[Freeipa-users] FreeIPA webserver cert expired.

Paul Tader ptader at linuxscope.com
Fri Jun 29 21:55:00 UTC 2012


On 6/11/12 9:16 AM, Paul Tader wrote:
> On 6/5/12 2:33 PM, Rob Crittenden wrote:
>> JR Aquino wrote:
>>> On Jun 5, 2012, at 11:18 AM, Paul Tader wrote:
>>>
>>>> A couple days ago my (apache) certificates expired. Users are able to
>>>> kinit but tools such as sudo fail because of the expired
>>>> certificates. Lots of reading/Google'ing later I found this script
>>>> (steps) to renew these certs:
>>>
>>> I'm just curious, but, isn't certmonger supposed to automatically
>>> renew these? Is certmonger failing in this case?
>>
>> Yes, the first thing to do is figure out why certmonger didn't
>> automatically renew the certificates. Then it should be as simple as
>> setting the date back, letting certmonger do its thing, then setting it
>> forward again.
>>
>> That is very strange certmonger output. You might try setting the date
>> back a couple of days and trying something like:
>>
>> ipa-getcert resubmit -i 20110706215145
>>
>> And see what the status goes to.
>>
>> rob
>
> (Sorry for the delayed reply)
>
> No luck with setting the date back and resubmitting the certificate.
>
>
>
> # /etc/init.d/ntpd stop
> Stopping ntpd (via systemctl):                             [  OK  ]
>
> # date 060112002012
> Fri Jun  1 12:00:00 CDT 2012
>
> # /etc/init.d/httpd stop
> Stopping httpd (via systemctl):                            [  OK  ]
> # /etc/init.d/httpd start
> Starting httpd (via systemctl):                            [  OK  ]
>
> # ipa-getcert resubmit -i 20110706215145
> Resubmitting "20110706215145" to "IPA".
>
> # ipa-getcert list
> Number of certificates and requests being tracked: 3.
> Request ID '20110706215109':
>      status: CA_UNREACHABLE
>      ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction, explaining:  SSL connect error).
>      stuck: yes
>      key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-CTIDATA-NET//pwdfile.txt'
>      certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-CTIDATA-NET',nickname='Server-Cert',token='NSS
> Certificate DB'
>      CA: IPA
>      issuer: CN=Certificate Authority,O=RELAM.NET
>      subject: CN=srv01.company.net,O=REALM.NET
>      expires: 2012-06-03 20:19:49 UTC
>      eku: id-kp-serverAuth
>      track: yes
>      auto-renew: yes
> Request ID '20110706215129':
>      status: CA_UNREACHABLE
>      ca-error: Server failed request, will retry: -504 (libcurl failed
> to execute the HTTP POST transaction, explaining:  SSL connect error).
>      stuck: yes
>      key pair storage:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/dirsrv/slapd-PKI-IPA//pwdfile.txt'
>      certificate:
> type=NSSDB,location='/etc/dirsrv/slapd-PKI-IPA',nickname='Server-Cert',token='NSS
> Certificate DB'
>      CA: IPA
>      issuer: CN=Certificate Authority,O=REALM.NET
>      subject: CN=srv01.company.net,O=REALM.NET
>      expires: 2012-06-03 20:19:49 UTC
>      eku: id-kp-serverAuth
>      track: yes
>      auto-renew: yes
> Request ID '20110706215145':
>      status: GENERATING_CSR
>      ca-error: Server failed request, will retry: 4301 (RPC failed at
> server.  Certificate operation cannot be completed: Unable to
> communicate with CMS (Unauthorized)).
>      stuck: no
>      key pair storage:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
>      certificate:
> type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS
> Certificate DB'
>      CA: IPA
>      issuer: CN=Certificate Authority,O=REALM.NET
>      subject: CN=srv01.company.net,O=REALM.NET
>      expires: 2012-06-03 20:19:49 UTC
>      eku: id-kp-serverAuth
>      track: yes
>      auto-renew: yes
>
> _______________________________________________
> Freeipa-users mailing list
> Freeipa-users at redhat.com
> https://www.redhat.com/mailman/listinfo/freeipa-users


Still working on this problem.  I've imported new self-signed certs
because I don't think I can renew expired certs, and now all of the
entries list like this:

Request ID '20110706215145':
	status: NEED_CSR_GEN_TOKEN
	ca-error: Error setting up ccache for local "host" service using 
default keytab.
	stuck: yes
	key pair storage: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
	certificate: 
type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS 
Certificate DB'
	CA: IPA
	issuer: CN=Certificate Authority,O=REALM.NET
	subject: CN=ipa01.domain.net,O=REALM.NET
	expires: 2012-06-03 20:19:49 UTC
	eku: id-kp-serverAuth
	track: yes
	auto-renew: yes


Any tips or suggestions? I've saved off the old files so I think I can 
go back to the expired certs.
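As an added example (not part of the thread, and not FreeIPA or certmonger code), a small Python triage script that parses `ipa-getcert list` output like the listings above and reports requests whose certificate has expired, is about to expire, or is stuck, which is the check Rob suggests making first. The sample listing is constructed for the example, with placeholder realm, hostname and NSS database paths.

```python
"""Triage `ipa-getcert list` output for certs that are expired, near expiry or stuck
in certmonger. Added example, not from the thread; SAMPLE is constructed with
placeholder realm and paths, following the field layout the thread shows."""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: a stuck request with an expired cert (as in the thread) and a healthy one.
SAMPLE = (
    "Request ID '20110706215109':\n"
    "\tstatus: CA_UNREACHABLE\n"
    "\tca-error: Server failed request, will retry: -504 (libcurl failed\n"
    "to execute the HTTP POST transaction, explaining:  SSL connect error).\n"
    "\tstuck: yes\n"
    "\tkey pair storage: \n"
    "type=NSSDB,location='/etc/dirsrv/slapd-EXAMPLE-NET',nickname='Server-Cert'\n"
    "\texpires: 2012-06-03 20:19:49 UTC\n"
    "Request ID '20120101000000':\n"
    "\tstatus: MONITORING\n"
    "\texpires: 2014-01-01 00:00:00 UTC\n"
)

def parse_getcert(text):
    """Return {request_id: {field: value}}. Indented 'field: value' lines start a
    field; unindented lines (wrapped ca-error text, long NSSDB specs) continue it."""
    requests, cur, last = {}, None, None
    for line in text.splitlines():
        head = re.match(r"Request ID '(\d+)':", line)
        field = re.match(r"\s+([\w -]+): ?(.*)", line)
        if head:
            cur, last = requests.setdefault(head.group(1), {}), None
        elif cur is not None and field:
            last = field.group(1)
            cur[last] = field.group(2).strip()
        elif cur is not None and last and line.strip():
            cur[last] = (cur[last] + " " + line.strip()).strip()
    return requests

def triage(requests, now, warn_days=30):
    """Map each request id to its list of problems; an empty list means healthy."""
    report = {}
    for rid, f in requests.items():
        exp = f.get("expires") and datetime.strptime(
            f["expires"], "%Y-%m-%d %H:%M:%S UTC").replace(tzinfo=timezone.utc)
        checks = [
            (bool(exp) and exp <= now, "expired"),
            (bool(exp) and now < exp <= now + timedelta(days=warn_days), "expiring"),
            (f.get("stuck") == "yes", "stuck"),
            (f.get("status") != "MONITORING", "status " + f.get("status", "?")),
        ]
        report[rid] = [label for hit, label in checks if hit]
    return report
```

Run it against the real output with `triage(parse_getcert(subprocess.check_output(["ipa-getcert", "list"], text=True)), datetime.now(timezone.utc))`; any request with a non-empty list is the one to investigate before touching the clock.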
