/<wbr>LnuF0D8m07npfpIMC3QRUJQjFjz6E3<wbr>rKtqau0QY0BO+<wbr>Dwg1TzItQqXxgHtCqcQ7bmahj2AMPR<wbr>NUXeZck0p/<wbr>eueG4wj2kbLwTLU6cOfwnT4IOfszAS<wbr>9GCql6oQIXlOfG6i6DAodBpgWziDfI<wbr>rRJsJi4ZE+FvJL/ImJDdW+<wbr>En50UyGp0n31oMSDIxWf1bdWUctSEY<wbr>hcy9JftzkitNm1FD+<wbr>a1HzeYyuHthzlHHcSIXN/<wbr>kXRSGktpe8VHE5XLtKnH92vmkMnyxZ<wbr>vE///2+ExHXIAOkwq3ck=<br>  Keytab: True<br>  Managed by: <a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a><br>  Subject: CN=<a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL" target="_blank">UN<wbr>IX.IRISZORG.NL</a><br>  Serial Number: 245<br>  Serial Number (hex): 0xF5<br>  Issuer: CN=Certificate Authority,O=<a 
href="http://UNIX.IRISZORG.NL" target="_blank">UNIX.IRISZORG.NL</a><br>  Not Before: Tue Sep 20 08:06:58 2016 UTC<br>  Not After: Fri Sep 21 08:06:58 2018 UTC<br>  Fingerprint (MD5): f8:d3:cb:6f:4c:ca:e4:f3:47:65:<wbr>51:d3:2c:69:84:df<br>  Fingerprint (SHA1): e3:0a:66:19:d7:36:fe:c4:ff:58:<wbr>bf:90:35:3e:0b:31:cb:a0:58:37<br><br></div><div class="gmail_extra">So I could revoke the old one:<br><br>$ ipa cert-revoke 175<br>  Revoked: True<br><br><br></div><div class="gmail_extra">and now getcert list shows the certificate is ok:<span class=""><br><br>Number of certificates and requests being tracked: 8.<br>Request ID '20121107212513':<br></span>        status: MONITORING<br>        stuck: no<span class=""><br>        key pair storage: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-UNIX-IRISZORG-NL'<wbr>,nickname='Server-Cert',token=<wbr>'NSS Certificate DB',pinfile='/etc/dirsrv/<wbr>slapd-UNIX-IRISZORG-NL/<wbr>pwdfile.txt'<br>        certificate: type=NSSDB,location='/etc/<wbr>dirsrv/slapd-UNIX-IRISZORG-NL'<wbr>,nickname='Server-Cert',token=<wbr>'NSS Certificate DB'<br>        CA: IPA<br>        issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL" target="_blank">UNIX.IRISZORG.NL</a><br>        subject: CN=<a href="http://kdc01.unix.iriszorg.nl" target="_blank">kdc01.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL" target="_blank">UN<wbr>IX.IRISZORG.NL</a><br></span>        expires: 2018-09-21 08:06:58 UTC<span class=""><br>        eku: id-kp-serverAuth,id-kp-<wbr>clientAuth<br>        pre-save command: <br>        post-save command: /usr/lib/ipa/certmonger/<wbr>restart_dirsrv UNIX-IRISZORG-NL<br>        track: yes<br>        auto-renew: yes<br><br><br></span></div><div class="gmail_extra">So one down, two to go, it seems.<br><br><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><br></div><div class="gmail_extra"><div>--<br>Groeten,<br>natxo</div>
</div></div>
</blockquote></div><br><br clear="all"><br>-- <br><div class="gmail_signature" data-smartmail="gmail_signature">--<br>Groeten,<br>natxo</div>
</div>
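<div>The workaround Rob describes above (clear userCertificate from the service entry so there is nothing to revoke, resubmit the request via certmonger, then revoke the old serial), as an added example that is not part of this thread and not FreeIPA's own code: a POSIX shell script that finds the stuck certmonger requests, reads the old serial, and runs the three steps in order, refusing to revoke until the resubmitted request has actually reached MONITORING. The <code>getcert list</code> and <code>ipa service-show</code> text embedded in the script is a constructed sample modelled on Natxo's output; the second request ID, the <code>DRY_RUN</code> switch and all function names are my own, and reason 4 (superseded) is assumed to be an accepted value for <code>ipa cert-revoke --revocation-reason</code>.</div>

```shell
#!/bin/sh
# Added example (not from the thread, not FreeIPA code): triage certmonger
# state and script the workaround from the thread. Set DRY_RUN=1 to print
# the ipa/certmonger commands instead of running them.

# Constructed sample of `getcert list` output modelled on the thread:
# one stuck request (the real ID from the thread) and one healthy one
# (the second ID is invented).
SAMPLE_GETCERT=$(cat <<'EOF'
Number of certificates and requests being tracked: 2.
Request ID '20121107212513':
        status: CA_UNREACHABLE
        ca-error: Server failed request, will retry: 4301 (RPC failed at server.  Certificate operation cannot be completed: Failure decoding Certificate Signing Request).
        stuck: yes
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2016-10-12 10:49:24 UTC
Request ID '20160920080658':
        status: MONITORING
        stuck: no
        subject: CN=kdc01.unix.iriszorg.nl,O=UNIX.IRISZORG.NL
        expires: 2018-09-21 08:06:58 UTC
EOF
)

# Constructed sample of `ipa service-show ... | grep Serial` as in the thread.
SAMPLE_SERIAL=$(cat <<'EOF'
  Serial Number: 175
  Serial Number (hex): 0xAF
EOF
)

# Print the request IDs that certmonger reports as stuck (reads stdin).
stuck_requests() {
    awk '
        /^Request ID/       { id = $0; gsub(/[^0-9]/, "", id) }
        /^[ \t]*stuck: yes/ { print id }
    '
}

# Pull the decimal serial out of ipa service-show output (reads stdin).
# Prints nothing if the entry carries no certificate, e.g. after service-mod.
serial_from_service_show() {
    awk -F': ' '/^[ \t]*Serial Number:/ { print $2; exit }'
}

# Current certmonger status of one request, or "unknown" in dry-run mode.
request_status() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo unknown; return; fi
    getcert list -i "$1" | awk '/^[ \t]*status:/ { print $2; exit }'
}

run() {
    if [ "${DRY_RUN:-0}" = 1 ]; then echo "$*"; else "$@"; fi
}

# The workaround: clear userCertificate so the CA has nothing to revoke,
# resubmit the certmonger request, wait for the new cert to be saved, and
# only then revoke the old serial. Args: principal, request ID, old serial
# (note the serial down BEFORE clearing the entry, as Rob says).
renew_stuck_cert() {
    principal=$1; request_id=$2; old_serial=$3

    run ipa service-mod --certificate= "$principal" || return 1
    run ipa-getcert resubmit -i "$request_id" || return 1

    if [ "${DRY_RUN:-0}" != 1 ]; then
        tries=0
        while [ "$tries" -lt 30 ]; do
            [ "$(request_status "$request_id")" = MONITORING ] && break
            tries=$((tries + 1)); sleep 2
        done
        if [ "$(request_status "$request_id")" != MONITORING ]; then
            echo "request $request_id still not renewed; NOT revoking $old_serial" >&2
            return 1
        fi
    fi
    # Reason 4 = superseded (assumed accepted by ipa cert-revoke).
    run ipa cert-revoke "$old_serial" --revocation-reason=4
}

# Stand-alone demonstration on the constructed samples, in dry-run mode.
DRY_RUN=${DRY_RUN:-1}
for id in $(printf '%s\n' "$SAMPLE_GETCERT" | stuck_requests); do
    serial=$(printf '%s\n' "$SAMPLE_SERIAL" | serial_from_service_show)
    renew_stuck_cert ldap/kdc01.unix.iriszorg.nl "$id" "$serial"
done
```

<div>The wait-before-revoke step is the part worth keeping: in the thread the first resubmit came back with "Failure decoding Certificate Signing Request" and only succeeded after another httpd restart and a second resubmit, and revoking serial 175 while it was still the only certificate in the NSS database would have taken the directory server's TLS listener down. Run the script with <code>DRY_RUN=0</code> as root on the IPA server once you have noted the old serial.</div>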