<div dir="ltr"><br><div class="gmail_extra"><br><div class="gmail_quote">On Thu, Sep 29, 2016 at 1:16 PM, Rob Crittenden <span dir="ltr"><<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex">Natxo Asenjo wrote:<br>
<blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><span class="gmail-">
<br>
<br>
On Tue, Sep 27, 2016 at 1:42 PM, Rob Crittenden <<a href="mailto:rcritten@redhat.com" target="_blank">rcritten@redhat.com</a>> wrote:<br></span><span class="gmail-">
<br>
<br>
    It's hard to say, it may in fact not be a problem.<br>
<br>
    It is really a matter of what service the certificate(s) are related<br>
    to. I'd look at the serial numbers and then correlate those to the<br>
    issued certificates.<br>
<br>
    I'd also do a service-find on the hostname to see if any services<br>
    have certificates issued and with what serial numbers.<br>
<br>
<br>
I agree, it could be that. But just for testing I have created a vm,<br>
joined it to the domain and resubmitted the certificate.<br>
<br>
Now there are two valid host certificates with the same subject:<br>
<br>
<br>
  $ ipa cert-find --subject=throwaway.unix.iriszorg.nl<br></span><span class="gmail-">
----------------------<br>
2 certificates matched<br>
----------------------<br>
   Serial number (hex): 0x3FFE0002<br>
   Serial number: 1073610754<br>
   Status: VALID<br>
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL<br></span><span class="gmail-">
<br>
   Serial number (hex): 0x3FFE0003<br>
   Serial number: 1073610755<br>
   Status: VALID<br>
   Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL<br></span><span class="gmail-">
----------------------------<br>
Number of entries returned 2<br>
----------------------------<br>
<br>
<br>
So certmonger on this CentOS 6.8 32-bit host is renewing but not<br>
having the old certificate revoked.<br>
</span></blockquote>
<br>
I'd check the Apache log to find the cert_request call to see if you can see if there are any issues raised. It should be doing a cert_revoke at the same time.<br>
<br>
Can you show how this certificate is being tracked?<span class="gmail-HOEnZb"><font color="#888888"><br></font></span></blockquote><div><br></div><div>sure:<br> <br>$ sudo getcert list<br></div></div>Number of certificates and requests being tracked: 1.<br>Request ID '20160929100945':<br>    status: MONITORING<br>    stuck: no<br>    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>',token='NSS Certificate DB'<br>    certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>',token='NSS Certificate DB'<br>    CA: IPA<br>    issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>    subject: CN=<a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>    expires: 2018-09-30 10:13:17 UTC<br>    principal name: host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a><br>    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>    eku: id-kp-serverAuth,id-kp-clientAuth<br>    pre-save command: <br>    post-save command: <br>    track: yes<br>    auto-renew: yes<br clear="all"><br></div><div class="gmail_extra">now, let's resubmit:<br><br>$ sudo ipa-getcert resubmit -i 20160929100945<br>Resubmitting "20160929100945" to "IPA".<br>[jose.admin@throwaway ~]$ sudo getcert list<br>Number of certificates and requests being tracked: 1.<br>Request ID '20160929100945':<br>    status: MONITORING<br>    stuck: no<br>    key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>',token='NSS Certificate DB'<br>    certificate: 
type=NSSDB,location='/etc/pki/nssdb',nickname='IPA Machine Certificate - <a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>',token='NSS Certificate DB'<br>    CA: IPA<br>    issuer: CN=Certificate Authority,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>    subject: CN=<a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>    expires: 2018-09-30 20:41:28 UTC<br>    principal name: host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a><br>    key usage: digitalSignature,nonRepudiation,keyEncipherment,dataEncipherment<br>    eku: id-kp-serverAuth,id-kp-clientAuth<br>    pre-save command: <br>    post-save command: <br>    track: yes<br>    auto-renew: yes<br><br></div><div class="gmail_extra">so it has been successfully renewed.<br><br></div><div class="gmail_extra">In the access_log of the kdc I see this:<br><br>172.20.4.228 - - [29/Sep/2016:22:41:27 +0200] "POST <a href="https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient">https://kdc03.unix.iriszorg.nl:443/ca/eeca/ca/profileSubmitSSLClient</a> HTTP/1.1" 200 1913<br>172.20.6.81 - host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a> [29/Sep/2016:22:41:27 +0200] "POST /ipa/xml HTTP/1.1" 200 2929<br><br></div><div class="gmail_extra">and in the error_log:<br>[Thu Sep 29 22:41:28.626669 2016] [:error] [pid 4617] ipa: INFO: [xmlserver] host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>: cert_request(u'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', principal=u'host/<a href="mailto:throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL">throwaway.unix.iriszorg.nl@UNIX.IRISZORG.NL</a>', add=True, version=u'2.51'): SUCCESS<br><br></div><div class="gmail_extra">and now I have 3 valid certificates:<br><br>$ ipa 
cert-find --subject=<a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a><br>----------------------<br>3 certificates matched<br>----------------------<br>  Serial number (hex): 0xFF9000D<br>  Serial number: 267976717<br>  Status: VALID<br>  Subject: CN=<a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br><br>  Serial number (hex): 0x3FFE0002<br>  Serial number: 1073610754<br>  Status: VALID<br>  Subject: CN=<a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br><br>  Serial number (hex): 0x3FFE0003<br>  Serial number: 1073610755<br>  Status: VALID<br>  Subject: CN=<a href="http://throwaway.unix.iriszorg.nl">throwaway.unix.iriszorg.nl</a>,O=<a href="http://UNIX.IRISZORG.NL">UNIX.IRISZORG.NL</a><br>----------------------------<br>Number of entries returned 3<br>----------------------------<br><br></div><div class="gmail_extra"><br><div class="gmail_signature">--<br>Groeten,<br>natxo</div>
</div></div>
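As an added example (not code from this thread, from FreeIPA or from certmonger), here is a small Python checker that parses an `ipa cert-find` listing like the ones above and reports every subject that still has more than one VALID certificate, which is exactly the condition left behind when a renewal does not revoke its predecessor. The sample input is constructed: the three throwaway.unix.iriszorg.nl serials are the ones the thread shows, while host-b.example.test and its two serials are invented to cover the healthy case (one VALID, one REVOKED). The checker deliberately does not guess which serial is the live one: the thread's own listing shows the newest certificate (0xFF9000D) carrying a smaller serial than the two older ones, so serial order is not issue order and the operator has to correlate with `getcert list` expiry dates or `ipa cert-show` before revoking the superseded entries.

```python
"""Flag subjects with more than one VALID cert in `ipa cert-find` output (added example)."""
import re
import sys
from collections import defaultdict

# Constructed sample in the shape of the thread's `ipa cert-find --subject=...`
# listing. The throwaway.unix.iriszorg.nl serials come from the thread;
# host-b.example.test and its serials are invented.
SAMPLE_CERT_FIND = """\
----------------------
5 certificates matched
----------------------
  Serial number (hex): 0xFF9000D
  Serial number: 267976717
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0002
  Serial number: 1073610754
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0003
  Serial number: 1073610755
  Status: VALID
  Subject: CN=throwaway.unix.iriszorg.nl,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0010
  Serial number: 1073610768
  Status: REVOKED
  Subject: CN=host-b.example.test,O=UNIX.IRISZORG.NL

  Serial number (hex): 0x3FFE0011
  Serial number: 1073610769
  Status: VALID
  Subject: CN=host-b.example.test,O=UNIX.IRISZORG.NL
----------------------------
Number of entries returned 5
----------------------------
"""

# One "  Key: value" line of the listing; rulers and counts match nothing and are skipped.
FIELD_RE = re.compile(r"^\s*(Serial number \(hex\)|Serial number|Status|Subject):\s*(.*?)\s*$")


def parse_cert_find(text):
    """Parse the listing into dicts with serial (int), serial_hex, status and subject.

    Entries are separated by blank lines; the header ruler shares a block with the
    first entry and the footer with the last, which is harmless since neither
    contains a field line.
    """
    certs = []
    for block in re.split(r"\n\s*\n", text):
        fields = {}
        for line in block.splitlines():
            m = FIELD_RE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
        if "Serial number" not in fields or "Subject" not in fields:
            continue
        cert = {
            "serial": int(fields["Serial number"]),
            "serial_hex": fields.get("Serial number (hex)", ""),
            "status": fields.get("Status", ""),
            "subject": fields["Subject"],
        }
        # The hex and decimal serials must agree, otherwise the listing was mangled.
        if cert["serial_hex"] and int(cert["serial_hex"], 16) != cert["serial"]:
            raise ValueError("serial mismatch for %s" % cert["subject"])
        certs.append(cert)
    return certs


def valid_duplicates(certs):
    """Map subject -> sorted VALID serials, only for subjects with more than one.

    REVOKED entries are not counted: the problem case is two or more certificates
    the CA still vouches for under the same name.
    """
    by_subject = defaultdict(list)
    for cert in certs:
        if cert["status"] == "VALID":
            by_subject[cert["subject"]].append(cert["serial"])
    return {s: sorted(v) for s, v in by_subject.items() if len(v) > 1}


def review_commands(dups):
    """Commands to inspect each duplicate; no guess is made about which one is live,
    because serial order is not issue order across CA replicas."""
    return ["ipa cert-show %d" % serial for serials in dups.values() for serial in serials]


if __name__ == "__main__":
    # Read a saved listing from a file argument, else use the constructed sample.
    listing = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_CERT_FIND
    dups = valid_duplicates(parse_cert_find(listing))
    for subject, serials in dups.items():
        print("%s has %d VALID certificates: %s" % (subject, len(serials), serials))
    for cmd in review_commands(dups):
        print("  " + cmd)
```

Run it against `ipa cert-find --subject=HOST > listing.txt` output to get a list of subjects to review; once the live serial is identified, the superseded ones are the candidates for revocation, since an unrevoked certificate whose private key still sits in an old NSS database remains trusted by every client that checks only validity.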