[Freeipa-users] Expired certs not auto renewed by Certmonger

Nalin Dahyabhai nalin at redhat.com
Thu May 2 17:30:25 UTC 2013


On Thu, May 02, 2013 at 11:45:51AM -0500, Toasted Penguin wrote:
> Nalin,
> 
> Thanks for your response.  Running `hostname` does result in
> ipa01.ctidata.net and kinit -k host/ipa01.ctidata.net does also succeed.
> 
> I ran `ipa-getcert resubmit -i 20120925200227 -K HTTP/ipa01.ctidata.net@CTIDATA.NET`
> 
> and it resulted in this:
> 
> Request ID '20120615190133':
> status: CA_UNCONFIGURED
> ca-error: Error setting up ccache for local "host" service using default keytab.
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert',token='NSS Certificate DB'
> certificate: type=NSSDB,location='/etc/pki/nssdb',nickname='Server-Cert'
> CA: IPA
> issuer:
> subject:
> expires: unknown
> track: yes
> auto-renew: yes

Can you retrieve the contents of the request and save it to a temporary
file, like so:
  reqfile=`grep -l '^id=20120615190133' /var/lib/certmonger/requests/*`
  awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' $reqfile >\
      ~/req.csr

And then try to manually submit it to the server for signing, in the way
that certmonger would, like so:
  /usr/libexec/certmonger/ipa-submit -P bogus/`hostname` ~/req.csr

Hopefully the error output there will give us more information about
what's going on when the submission helper's failing to set up a ccache.

If it manages to get past that point, I expect it to fail because you
hopefully don't have a principal named "bogus" defined on the local
host.  But at that point we'll have gotten past errors creating the
ccache, and we'll have to find another way to figure out why it failed
here.

As an aside, we provide better information for this error in the
"ca-error" note with later versions than you appear to have, so tracking
down this information won't always be this complicated.

> Request ID '20120925200227':
> status: CA_UNREACHABLE
> ca-error: Server failed request, will retry: -504 (libcurl failed to
> execute the HTTP POST transaction, explaining:  Peer certificate cannot be
> authenticated with known CA certificates).
> stuck: yes
> key pair storage: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB',pinfile='/etc/httpd/alias/pwdfile.txt'
> certificate: type=NSSDB,location='/etc/httpd/alias',nickname='Server-Cert',token='NSS Certificate DB'
> CA: IPA
> issuer: CN=Certificate Authority,O=CTIDATA.NET
> subject: CN=ipa01.ctidata.net,O=CTIDATA.NET
> expires: 2013-03-24 19:56:36 UTC
> eku: id-kp-serverAuth
> track: yes
> auto-renew: yes

There's an error verifying the server's certificate using the local copy
of the CA certificate in /etc/ipa/ca.crt.  Is it also expired?

Nalin
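The CSR-extraction step described in the message above, wrapped as a small shell function with a sanity check on the result before it is handed to the submit helper. This is an added example, not code from the message or from certmonger; it assumes the request-file layout the awk expression relies on (one `key=value` per line, continuation lines of a multi-line value indented by a single space) and builds a constructed sample request file rather than reading /var/lib/certmonger/requests.

```shell
#!/bin/sh
# extract_csr REQUEST_DIR REQUEST_ID OUTFILE
# Locate the certmonger request file whose "id=" line matches REQUEST_ID,
# write the embedded CSR to OUTFILE in PEM form, return 1 on any problem.
extract_csr() {
    reqdir=$1; id=$2; out=$3
    reqfile=$(grep -l "^id=$id\$" "$reqdir"/* 2>/dev/null | head -n 1)
    if [ -z "$reqfile" ]; then
        echo "no request with id=$id under $reqdir" >&2
        return 1
    fi
    # Same range pattern as in the message: strip the "csr=" prefix from the
    # first line and the single leading space from each continuation line.
    awk '/BEGIN .*REQ/,/END .*REQ/ {sub("^( |csr=)","");print}' "$reqfile" > "$out"
    # Check that a complete PEM block came out before submitting it anywhere.
    head -n 1 "$out" | grep -q '^-----BEGIN' || { echo "no BEGIN marker" >&2; return 1; }
    tail -n 1 "$out" | grep -q '^-----END'   || { echo "no END marker" >&2; return 1; }
    return 0
}

# Constructed sample request file in the assumed layout (not a real
# certmonger file; the base64 body is placeholder text, not a real CSR).
make_sample() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/20120615190133" <<'EOF'
id=20120615190133
ca_name=IPA
csr=-----BEGIN NEW CERTIFICATE REQUEST-----
 MIIBconstructedPlaceholderLineOne
 MIIBconstructedPlaceholderLineTwo
 -----END NEW CERTIFICATE REQUEST-----
EOF
}

# Demo against the constructed sample; on a real host the call would be:
#   extract_csr /var/lib/certmonger/requests 20120615190133 ~/req.csr
demo_dir=$(mktemp -d)
make_sample "$demo_dir"
extract_csr "$demo_dir" 20120615190133 "$demo_dir/req.csr" && cat "$demo_dir/req.csr"
```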